Attackers Exploit New Vulnerabilities in ConnectWise ScreenConnect on a Large Scale

Two new vulnerabilities have been discovered in ConnectWise ScreenConnect, a popular remote desktop and remote access product used for IT support. They are tracked as CVE-2024-1709 and CVE-2024-1708, with CVE-2024-1709 posing the more significant threat to organizations.

CVE-2024-1709 allows unauthenticated remote attackers to bypass authentication, delete the ScreenConnect user database and take control of an admin user. It affects ScreenConnect version 23.9.7 and earlier. Widespread exploitation has been reported, with over 3,000 instances of vulnerable software reachable from the internet. After successful exploitation, attackers have been observed installing ransomware, information stealers and Cobalt Strike payloads.

The less severe vulnerability, CVE-2024-1708, is a path traversal flaw that lets an attacker access files and directories that should not be reachable.

Huntress, a U.S.-based cybersecurity company, has released technical details about these vulnerabilities. It found that exploiting CVE-2024-1709 gives an attacker access to the ScreenConnect setup wizard, which is responsible for creating the initial admin user and installing a license on the system. By completing a single step in the setup wizard, the attacker can overwrite the internal user database and become the sole administrator of the software, which in turn gives them the ability to execute code remotely on the compromised system.

A proof of concept for exploiting CVE-2024-1709 has been published on GitHub, demonstrating how to add a new user to a compromised system. Several attacks using this vulnerability have already been observed, with attackers dropping ransomware on customer networks.

In addition to ransomware, other cybersecurity attacks have been observed targeting vulnerable instances of ScreenConnect. These include password stealers, remote access Trojans (RATs), and Cobalt Strike payloads.

ONYPHE, a French cyber defense search engine, has identified thousands of exposed ScreenConnect instances, with the majority located in the United States.

To protect against exploitation of these vulnerabilities, ConnectWise recommends updating to the latest version of ScreenConnect (23.9.8 or higher). It has also taken steps to support partners who are no longer under maintenance by allowing them to install version 22.4, which fixes CVE-2024-1709, at no additional cost.

In terms of detection, monitoring web server logs for the pattern “/SetupWizard.aspx/” and monitoring the “%ProgramFiles(x86)%\ScreenConnect\App_Extensions” folder for unexpected changes can help identify attack attempts.
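The two detection hints above can be turned into a small triage script. The following is an added example written for this article, not code from ConnectWise or Huntress: it scans web server log lines for the literal “/SetupWizard.aspx/” pattern and compares two directory listings of the App_Extensions folder to surface files that appeared between them. The log lines and file names are constructed samples, and the simplified IIS-style log layout (date, time, client IP, method, URI, status) is an assumption; adapt the regex to the fields your server actually writes.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample log lines in a simplified IIS W3C layout:
# date time client-ip method uri-stem status. Illustrative only, not real telemetry.
SAMPLE_LOG = """\
2024-02-21 10:14:02 10.0.0.5 GET /Login 200
2024-02-21 10:14:30 10.0.0.5 GET /SetupWizard.aspx 200
2024-02-21 10:15:30 203.0.113.7 GET /SetupWizard.aspx/ 200
2024-02-21 10:15:31 203.0.113.7 POST /SetupWizard.aspx/ 302
2024-02-21 10:16:00 10.0.0.9 GET /Host 200
"""

# The pattern named in the article, including its trailing slash. IIS treats
# URL paths case-insensitively, so the match is made case-insensitive as well.
SETUP_WIZARD_PATTERN = re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE)

# Assumed log layout; only lines that parse are considered.
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)


def find_setup_wizard_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every log line whose URI contains the pattern.

    A plain request to /SetupWizard.aspx (no trailing slash) does not match,
    because the article's indicator is the form with a trailing path segment.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match and SETUP_WIZARD_PATTERN.search(match.group("uri")):
            hits.append(match.groupdict())
    return hits


def source_ips(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client IPs behind the hits, in order of first appearance."""
    seen: List[str] = []
    for hit in hits:
        if hit["ip"] not in seen:
            seen.append(hit["ip"])
    return seen


def new_extension_files(baseline: Set[str], current: Set[str]) -> Set[str]:
    """Files present in the current App_Extensions listing but not in the baseline.

    Both arguments are sets of paths relative to
    %ProgramFiles(x86)%\\ScreenConnect\\App_Extensions, captured e.g. by a
    scheduled directory walk. Anything new here deserves a look.
    """
    return current - baseline


if __name__ == "__main__":
    hits = find_setup_wizard_hits(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"{hit['date']} {hit['time']} {hit['ip']} {hit['method']} {hit['uri']}")
    print("source IPs:", source_ips(hits))

    # Constructed directory snapshots; the file names are placeholders.
    baseline = {"README.txt"}
    current = {"README.txt", "unexpected-extension/plugin.ashx"}
    print("new files in App_Extensions:", new_extension_files(baseline, current))
```

Run it against an exported log file with `find_setup_wizard_hits(open(path))` and feed the resulting IPs into your firewall or SIEM searches; a non-empty result from `new_extension_files` on a server that nobody has deliberately extended is a strong signal that the host needs an incident response review rather than just a patch.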

Disclosure: The author of this article works for Trend Micro, but the opinions expressed are their own.
