Now, some news that’s not so good.
I mentioned the ConnectWise ScreenConnect patch on Tuesday’s show. ConnectWise has now confirmed that hackers are actively exploiting the flaw.
Cybersecurity company Huntress on Wednesday published an analysis of the actively exploited ConnectWise vulnerability. Huntress security researcher John Hammond told TechCrunch that Huntress is aware of “current and active” exploitation, and is seeing early signs of threat actors moving on to “more focused post-exploitation and persistence mechanisms.”
Huntress CEO Kyle Hanslovan added that Huntress’ own customer telemetry shows visibility into more than 1,600 vulnerable servers.
“I can’t sugarcoat it — this shit is bad. We’re talking upwards of ten thousand servers that control hundreds of thousands of endpoints,” Hanslovan told TechCrunch, noting that upwards of 8,800 ConnectWise servers remain vulnerable to exploitation.
Piotr Kijewski of the Shadowserver Foundation advises checking for signs of compromise and patching, as the majority of vulnerable ScreenConnect instances (93%) are still unpatched, and noted that there were roughly 3800 installations.
And updated yesterday, As part of this release, ConnectWise has removed license restrictions, so partners no longer under maintenance can upgrade to the latest version of ScreenConnect. On LinkedIn, ConnectWise CISO posted “ConnectWise has taken steps to suspend non-patched versions of ScreenConnect pending on-prem partners upgrading to the latest version.”
Why do we care?
Those stats are from Tuesday. That’s a wide swath of customers. This particular issue spread quite far in the news ecosystem, and I wanted to highlight that.
ConnectWise took quite a step to suspend earlier versions. I’m in favor of vendors taking aggressive actions on security vulnerabilities, forcing action. This isn’t entirely altruistic – they have a responsibility for the software they create. It can be both the right thing to do, and the only thing to do.

