CVE-2019-16516

moderate-risk
Published 2020-01-23

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.

Do I need to act?

!
38.2% chance of exploitation in next 30 days
EPSS score — higher than 62% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50618
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Control
Control

Affected Vendors

Connectwise

References (12)

Exploit http://packetstormsecurity.com/files/165432/ConnectWise-Control-19.2.24707-Usern...
Exploit https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-...
Third Party Advisory https://know.bishopfox.com/advisories
Exploit https://know.bishopfox.com/advisories/connectwise-control
Third Party Advisory https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulne...
Third Party Advisory https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chai...
Exploit http://packetstormsecurity.com/files/165432/ConnectWise-Control-19.2.24707-Usern...
Exploit https://blog.huntresslabs.com/validating-the-bishop-fox-findings-in-connectwise-...
Third Party Advisory https://know.bishopfox.com/advisories
Exploit https://know.bishopfox.com/advisories/connectwise-control
Third Party Advisory https://www.crn.com/news/managed-services/connectwise-control-msp-security-vulne...
Third Party Advisory https://www.crn.com/slide-shows/managed-services/connectwise-control-attack-chai...
45
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 17/34 · Moderate
Exposure 7/34 · Low