CVE-2024-1709 & CVE-2024-1708: Follow-Up: Active Exploitation and PoCs Observed for Critical ScreenConnect Vulnerabilities


On 20 February 2024, we published a security bulletin detailing newly disclosed authentication bypass and path traversal vulnerabilities in ConnectWise ScreenConnect. Shortly after the bulletin was sent, ConnectWise updated their security bulletin with IOCs from observed active exploitation of these vulnerabilities.

On 21 February 2024, the vulnerabilities were assigned the following CVE numbers:

  • CVE-2024-1709 (CVSS: 10): Allows a threat actor to achieve authentication bypass by leveraging an alternate path/channel.
  • CVE-2024-1708 (CVSS: 8.4): A path traversal vulnerability that is caused by the improper limitation of a pathname to a restricted directory.

Furthermore, on 21 February, several Proof of Concept (PoC) exploits for these vulnerabilities were made publicly available. Huntress published a blog article detailing their findings from recreating the exploit as their own PoC. The exploits were described as “trivial” and “embarrassingly easy”, as demonstrated in John Hammond’s video showcasing the exploitation of CVE-2024-1709, in which Remote Code Execution (RCE) is attained effortlessly.

Arctic Wolf assesses with high confidence that threat actors will increasingly target these vulnerabilities in the near term due to their ease of exploitation and potential to achieve Remote Code Execution (RCE). Additionally, ScreenConnect is extensively utilised as a Remote Management and Monitoring (RMM) tool in enterprises spanning various industries worldwide, making these vulnerabilities attractive to a range of malicious threat actors.

Recommendation for CVE-2024-1709 & CVE-2024-1708

Upgrade ConnectWise ScreenConnect to Patched Version

Due to the severity of these vulnerabilities and the low complexity of exploiting them, Arctic Wolf strongly recommends that all customers running on-premise versions of ConnectWise ScreenConnect update as soon as possible to protect against the further widespread exploitation that is expected to result from these vulnerabilities. Arctic Wolf recommends upgrading to the latest fixed version of ConnectWise ScreenConnect (at a minimum, version 23.9.8) to mitigate the vulnerabilities.

| Product | Affected Versions | Fixed Version | Latest Version |
|---|---|---|---|
| ConnectWise ScreenConnect | 23.9.7 and prior | 23.9.8 | 23.9.10.8817 |

Please follow your organisation’s patching and testing guidelines to avoid operational impact.

ScreenConnect Cloud Users: No action is required as the ScreenConnect servers hosted in the screenconnect.com cloud or hostedrmm.com have been updated to address the issue.
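
To triage on-premise servers against the version table above, the following sketch classifies reported ScreenConnect versions against the 23.9.8 minimum. It is an added example, not code from Arctic Wolf or ConnectWise; the hostnames and the inventory are constructed, and versions are compared numerically so that 23.9.10 is correctly treated as newer than 23.9.8.

```python
import re

# Minimum fixed version stated in the bulletin above.
FIXED = (23, 9, 8)

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Classify one reported version: 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual review; never assume patched
    # Compare on major.minor.patch only; pad short versions such as "23.9" with zeros.
    core = (version + (0, 0, 0))[:3]
    return "patched" if core >= FIXED else "vulnerable"

def triage(inventory):
    """Map status -> sorted hostnames for a {hostname: version} inventory."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory.items():
        result[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}

# Constructed sample inventory; hostnames are hypothetical.
SAMPLE = {
    "sc-onprem-01": "23.9.7",
    "sc-onprem-02": "23.9.8",
    "sc-onprem-03": "23.9.10.8817",
    "sc-onprem-04": "22.4.1",
    "sc-onprem-05": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed patched.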

References

  1. AW Blog (ScreenConnect Vulnerabilities)
  2. ConnectWise Security Bulletin
  3. Huntress Blog (PoC)
  4. CVE-2024-1709 Exploitation Demonstration Video
Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.