Using multiple security flaws in ConnectWise Control, hackers could create an “attack chain” that gives cyber-criminals the ability to hijack an MSP’s systems as well as their customers’ devices, security consultant Bishop Fox plans to announce Wednesday.
“One of our security researchers found these vulnerabilities. He deemed them severe enough to rate them as critical, and the attack chain so bad that we had to report them,” Bishop Fox Associate Vice President of Consulting Daniel Wood told CRN.
Chaining the vulnerabilities “would allow an attacker to execute arbitrary code on a victim’s Control server, as well as gain control of any client machines connected to a victim’s Control instance,” according to a post from Bishop Fox on what it calls the ConnectWise Critical (Zero-Day) Vulnerability Disclosure. read the rest here