PowerUp
This ConnectWise Vulnerability is a MEGA BIG DEAL! Here’s Why...
Here's the good, bad and ugly on this ScreenConnect debacle. And some of the blame is on the MSP, too.

In today's rundown:
🔥🦉This ConnectWise Vulnerability is a MEGA BIG DEAL! Here’s Why…
😰 ConnectWise Dodged a Mega Huge Bullet On This One
🤷♂️ How Much of the Blame Lies with MSPs?
🤷♂️ Are We Really This Insecure in 2024?
🙌 ConnectWise is Indeed Taking This Seriously
💸 Cyber Insurance Might Have A Story On This One
🤐 Reputation Is All Important
🦹 Scammer Payback?
Read time: 9 minutes 👇
This ConnectWise Vulnerability is a MEGA BIG DEAL! Here’s Why…
By now I’m sure you’ve seen the news. ConnectWise disclosed a mega huge security vulnerability (we nerds call it a 10 out of 10 on the CVSS scale, the maximum score, which is rare and as serious as things get).
If you’re running ScreenConnect prior to version 23.9.8, stop reading this and go patch it. This is not hyperbole. In fact, you’re probably already compromised. And patching closes the hole, but it does not undo anything an attacker did before you patched, so once you’re on a fixed version, check for accounts you didn’t create and review the server’s access logs. It’s that serious. And so am I.
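To make the "are you prior to 23.9.8?" check concrete, here is an added example (my code, not ConnectWise’s and not from the original post): a small Python triage script that takes an inventory of on-prem ScreenConnect servers with the version each one reports and lists the ones still below 23.9.8, internet-facing first. The hostnames and version strings in the sample inventory are constructed. It compares versions numerically rather than as strings, because a plain string comparison would rank a hypothetical 23.9.10 below 23.9.8 and get the answer exactly backwards.

```python
"""Triage an inventory of on-prem ScreenConnect servers against the patched release.

Added example, not ConnectWise's code and not code from the original post.
Assumes you keep an inventory of host, reported version and whether the
server is internet-facing; the sample inventory below is constructed.
"""
import csv
import io
import re
from dataclasses import dataclass

PATCHED_VERSION = "23.9.8"  # first fixed release named in the post

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Pull the dotted numeric version out of strings such as '23.9.7.8804'
    or 'ScreenConnect 22.8.9' and return it as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when `version` is older than `patched`.

    Compares component by component as integers. A plain string comparison
    would rank a hypothetical 23.9.10 below 23.9.8, which is exactly the
    mistake that flags a patched server and misses an unpatched one.
    Only as many components as the patched release has are compared, so the
    trailing build number in something like 23.9.8.8811 does not matter.
    """
    have = parse_version(version)
    want = parse_version(patched)
    return have[: len(want)] < want


@dataclass
class Server:
    host: str
    version: str
    internet_facing: bool


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = """\
host,version,internet_facing
sc-prod-01.example.net,23.9.7.8804,yes
sc-dr-02.example.net,23.9.8.8811,yes
sc-lab-03.example.net,ScreenConnect 22.8.9,no
sc-new-04.example.net,23.9.10.8817,yes
"""


def load_inventory(csv_text: str) -> list[Server]:
    """Parse a host,version,internet_facing CSV into Server records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Server(
            host=row["host"].strip(),
            version=row["version"].strip(),
            internet_facing=row["internet_facing"].strip().lower() in ("yes", "true", "1"),
        )
        for row in reader
    ]


def triage(servers: list[Server]) -> list[Server]:
    """Return the servers still below the patched release, internet-facing
    ones first, since those are the ones to patch (and then check) right now."""
    behind = [s for s in servers if is_vulnerable(s.version)]
    return sorted(behind, key=lambda s: (not s.internet_facing, s.host))


if __name__ == "__main__":
    for server in triage(load_inventory(SAMPLE_INVENTORY)):
        where = "INTERNET-FACING" if server.internet_facing else "internal"
        print(f"{server.host:28} {server.version:24} {where}  -> patch to {PATCHED_VERSION}+")
```

Run against the sample inventory it reports the 23.9.7 and 22.8.9 hosts and leaves the 23.9.8 and 23.9.10 hosts alone; swap in your own CSV export and the same logic applies. The version threshold is the only thing here taken from the post; everything else is an assumption about how you track your fleet.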
Ok so before I get deep into this, let me just say a few things:
I’m not hating on ConnectWise for this vulnerability. Vulnerabilities happen. All the time. To everyone. And as you’ll see in this post, there’s quite a bit that ConnectWise has done right.
For the most part, ConnectWise has handled this quite well. They’ve been transparent. They are showing they truly care. But there are a few big things we need to talk about.
Ok, with that out of the way, here are a few things we need to jump into now.
ConnectWise dodged a mega huge bullet on this one
This vulnerability is so serious because it is trivial for a threat actor to exploit, and it lets them compromise an entire organization, at scale.
But there was a saving grace. The vulnerability was discovered and disclosed by a security researcher who apparently notified ConnectWise of the vulnerability.
ConnectWise took it seriously and handled things by the book. If you want more on this story, just read this article from Bleeping Computer. I won’t belabor those details.
But I will say this. The Owl got lucky.
Imagine if this vulnerability had been discovered first by a threat actor. Then we’d have a zero day on our hands, with access to potentially hundreds of thousands of unsuspecting victims.
While reports are coming in of security incidents, the volume is minuscule compared to what would have happened the other way around.
Remember the Kaseya attack in July of 2021? This would’ve been much, much worse.
So count your blessings.
How Much of the Blame Lies with MSPs?
Here’s another question I want to ask. Why are MSPs asking for, and even demanding, on-prem software in 2024? As my co-founder Kyle Christensen said:
“Many MSPs still act like sysadmins of 2007. They demand on-prem solutions and they feel it’s best practice to stay 1 or 2 versions behind the latest software. And in my experience, that usually leads them to being multiple versions behind.”
Great point. While I realize some regulatory requirements mandate on-prem, let’s be honest, that is a minor percentage. (And really, those that are on-prem because of regulation, say CMMC, have probably already patched, since they should have a mature vulnerability management process.)
So I wonder… will the vast majority of MSPs who demand on-prem for old times’ sake, and then get popped, finally wake up?
This whole ordeal really isn’t about laying blame. It’s about recognizing that as MSPs, some of our mistakes of historic inertia have come full circle to bite us in the rear.
Are We Really This Insecure in 2024?
Why is it that in 2024 we still have critical software that isn’t just heavily (and happily) sold as on-prem, but also ships with literally zero ability for the vendor to control its capability and use?
I mean… yikes, friends. The first thing ConnectWise said after this vulnerability was that they immediately patched all cloud instances. Awesome! As you should.
But what about all the 6,000+ unpatched on-prem instances?
“Oh sorry, not much we can do there. You’ve just gotta patch on your own!”
To me, that’s not acceptable. Strategic Objective 3.3 of the White House National Cybersecurity Strategy is clear: it’s time to shift liability for insecure software products and services onto the vendors themselves.
So I’ll just say it right here.
The whole “This is all on you! You should patch! Good luck!”… that whole boat ain’t gonna float.
ConnectWise needs to do more. Ought to do more. Must do more.
Don’t tell me you’re going to let 6,000+ on-prem ScreenConnect users who haven’t patched just sit there like sitting ducks. Not ok. I mean, yeah… it’s their fault for not patching.
But it’s clear that ConnectWise should be doing more about this. They need to take greater responsibility. Liability should lie with them. Figure out ways to take their vulnerable software offline. Get creative. Find a way.
Don’t tell me there’s no way to remotely address this issue. Come on… we’re in 2024. Have you not thought through security by design with the ability to do… oh, I don’t know… automatic software updates or the ability to turn certain vulnerable software versions off?
And if they CAN do it… why haven’t they? Are they afraid of it affecting their sales? Are they scared that turning off software might make them Big Brother?
And lastly… why are they still selling this on-prem? This ain’t 2004, folks.
Let’s just play this out. What happens if something MAJOR happens at scale and they’re deposed in front of Congress having to explain how they could’ve taken action but chose not to?
Not gonna fly.
ConnectWise is Indeed Taking This Seriously
Looking at how ConnectWise has handled this compared to previous security issues in their past, they are indeed taking this whole thing seriously.
While I’ve pointed out some things they could do better, I am overall impressed with the fact that they’ve been transparent, forthright, and open about everything.
Much of this progress is likely due to their CISO, Patrick Beggs. I think he’s been a solid addition to their team and has really helped ConnectWise mature its cybersecurity program over the past few years.
One example: ConnectWise is even offering the patch free to unlicensed users. That’s a good move. Security over profit. Good on them.
Cyber Insurance Might Have A Story On This One
So let’s play this out. Many security folks are saying this story isn’t done yet. There are quite a few more security incidents still to come.
This vulnerability is so new that there’s no question some organizations are going to be hit by it.
So play this out from a cyber insurance perspective. Imagine they pay out on a whole bunch of breaches. (And they may have to. Because while many carriers mandate that their insureds patch within 30 days, we’re literally just two days into this thing. So they’re gonna have to pay out.)
What’s that going to do to many carriers?
No more ScreenConnect. Maybe even: No more ConnectWise.
Super yikes.
That could cost them millions.
So yeah. ConnectWise really needs to take this seriously. More than they have so far. They truly need to take action now. Simply expecting end users to patch on their own just isn’t cutting it.
Reputation is All Important
My friend Mike Riggs made a great point last night. He said: “Wes, imagine the reputation risk for ConnectWise. They’ve already seen a firestorm with ScreenConnect since it’s been used by threat actors over and over via a free trial.”
So true. ScreenConnect has been used nefariously for years. If this new vulnerability isn’t handled correctly and cleanly, things could go from bad to worse.
Imagine EDRs blacklisting, even temporarily, their software. What if the federal government blocked ScreenConnect (or other Owl software) from its systems?
These things could happen. This isn’t a small issue. To quote my friend Kyle Hanslovan from Huntress:
“I can’t sugarcoat it – this s--- is bad. The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all.”
Scammer Payback?
Speaking of that quote from Mike Riggs… there could be a silver lining in this whole thing. If scammers and threat actors were using free trials of ScreenConnect over the years to carry out their evil deeds… just hear me out on this one…
What if a significant number of these vulnerable on-prem instances belonged to scammers? And what if those are the ones getting popped? Will we see security researchers finally get some payback? Will scammers scam the scammers?
Who knows. But if that happens, someone bring a dump truck of popcorn over to my house, because I’m ready to sit and watch that mayhem all day.