Vulnerability Details : CVE-2023-25719
ConnectWise Control before 22.9.10032 (formerly known as ScreenConnect) fails to validate user-supplied parameters such as the Bin/ConnectWiseControl.Client.exe h parameter. This results in reflected data and injection of malicious code into a downloaded executable. The executable can be used to execute malicious queries or as a denial-of-service vector. NOTE: this CVE Record is only about the parameters, such as the h parameter (this CVE Record is not about the separate issue of signed executable files that are supposed to have unique configurations across customers' installations).
Vulnerability category: Denial of service
Products affected by CVE-2023-25719
- cpe:2.3:a:connectwise:control:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25719
0.34%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-25719
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2023-25719
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-25719
-
https://cybir.com/2022/cve/hijacking-connectwise-control-and-ddos/
Hijacking Connectwise Control & Screen Connect (v.22.9.10032, MULTIPLE) for Fun and Profit - From DDoS to Multi-OS RCE! - CYBIR - Cyber Security, Incident Response, & Digital ForensicsExploit;Third Party Advisory
-
https://www.connectwise.com
MSP Technology | IT Management Software | ConnectWiseProduct
-
https://www.connectwise.com/blog/cybersecurity/the-importance-of-responsible-security-disclosures
The Importance of Responsible Security Disclosures
-
https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
Clearing the Air: Overblown Claims of Vulnerabilities, Exploits & Severity
Jump to