Vulnerability Description
An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allowed JavaScript running on any domain to interact with the server APIs and perform administrative actions, without the victim's knowledge.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Connectwise | Control | 19.3.25270.7185 |
Related Weaknesses (CWE)
References
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-ExploitThird Party Advisory
- https://know.bishopfox.com/advisoriesThird Party Advisory
- https://know.bishopfox.com/advisories/connectwise-controlExploitThird Party Advisory
- https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulneThird Party Advisory
- https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chaiThird Party Advisory
- https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-ExploitThird Party Advisory
- https://know.bishopfox.com/advisoriesThird Party Advisory
- https://know.bishopfox.com/advisories/connectwise-controlExploitThird Party Advisory
- https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulneThird Party Advisory
- https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chaiThird Party Advisory
FAQ
What is CVE-2019-16517?
CVE-2019-16517 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a CORS misconfiguration, which reflected the Origin provided by incoming requests. This allow...
How severe is CVE-2019-16517?
CVE-2019-16517 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-16517?
Check the references section above for vendor advisories and patch information. Affected products include: Connectwise Control.