+4
Under review

SECURITY ISSUE --- CWC / ScreenConnect client allowing connections back to home computer

Chris Meyers 4 weeks ago updated by cbsd.ops 1 week ago 6

SCENARIO: User working from home connects to their at-office computer via ConnectWise Control (CWC / ScreenConnect). At a random point in the day the session disconnects. The user goes back into the CWC user webpage to MY ASSIGNED MACHINES. Their at-office computer is no longer listed BUT their at-home computer is listed. The at-home computer was never set up with the CWC agent.

PROBLEM: Per CW support this is a known issue. They are failing to see the major SECURITY concern though. The at-home computer was never set up with CWC/ScreenConnect and is never supposed to be connected to. The at-home computer is a client only and should only connect TO the at-office computer... no one should ever be able to connect to the at-home computer.

But that is exactly what happens when this security bug manifests itself. Once the bug activates, the at-home computer is now able to be connected to remotely.


CONDITIONS: This has occurred to multiple users over our workforce involving multiple types of computers, OSes, ISPs, etc. It has happened to multiple versions of the CWC agent.

ConnectWise Control Version: 21.6
Server Affected:
Host Client Affected:
Guest Client Affected:
+1

Hi Chris,

We are sorry to hear about the issue you are experiencing. Please note that this issue is currently under investigation with the development team. While I cannot provide an exact ETA on when a fix will be implemented, we are working towards it.

+2

Rishikesh, we have experienced the same issue.

This is a critical security vulnerability that needs to be fixed.

Saying that you can't provide an ETA is not good enough for a bug of this severity.

You need to discuss with your leadership team and provide a solution immediately.

+1

We have just experienced this issue as well.

We spent an hour trying to verify what happened, and ensuring we didn't make any errors, only to see this post.

This is a critical security issue, and needs to be fixed immediately.

+1

Hello Thomas - Sorry to hear you are experiencing the same issue.

Support had asked us to "update our cloud instance" last week. We did this and now experience the problem daily with new users. Generally the user doesn't even notice the ComputerName change in the "My Assigned Machines" and ends up clicking on their at-home computer (where they are connecting FROM). So the user ends up connecting to themselves and the CWC client ends up drawing the screen of the computer connecting to the computer connecting to the computer... ad infinitum.

We believe the issue is related to the CWC "client" (i.e. the software that you load on your at-home computer). It looks like the CWC "client" exe might be installing both the client and the host (i.e. the software that's supposed to be loaded on the at-office computer).

Any updates you have please let me know.

Please UPVOTE this thread if you can... helps more people to see it.

Regards - Chris

+2

Wowee this is a huge issue. Please CW get this fixed!!

+1

Same issue. NOT good, as I could see a home user's machine and send commands to it. This is a deal breaker, as this violates privacy and security protocols we have. PLEASE address this issue promptly.