CVE-2024-1709:
Authentication bypass vulnerability in ConnectWise ScreenConnect <= 23.9.7 (patched in 23.9.8) that allows a remote attacker to bypass authentication via an alternate path or channel, potentially gaining direct access to confidential information and critical systems.
Score
A numerical rating that indicates how dangerous this vulnerability is.
10.0Critical- Published Date:Feb 21, 2024
- CISA KEV Date:Feb 22, 2024
- Industries Affected:20
1 DaysThreat Predictions
- EPSS Score:94.3
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:CHANGED
Impact
- Score:6.0
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Authentication bypass vulnerability in ConnectWise ScreenConnect <= 23.9.7 (patched in 23.9.8) that allows a remote attacker to bypass authentication via an alternate path or channel, potentially gaining direct access to confidential information and critical systems.
Overview
This CVE describes a high-severity authentication bypass in ConnectWise ScreenConnect prior to 23.9.8. The flaw allows an attacker to bypass authentication through an alternate path or channel, resulting in direct access to confidential data or critical systems without requiring user interaction. The issue is rated critical (CVSS 3.1: AV network, AC low, PR none, UI none, SC changed, C/H/I/A high) and was publicly disclosed with active exploitation reported in multiple security outlets prior to the patch.
Remediation
- Upgrade to ScreenConnect to version 23.9.8 or newer as soon as possible, following the vendor’s upgrade and patching guidance.
- If immediate upgrade is not feasible, implement compensating controls to reduce exposure:
- Limit exposure by placing ScreenConnect behind a VPN or restricting access via a firewall and IP allowlists.
- Disable or tightly restrict external/public access to the ScreenConnect admin interfaces.
- Enforce network segmentation and least privilege for management components.
- After patching, verify the update to ensure the version is 23.9.8 or newer and that the remediation is in place.
- Monitor security logs and alerts for indicators of exploitation or anomalous authentication attempts; search for new admin accounts, unusual login times, or configuration changes.
- Consider additional hardening steps (if not already in place): implement MFA where supported, rotate credentials, and ensure regular backups and an incident response plan.
- Review vendor advisories and CVE-specific guidance to validate any environment-specific mitigations.
References
- - [ConnectWise Security Bulletin: ConnectWise ScreenConnect 23.9.8](https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8)
- - [Huntress: Vulnerability reproduced immediately; patch ScreenConnect 23.9.8](https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8)
- - [Huntress: Detection guidance for ConnectWise CWE-288-2](https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2)
- - [Bleeping Computer: ConnectWise urges admins to patch critical RCE flaw](https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/)
- - [GitHub: watchtowrlabs connectwise-screenconnect_auth-bypass-add-user-poc](https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc)
- - [GitHub: Metasploit Framework PR #18870](https://github.com/rapid7/metasploit-framework/pull/18870)
- - [Horizon3 AI: Red team deep dive on connectwise-screenconnect-auth-bypass](https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/)
- - [TechCrunch: Researchers warn high-risk ConnectWise flaw under attack](https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/)
- - [SecurityWeek: ConnectWise confirms ScreenConnect flaw under active exploitation](https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/)
- - [Huntress: A catastrophe for control—understanding the ScreenConnect authentication bypass](https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:*No Data*
- CISA KEV Date:Feb 22, 2024
- Days Early:1 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
