Critical security advisory covering CVE-2024-1709 (CVSS 10.0) and CVE-2024-1708 (CVSS 8.4) — authentication bypass and path traversal vulnerabilities in ConnectWise ScreenConnect.
Table of Contents
- Module 1: Overview
- Module 2: Detect and Respond
- CVE Reference Table
- Attack Flow Diagram
- Vulnerability Technical Diagram
- Detection and Response Checklist
- MITRE ATT&CK Mapping
Module 1: Overview
What Is ConnectWise ScreenConnect?
ConnectWise is an IT service management platform primarily used for managing remote access servers and VPNs. Their product ScreenConnect is a remote access and management solution that:
- Securely manages computers, devices, networks, and endpoints
- Allows IT professionals to remotely log in to computers
- Manages configurations including patches, file management, and registry editors
- Includes powerful security features such as:
- Print protection
- Ransomware detection
- Auditing and compliance features
Because of its deep administrative capabilities, if an attacker gains access to ScreenConnect, the consequences are severe — full administrative control over all connected endpoints becomes accessible.
ScreenConnect is used extensively by Managed Service Providers (MSPs), which makes it a particularly high-value target: compromising a single MSP’s ScreenConnect server can cascade into attacks against every client and endpoint that MSP manages.
The Two Vulnerabilities
Two distinct vulnerabilities were disclosed, and they are most dangerous when used together:
| CVE | Type | CVSS Score | Severity |
|---|---|---|---|
| CVE-2024-1709 | Authentication Bypass | 10.0 | Critical |
| CVE-2024-1708 | Path Traversal | 8.4 | High |
As noted by the security firm Huntress in their analysis:
“This is not a vulnerability but a feature of ScreenConnect which allows an administrator to create extensions that execute .NET code as SYSTEM on the ScreenConnect server.”
However, this statement refers only to the extension execution capability in isolation. The full attack chain — authentication bypass combined with the path traversal/extension execution — transforms that feature into a full-blown remote code execution exploit requiring no prior authentication.
How the Attack Works
The exploit chain is composed of two sequential steps:
Step 1 — Authentication Bypass (CVE-2024-1709)
An attacker sends a crafted HTTP POST request to the SetupWizard.aspx endpoint. By manipulating the VIEWSTATE generator parameter within that request, they can force the server to create a new administrator username and password. This effectively gives the attacker full administrative credentials without needing any existing account.
This step is trivially automated. Proof-of-concept exploit code using Python to construct and send the POST message was publicly released on the same day the advisory was published (February 19, 2024).
Step 2 — Remote Code Execution via Extension Upload (CVE-2024-1708)
Using the newly created administrator credentials from Step 1, the attacker authenticates to the ScreenConnect administration panel and creates a malicious application extension. This extension contains arbitrary .NET code. Because the ScreenConnect service runs as SYSTEM, this code executes with the highest privilege level on the host machine.
The attacker now has unauthenticated remote code execution as SYSTEM on any vulnerable ScreenConnect server.
sequenceDiagram
participant A as Attacker
participant S as ScreenConnect Server
participant W as Windows (SYSTEM)
A->>S: POST /SetupWizard.aspx<br/>(crafted VIEWSTATE payload)
S-->>A: 200 OK — Setup wizard re-opened
A->>S: Create new admin user (attacker-controlled credentials)
S-->>A: Admin account created
A->>S: Authenticate with new admin credentials
S-->>A: Authenticated session
A->>S: Upload malicious .NET extension via API
S->>W: Execute extension code as SYSTEM
W-->>A: Remote shell / C2 beacon established
Affected Versions
Only on-premises installations are affected. Cloud-hosted instances were patched by ConnectWise before public disclosure.
| Deployment Type | Affected? | Action Required |
|---|---|---|
| Cloud-hosted (ConnectWise-managed) | No — already patched | None |
| On-premises (self-hosted) | Yes — all versions below 23.9.0.8 | Patch immediately |
Recommended action: Update all on-premises ScreenConnect servers to version 23.9.0.8 or later immediately.
ConnectWise also provided backported patches for older versions (23.9.0.7 and below), but the strong recommendation is to upgrade to the most recent release (23.9.0.8).
Note: As part of the emergency response, ConnectWise removed license restrictions for partners no longer under active maintenance contracts, enabling them to apply the patch even if their license had lapsed.
Scope and Business Impact
Using internet scanning tools (such as Shodan), researchers found 8,000 to 10,000 internet-facing ScreenConnect instances — and the actual number is likely higher, as Shodan limits results to 10,000 entries.
The true impact extends far beyond those servers:
- Each ScreenConnect server may manage hundreds or thousands of agent connections (remote endpoints).
- MSPs are the primary user base — compromising one MSP server grants access to all their clients’ environments.
- Threat actors can use compromised ScreenConnect servers as a pivot point to:
- Deploy ransomware across all managed endpoints
- Steal credentials and sensitive data
- Establish persistent command-and-control (C2) infrastructure
This vulnerability was described by Huntress as a “ransomware free for all” — providing exceptionally low-hanging fruit for opportunistic threat actors.
CISA and NSA Advisories Context
It is important to distinguish between two related but different threat scenarios involving ScreenConnect and similar Remote Monitoring and Management (RMM) tools:
Scenario A — Existing advisories (2023): CISA and NSA previously issued advisories warning that threat actors were installing legitimate RMM tools (including ScreenConnect, AnyDesk, etc.) as part of their post-compromise toolkit. After gaining initial access through phishing or other vulnerabilities, attackers deploy RMM software to establish a persistent, management-grade connection into the compromised environment, and then use it to rapidly deploy ransomware.
Scenario B — These vulnerabilities (2024): CVE-2024-1709 and CVE-2024-1708 are different — they allow an external attacker with no prior access to use ScreenConnect itself as the initial access vector. No phishing, no prior foothold required.
Both scenarios remain active threats. The 2023 advisories about RMM misuse remain relevant even for organizations that have already patched CVE-2024-1709/1708.
Active Exploitation in the Wild
ConnectWise initially stated there were no confirmed attacks following disclosure. They subsequently updated their advisory to confirm compromised accounts were reported.
Independent security firms also confirmed exploitation:
- Sophos confirmed observed attacks against servers and client machines, including post-patch exploitation (attackers were still exploiting unpatched servers).
- Huntress released a proof-of-concept on the same day as the advisory and noted widespread opportunistic exploitation activity.
The vulnerability was being actively exploited in the wild within hours of public disclosure.
Module 2: Detect and Respond
Risk Assessment and CVSS Scores
| CVE | CVSS Score | Vector | Key Risk Factors |
|---|---|---|---|
| CVE-2024-1709 | 10.0 (Critical) | Network / No Auth / No User Interaction | Highest possible score; trivial to exploit; public PoC available; pre-authentication |
| CVE-2024-1708 | 8.4 (High) | Network / Low Auth / No User Interaction | High impact; requires auth (provided by CVE-2024-1709); leads to arbitrary code execution as SYSTEM |
A CVSS score of 10.0 represents the absolute worst-case classification. This indicates:
- Complete confidentiality impact — all data accessible
- Complete integrity impact — all data modifiable
- Complete availability impact — system can be fully disrupted
- No authentication required
- No user interaction required
- Remotely exploitable over the network
Attack Surface Considerations
The risk is not limited to internet-facing deployments. Two distinct attack scenarios exist:
External Threat (Internet-Exposed Servers)
If the ScreenConnect service is publicly accessible on the internet, opportunistic threat actors continuously scanning the internet will detect it and exploit it rapidly. With public PoC code available, this process is nearly instantaneous after scanning.
Internal Threat (Laterally Accessible Servers)
Even if ScreenConnect is not internet-facing, an attacker who is already inside the network — through phishing, compromised credentials, MSSP access, or another exploit — can target the ScreenConnect server to:
- Escalate privileges to SYSTEM
- Move laterally to all machines managed by ScreenConnect
- Access systems and accounts previously out of reach
The takeaway: No deployment of ScreenConnect below version 23.9.0.8 is safe, regardless of network exposure.
Indicators of Compromise (IoCs)
ConnectWise’s initial advisory listed three IP addresses as IoCs. These IP-based indicators are of limited value because threat actors can trivially change their IP addresses or use large pools of addresses simultaneously.
More reliable and actionable IoCs are behavioral and log-based:
IoC 1 — Web Log: Requests to SetupWizard.aspx
POST /SetupWizard.aspx HTTP/1.1
Host: <ScreenConnect-server>
Content-Type: application/x-www-form-urlencoded
__VIEWSTATE=<malicious-payload>&...
Any request to SetupWizard.aspx on a fully configured system is suspicious. This endpoint should only be accessed during initial setup. Look for it in:
- IIS logs
- Apache access logs
- Elastic Load Balancer logs
- Azure/cloud proxy logs
IoC 2 — Extension Creation and Plugin ID
Following a successful authentication bypass, the attacker creates a malicious application extension. Look for:
- New extension registration events
- Unexpected plugin IDs added to the ScreenConnect configuration
- Unusual entries in the ScreenConnect extension database
IoC 3 — ConnectWise Service Spawning cmd.exe
The most definitive indicator of compromise:
Parent Process: ScreenConnect.Service.exe (or ConnectWise.exe)
Child Process: cmd.exe
Under normal operation, the ScreenConnect service should never spawn a command shell. If you observe this parent-child process relationship in Windows Event Logs or EDR telemetry, the system is compromised.
Similarly, watch for the ScreenConnect service spawning any of:
powershell.exewscript.execscript.exemshta.exerundll32.exe
IoC 4 — Outbound C2 Communications
After initial code execution, attackers typically deploy a persistent C2 agent (e.g., Cobalt Strike) to maintain access independent of the exploited vulnerability. Watch for:
- Unexpected outbound HTTPS connections on port 443 from the ScreenConnect server
- Beaconing behavior (periodic connections at regular intervals)
- Connections to newly registered or suspicious domains
- Connections to IP addresses with no DNS name
| IoC Type | What to Look For | Where to Look |
|---|---|---|
| Web Request | POST to SetupWizard.aspx | Web server logs (IIS/Apache/ALB) |
| Extension | New plugin/extension creation | ScreenConnect application logs |
| Process | ScreenConnect.Service.exe → cmd.exe | Windows Event Logs, EDR/XDR |
| Network | Outbound HTTPS from server on port 443 | Firewall logs, network monitoring |
| Auth | New admin accounts created unexpectedly | ScreenConnect admin audit logs |
Attack Chain and Log Evidence
flowchart TD
A([Threat Actor]) --> B[Internet Scan via Shodan/Censys\nIdentify exposed ScreenConnect servers]
B --> C[Send POST to /SetupWizard.aspx\nwith crafted VIEWSTATE payload]
C --> D{Auth Bypass\nCVE-2024-1709}
D -->|Success| E[New admin credentials created]
E --> F[Authenticate to ScreenConnect admin panel]
F --> G[Upload malicious .NET extension\nPath Traversal / CVE-2024-1708]
G --> H[Extension executes as SYSTEM\non ScreenConnect host]
H --> I[Stage 1: Initial Execution\ncmd.exe / PowerShell spawned by service]
I --> J[Stage 2: Deploy C2 Agent\ne.g. Cobalt Strike beacon over HTTPS port 443]
J --> K[Persistent Access Established]
K --> L1[Lateral Movement\nto connected managed endpoints]
K --> L2[Credential Harvesting\nActive Directory attack]
K --> L3[Ransomware Deployment\nacross all managed clients]
style D fill:#ff4444,color:#fff
style H fill:#ff4444,color:#fff
style K fill:#ff6600,color:#fff
style L1 fill:#cc0000,color:#fff
style L2 fill:#cc0000,color:#fff
style L3 fill:#cc0000,color:#fff
Detection Strategies
1. Immediate Log Review
Check all web server logs for requests to SetupWizard.aspx. Filter for POST requests especially.
# IIS Log filter (PowerShell example)
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -Pattern "SetupWizard.aspx"
2. EDR / Endpoint Process Monitoring
Configure your EDR or SIEM to alert on:
ScreenConnect.Service.exespawning any child processes- Any process running under the SYSTEM account that was not present before
- Outbound network connections from
ScreenConnect.Service.exe
3. New Account Auditing
Review ScreenConnect administration logs for any accounts created after the vulnerability disclosure date (February 19, 2024). Any account created during the vulnerability window and not recognized should be treated as attacker-created.
4. Network Traffic Analysis
Look for unusual outbound HTTPS connections from the ScreenConnect server — particularly to:
- IP addresses with no hostname
- Newly registered domains
- Domains or IPs with low reputation scores
5. Web Application Firewall Rules
Deploy WAF rules to:
- Block or alert on POST requests to
SetupWizard.aspxfrom external sources - Block requests with VIEWSTATE manipulation patterns
- Block extension upload requests from unauthorized sources
Remediation Steps
Priority 1 — Patch Immediately
| Action | Detail |
|---|---|
| Identify all ScreenConnect servers | Scan your environment; check with MSP/MSSP |
| Check current version | Versions below 23.9.0.8 are vulnerable |
| Apply patch | Upgrade to version 23.9.0.8 minimum |
| Verify patch success | Confirm updated version in admin console |
Priority 2 — Assess for Compromise
| Action | Detail |
|---|---|
| Review web logs | Search for POST requests to SetupWizard.aspx |
| Check for unauthorized accounts | Review all admin accounts in ScreenConnect |
| Review extensions | Audit all installed extensions for unexpected entries |
| Check process history | Search EDR/Windows logs for ScreenConnect spawning shells |
| Network review | Check firewall logs for unexpected outbound connections |
Priority 3 — Contain and Eradicate (If Compromised)
| Action | Detail |
|---|---|
| Isolate the server | Remove from network or block internet access immediately |
| Revoke credentials | Delete all unauthorized admin accounts |
| Remove malicious extensions | Identify and remove any unknown extensions |
| Reset all service credentials | Rotate passwords for all service accounts |
| Hunt for lateral movement | Check all endpoints previously connected to the server |
| Check Active Directory | Review for unauthorized accounts, group policy changes, or persistence mechanisms |
| Deploy IR team | Engage incident response; document all findings |
Priority 4 — Harden Going Forward
| Action | Detail |
|---|---|
| WAF deployment | Implement WAF in front of all internet-facing web applications |
| Network segmentation | Restrict which hosts can reach the ScreenConnect server internally |
| Monitoring | Implement continuous monitoring for RMM software behavior |
| Access control | Apply MFA to ScreenConnect administration |
| Minimize exposure | Remove ScreenConnect from internet if direct access is not required; use VPN |
Post-Incident Response and Best Practices
Whether or not your organization was compromised, this incident provides a valuable opportunity to evaluate your security posture.
If You Were Compromised — Retrospective
- Review your detection timeline: How long did it take to detect the compromise? Minutes? Days? Weeks?
- Assess your response capability: Did your team have the playbooks, tools, and access needed to respond?
- Evaluate follow-on investigation: Were you able to identify all systems the attacker touched? Were you able to find all persistence mechanisms?
- Improve based on gaps: Document what worked and what didn’t; update playbooks accordingly.
If You Were Not Compromised — Preparedness Assessment
Use this incident as a tabletop exercise trigger:
- Do you have an inventory of all RMM tools in your environment? If ScreenConnect had been deployed without your knowledge, would you have found it?
- Do you have visibility into process execution on critical servers? Would you have seen
cmd.exespawning from a service? - Do you have web application firewall coverage? Would a WAF have blocked or alerted on the SetupWizard.aspx requests?
- Do you have playbooks for critical vulnerabilities? Can your team execute a patch-and-hunt operation within hours?
General Security Best Practices
| Practice | Why It Matters Here |
|---|---|
| Maintain asset inventory | You can’t protect what you don’t know you have |
| Patch management program | Critical vulnerabilities require patching within hours, not weeks |
| Web Application Firewall | Would have blocked or detected the initial POST exploit |
| Endpoint Detection and Response (EDR) | Detects abnormal process behavior (service spawning cmd.exe) |
| Network monitoring / NDR | Detects C2 beacon behavior |
| Security Information and Event Management (SIEM) | Centralizes log analysis for rapid IoC hunting |
| Incident Response playbooks | Pre-documented steps accelerate response time |
| MFA on all administrative interfaces | Would not stop this exploit but limits blast radius post-compromise |
| Principle of Least Privilege | ScreenConnect running as SYSTEM is a best-practice violation; limit service account privileges where possible |
| Threat Intelligence | Early warning on emerging vulnerabilities and PoC release |
CVE Reference Table
| Field | CVE-2024-1709 | CVE-2024-1708 |
|---|---|---|
| CVE ID | CVE-2024-1709 | CVE-2024-1708 |
| CVSS v3.1 Score | 10.0 | 8.4 |
| Severity | Critical | High |
| Vulnerability Type | Authentication Bypass | Path Traversal / Improper Limitation of Pathname |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | None | Low (via CVE-2024-1709) |
| User Interaction | None | None |
| Scope | Changed | Unchanged |
| Confidentiality Impact | High | High |
| Integrity Impact | High | High |
| Availability Impact | High | High |
| Affected Product | ConnectWise ScreenConnect < 23.9.0.8 (on-prem) | ConnectWise ScreenConnect < 23.9.0.8 (on-prem) |
| Patched Version | 23.9.0.8 | 23.9.0.8 |
| Disclosed | February 19, 2024 | February 19, 2024 |
| Public PoC Available | Yes (same day) | Yes (chained with CVE-2024-1709) |
| Exploited in the Wild | Yes (confirmed) | Yes (chained) |
Attack Flow Diagram
flowchart LR
subgraph RECON["Phase 1: Reconnaissance"]
R1[Shodan / Censys Scan] --> R2[Identify ScreenConnect\non port 8040/443]
end
subgraph INITIAL["Phase 2: Initial Access"]
I1[POST /SetupWizard.aspx\nVIEWSTATE exploit] --> I2[New Admin Account\nCreated on Server]
end
subgraph EXEC["Phase 3: Execution"]
E1[Authenticate as\nnew admin] --> E2[Upload malicious\n.NET extension]
E2 --> E3[RCE as SYSTEM\non host]
end
subgraph PERSIST["Phase 4: Persistence"]
P1[Deploy Cobalt Strike\nor C2 agent]
P2[C2 beacon over\nHTTPS port 443]
P1 --> P2
end
subgraph IMPACT["Phase 5: Impact"]
IM1[Lateral movement\nto managed endpoints]
IM2[AD compromise\ncredential harvesting]
IM3[Ransomware\ndeployment]
end
RECON --> INITIAL
INITIAL --> EXEC
EXEC --> PERSIST
PERSIST --> IMPACT
Vulnerability Technical Diagram
flowchart TD
subgraph SC["ScreenConnect Server (On-Premises)"]
WEB[Web Interface\nASP.NET / IIS]
SETUP[SetupWizard.aspx\nEndpoint - VULNERABLE]
AUTH[Authentication\nSubsystem]
EXT[Extension Manager\n.NET Code Execution]
SVC[ScreenConnect Service\nRunning as SYSTEM]
AGENT[Connected Agents\nHundreds to Thousands of Endpoints]
end
ATK([Attacker]) -->|"CVE-2024-1709\nPOST with crafted VIEWSTATE"| SETUP
SETUP -->|"Bypasses"| AUTH
AUTH -->|"Creates attacker-controlled\nadmin account"| ATK
ATK -->|"Authenticated request\nupload malicious extension"| EXT
EXT -->|"CVE-2024-1708\nPath traversal to write extension"| SVC
SVC -->|"Code execution as SYSTEM"| ATK
SVC -->|"Manages"| AGENT
ATK -->|"Lateral movement\nvia hijacked ScreenConnect"| AGENT
style SETUP fill:#ff4444,color:#fff
style AUTH fill:#ff6600,color:#fff
style SVC fill:#ff4444,color:#fff
style ATK fill:#880000,color:#fff
Detection and Response Checklist
Immediate Actions (Within 24 Hours)
- Identify all ScreenConnect / ConnectWise instances in your environment
- Determine which instances are on-premises vs. cloud-hosted
- Check version numbers on all on-premises instances
- Patch all on-premises instances to version 23.9.0.8 or later immediately
- Review web server logs for POST requests to
SetupWizard.aspx - Audit all administrator accounts in ScreenConnect — remove any unrecognized accounts
- Audit all installed extensions — remove any unrecognized extensions
Hunt for Compromise (Within 48 Hours)
- Search EDR/endpoint logs for
ScreenConnect.Service.exespawningcmd.exeor PowerShell - Review firewall/proxy logs for unusual outbound HTTPS connections from the ScreenConnect server
- Search SIEM for the three IP-based IoCs provided by ConnectWise advisory
- Review Windows Security Event Log for new account creation events (Event ID 4720)
- Review Windows Security Event Log for privilege escalation events (Event ID 4672)
- Check for new scheduled tasks or services created around the compromise window
If Compromise Is Confirmed
- Isolate the ScreenConnect server from the network
- Preserve memory dump and disk image for forensic analysis
- Notify all clients/customers connected through the compromised server
- Begin Active Directory review — look for new accounts, changed GPOs, DCSync activity
- Enumerate all endpoints the compromised server had connections to
- Engage incident response team or MSSP
- File report with relevant authorities / CISA if applicable
- Document timeline of compromise and response
Hardening (Ongoing)
- Deploy WAF rules to block
SetupWizard.aspxPOST requests from external IPs - Implement network segmentation to limit access to ScreenConnect server internally
- Enable MFA on ScreenConnect administrator accounts
- Configure SIEM alert for ScreenConnect spawning child processes
- Review and document all RMM tools in use across the environment
- Establish a vulnerability patch SLA for critical severity items (target: < 24 hours)
- Subscribe to ConnectWise security advisories
MITRE ATT&CK Mapping
| ATT&CK Tactic | Technique | Technique ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Authentication bypass via POST to SetupWizard.aspx |
| Execution | Server Software Component: Web Shell / Extension | T1505 | Malicious .NET extension upload and execution |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | ScreenConnect service spawning cmd.exe |
| Privilege Escalation | Exploit for Privilege Escalation | T1068 | Service running as SYSTEM executes attacker code |
| Defense Evasion | Masquerading | T1036 | Using legitimate ScreenConnect extension mechanism for malicious code |
| Persistence | Create Account | T1136 | Creating new admin account via authentication bypass |
| Persistence | Server Software Component | T1505 | Malicious extension provides persistent code execution |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | C2 beacon over HTTPS on port 443 |
| Command and Control | Remote Access Software | T1219 | ScreenConnect itself used as C2 after compromise |
| Lateral Movement | Remote Services | T1021 | Lateral movement to connected managed endpoints |
| Impact | Data Encrypted for Impact | T1486 | Ransomware deployment across managed endpoints |
| Collection | Remote System Discovery | T1018 | Enumerating endpoints connected to ScreenConnect |
This document covers the ConnectWise ScreenConnect vulnerabilities CVE-2024-1709 and CVE-2024-1708, publicly disclosed on February 19, 2024.
Search Terms
connectwise · screenconnect · vulnerability · know · briefings · networking · systems · security · attack · compromise · ioc · priority · compromised · log · assessment · detection · diagram · hours · immediate · response · web · within