On February 20, 2024, we published a security bulletin detailing newly disclosed authentication bypass and path traversal vulnerabilities in ConnectWise ScreenConnect. Shortly after the bulletin was sent, ConnectWise updated their security bulletin with IOCs from observed active exploitation of these vulnerabilities.
On February 21, 2024, the vulnerabilities were assigned the following CVE numbers:
- CVE-2024-1709 (CVSS: 10): Allows a threat actor to achieve authentication bypass by leveraging an alternate path/channel.
- CVE-2024-1708 (CVSS: 8.4): A path traversal vulnerability that is caused by the improper limitation of a pathname to a restricted directory.
Furthermore, on February 21, several Proof of Concept (PoC) exploits for these vulnerabilities were made publicly available. Huntress published a blog article detailing their findings of recreating their own PoC. The exploits were described as “trivial” and “embarrassingly easy”, as demonstrated in John Hammond’s video showcasing the exploitation of CVE-2024-1709, resulting in Remote Code Execution (RCE) being effortlessly attained.
Arctic Wolf assesses with high confidence that threat actors will increasingly target these vulnerabilities in the near-term due to their ease of exploitation and potential to achieve Remote Code Execution (RCE). Additionally, ScreenConnect is extensively utilized as a Remote Management and Monitoring (RMM) tool in enterprises spanning various industries worldwide, making these attractive vulnerabilities for a range of malicious threat actors.
Recommendation CVE-2024-1709 & CVE-2024-1708
Upgrade ConnectWise ScreenConnect to Patched Version
Due to the severity of these vulnerabilities and the low complexity in exploiting it, Arctic Wolf strongly recommends that all customers running on-premise versions of ConnectWise ScreenConnect update as soon as possible to protect against further widespread exploitation that is expected to result from these vulnerabilities. Arctic Wolf recommends upgrading to a latest fixed version of ConnectWise ScreenConnect, (at a minimum version 23.9.8), to mitigate the vulnerabilities.
| Product | Affected Versions | Fixed Version | Latest Version |
| ConnectWise ScreenConnect | 23.9.7 and prior | 23.9.8 | 23.9.10.8817 |
Please follow your organization’s patching and testing guidelines to avoid operational impact.
ScreenConnect Cloud Users: No action is required as the ScreenConnect servers hosted in the screenconnect.com cloud or hostedrmm.com have been updated to address the issue.
References
- AW Blog (ScreenConnect Vulnerabilities)
- ConnectWise Security Bulletin
- Huntress Blog (PoC)
- CVE-2024-1709 Exploitation Demonstration Video
See other important security bulletins from Arctic Wolf.
