ConnectWise fixes RCE bug exposing thousands of servers to attacks
ConnectWise has released security updates to address a critical vulnerability in the ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions.
The security flaw is due to an injection weakness described by the company in an advisory issued today as “Improper Neutralization of Special Elements in Output Used by a Downstream Component.”
Affected software versions include ConnectWise Recover or earlier and R1Soft SBM v6.16.3 or earlier.
ConnectWise added that this is a critical severity vulnerability that could enable attackers to access confidential data or execute code remotely.
It also tagged the flaw as a high-priority issue, that is, one that is either exploited in attacks or at a high risk of being targeted in the wild.
Discovered by Code White security researcher Florian Hauser and expanded by Huntress Labs security researchers John Hammond and Caleb Stewart, the vulnerability can be used to “push ransomware” through thousands of R1Soft servers exposed on the Internet, according to Huntress Labs CEO Kyle Hanslovan.
According to a Shodan scan, more than 4,800 Internet-exposed R1Soft servers are likely open to attack if they haven't been patched since ConnectWise released patches for this RCE bug.
“Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9),” ConnectWise said.
On the other hand, R1Soft users were advised to “upgrade the server backup manager to SBM v6.16.4 released October 28, 2022 using the R1Soft upgrade wiki.”
The company also recommended patching all impacted R1Soft backup servers as soon as possible.
While patching critical vulnerabilities is always commendable, doing it at the end of the week, on a Friday evening, is unfortunate, if not dangerous, timing.
This is because threat actors will jump at the occasion to develop exploits and compromise any Internet-exposed servers left unpatched.
Weekends are also when attackers are the most active, given that most IT and security teams aren’t around to detect and stop their malicious activities.
The patch just dropped so I’d guess the majority of them are still vulnerable. I don’t believe there is any auto-updating functionality.
— Kyle Hanslovan (@KyleHanslovan) October 28, 2022
An end-of-the-week release also makes it harder to patch any vulnerable servers before the weekend, exposing more systems to attack for at least a few days.
To top it all off, the R1Soft SBM backup solution is a popular tool among managed service providers and cloud hosting providers.
An MSP’s compromised R1Soft server could lead to a security incident with a massive impact, making ConnectWise’s timing even more unfortunate.