CVE-2022-36781

MEDIUM 5.3

ConnectWise - ScreenConnect Session Code Bypass

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.

Vendor	connectwise
Product	screenconnect
Published	Sep 28, 2022
Last Updated	Sep 16, 2024

Stay Ahead of the Next One

Get instant alerts for connectwise screenconnect

Be the first to know when new medium vulnerabilities affecting connectwise screenconnect are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

ConnectWise / ScreenConnect

22.7 < 22.6*

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gov.il: https://www.gov.il/en/Departments/faq/cve_advisories

Credits

Gad Abuhatziera Sophtix Security LTD