Advanced

ConnectWise ScreenConnect Vulnerability - What You Should Know

Critical security advisory covering CVE-2024-1709 (CVSS 10.0) and CVE-2024-1708 (CVSS 8.4) — authentication bypass and path traversal vulnerabilities in ConnectWise ScreenConnect.

Critical security advisory covering CVE-2024-1709 (CVSS 10.0) and CVE-2024-1708 (CVSS 8.4) — authentication bypass and path traversal vulnerabilities in ConnectWise ScreenConnect.


Table of Contents

  1. Module 1: Overview
  2. Module 2: Detect and Respond
  3. CVE Reference Table
  4. Attack Flow Diagram
  5. Vulnerability Technical Diagram
  6. Detection and Response Checklist
  7. MITRE ATT&CK Mapping

Module 1: Overview

What Is ConnectWise ScreenConnect?

ConnectWise is an IT service management platform primarily used for managing remote access servers and VPNs. Their product ScreenConnect is a remote access and management solution that:

  • Securely manages computers, devices, networks, and endpoints
  • Allows IT professionals to remotely log in to computers
  • Manages configurations including patches, file management, and registry editors
  • Includes powerful security features such as:
    • Print protection
    • Ransomware detection
    • Auditing and compliance features

Because of its deep administrative capabilities, if an attacker gains access to ScreenConnect, the consequences are severe — full administrative control over all connected endpoints becomes accessible.

ScreenConnect is used extensively by Managed Service Providers (MSPs), which makes it a particularly high-value target: compromising a single MSP’s ScreenConnect server can cascade into attacks against every client and endpoint that MSP manages.


The Two Vulnerabilities

Two distinct vulnerabilities were disclosed, and they are most dangerous when used together:

CVETypeCVSS ScoreSeverity
CVE-2024-1709Authentication Bypass10.0Critical
CVE-2024-1708Path Traversal8.4High

As noted by the security firm Huntress in their analysis:

“This is not a vulnerability but a feature of ScreenConnect which allows an administrator to create extensions that execute .NET code as SYSTEM on the ScreenConnect server.”

However, this statement refers only to the extension execution capability in isolation. The full attack chain — authentication bypass combined with the path traversal/extension execution — transforms that feature into a full-blown remote code execution exploit requiring no prior authentication.


How the Attack Works

The exploit chain is composed of two sequential steps:

Step 1 — Authentication Bypass (CVE-2024-1709)

An attacker sends a crafted HTTP POST request to the SetupWizard.aspx endpoint. By manipulating the VIEWSTATE generator parameter within that request, they can force the server to create a new administrator username and password. This effectively gives the attacker full administrative credentials without needing any existing account.

This step is trivially automated. Proof-of-concept exploit code using Python to construct and send the POST message was publicly released on the same day the advisory was published (February 19, 2024).

Step 2 — Remote Code Execution via Extension Upload (CVE-2024-1708)

Using the newly created administrator credentials from Step 1, the attacker authenticates to the ScreenConnect administration panel and creates a malicious application extension. This extension contains arbitrary .NET code. Because the ScreenConnect service runs as SYSTEM, this code executes with the highest privilege level on the host machine.

The attacker now has unauthenticated remote code execution as SYSTEM on any vulnerable ScreenConnect server.

sequenceDiagram
    participant A as Attacker
    participant S as ScreenConnect Server
    participant W as Windows (SYSTEM)

    A->>S: POST /SetupWizard.aspx<br/>(crafted VIEWSTATE payload)
    S-->>A: 200 OK — Setup wizard re-opened
    A->>S: Create new admin user (attacker-controlled credentials)
    S-->>A: Admin account created
    A->>S: Authenticate with new admin credentials
    S-->>A: Authenticated session
    A->>S: Upload malicious .NET extension via API
    S->>W: Execute extension code as SYSTEM
    W-->>A: Remote shell / C2 beacon established

Affected Versions

Only on-premises installations are affected. Cloud-hosted instances were patched by ConnectWise before public disclosure.

Deployment TypeAffected?Action Required
Cloud-hosted (ConnectWise-managed)No — already patchedNone
On-premises (self-hosted)Yes — all versions below 23.9.0.8Patch immediately

Recommended action: Update all on-premises ScreenConnect servers to version 23.9.0.8 or later immediately.

ConnectWise also provided backported patches for older versions (23.9.0.7 and below), but the strong recommendation is to upgrade to the most recent release (23.9.0.8).

Note: As part of the emergency response, ConnectWise removed license restrictions for partners no longer under active maintenance contracts, enabling them to apply the patch even if their license had lapsed.


Scope and Business Impact

Using internet scanning tools (such as Shodan), researchers found 8,000 to 10,000 internet-facing ScreenConnect instances — and the actual number is likely higher, as Shodan limits results to 10,000 entries.

The true impact extends far beyond those servers:

  • Each ScreenConnect server may manage hundreds or thousands of agent connections (remote endpoints).
  • MSPs are the primary user base — compromising one MSP server grants access to all their clients’ environments.
  • Threat actors can use compromised ScreenConnect servers as a pivot point to:
    • Deploy ransomware across all managed endpoints
    • Steal credentials and sensitive data
    • Establish persistent command-and-control (C2) infrastructure

This vulnerability was described by Huntress as a “ransomware free for all” — providing exceptionally low-hanging fruit for opportunistic threat actors.


CISA and NSA Advisories Context

It is important to distinguish between two related but different threat scenarios involving ScreenConnect and similar Remote Monitoring and Management (RMM) tools:

Scenario A — Existing advisories (2023): CISA and NSA previously issued advisories warning that threat actors were installing legitimate RMM tools (including ScreenConnect, AnyDesk, etc.) as part of their post-compromise toolkit. After gaining initial access through phishing or other vulnerabilities, attackers deploy RMM software to establish a persistent, management-grade connection into the compromised environment, and then use it to rapidly deploy ransomware.

Scenario B — These vulnerabilities (2024): CVE-2024-1709 and CVE-2024-1708 are different — they allow an external attacker with no prior access to use ScreenConnect itself as the initial access vector. No phishing, no prior foothold required.

Both scenarios remain active threats. The 2023 advisories about RMM misuse remain relevant even for organizations that have already patched CVE-2024-1709/1708.


Active Exploitation in the Wild

ConnectWise initially stated there were no confirmed attacks following disclosure. They subsequently updated their advisory to confirm compromised accounts were reported.

Independent security firms also confirmed exploitation:

  • Sophos confirmed observed attacks against servers and client machines, including post-patch exploitation (attackers were still exploiting unpatched servers).
  • Huntress released a proof-of-concept on the same day as the advisory and noted widespread opportunistic exploitation activity.

The vulnerability was being actively exploited in the wild within hours of public disclosure.


Module 2: Detect and Respond

Risk Assessment and CVSS Scores

CVECVSS ScoreVectorKey Risk Factors
CVE-2024-170910.0 (Critical)Network / No Auth / No User InteractionHighest possible score; trivial to exploit; public PoC available; pre-authentication
CVE-2024-17088.4 (High)Network / Low Auth / No User InteractionHigh impact; requires auth (provided by CVE-2024-1709); leads to arbitrary code execution as SYSTEM

A CVSS score of 10.0 represents the absolute worst-case classification. This indicates:

  • Complete confidentiality impact — all data accessible
  • Complete integrity impact — all data modifiable
  • Complete availability impact — system can be fully disrupted
  • No authentication required
  • No user interaction required
  • Remotely exploitable over the network

Attack Surface Considerations

The risk is not limited to internet-facing deployments. Two distinct attack scenarios exist:

External Threat (Internet-Exposed Servers)

If the ScreenConnect service is publicly accessible on the internet, opportunistic threat actors continuously scanning the internet will detect it and exploit it rapidly. With public PoC code available, this process is nearly instantaneous after scanning.

Internal Threat (Laterally Accessible Servers)

Even if ScreenConnect is not internet-facing, an attacker who is already inside the network — through phishing, compromised credentials, MSSP access, or another exploit — can target the ScreenConnect server to:

  • Escalate privileges to SYSTEM
  • Move laterally to all machines managed by ScreenConnect
  • Access systems and accounts previously out of reach

The takeaway: No deployment of ScreenConnect below version 23.9.0.8 is safe, regardless of network exposure.


Indicators of Compromise (IoCs)

ConnectWise’s initial advisory listed three IP addresses as IoCs. These IP-based indicators are of limited value because threat actors can trivially change their IP addresses or use large pools of addresses simultaneously.

More reliable and actionable IoCs are behavioral and log-based:

IoC 1 — Web Log: Requests to SetupWizard.aspx

POST /SetupWizard.aspx HTTP/1.1
Host: <ScreenConnect-server>
Content-Type: application/x-www-form-urlencoded

__VIEWSTATE=<malicious-payload>&...

Any request to SetupWizard.aspx on a fully configured system is suspicious. This endpoint should only be accessed during initial setup. Look for it in:

  • IIS logs
  • Apache access logs
  • Elastic Load Balancer logs
  • Azure/cloud proxy logs

IoC 2 — Extension Creation and Plugin ID

Following a successful authentication bypass, the attacker creates a malicious application extension. Look for:

  • New extension registration events
  • Unexpected plugin IDs added to the ScreenConnect configuration
  • Unusual entries in the ScreenConnect extension database

IoC 3 — ConnectWise Service Spawning cmd.exe

The most definitive indicator of compromise:

Parent Process: ScreenConnect.Service.exe (or ConnectWise.exe)
Child Process:  cmd.exe

Under normal operation, the ScreenConnect service should never spawn a command shell. If you observe this parent-child process relationship in Windows Event Logs or EDR telemetry, the system is compromised.

Similarly, watch for the ScreenConnect service spawning any of:

  • powershell.exe
  • wscript.exe
  • cscript.exe
  • mshta.exe
  • rundll32.exe

IoC 4 — Outbound C2 Communications

After initial code execution, attackers typically deploy a persistent C2 agent (e.g., Cobalt Strike) to maintain access independent of the exploited vulnerability. Watch for:

  • Unexpected outbound HTTPS connections on port 443 from the ScreenConnect server
  • Beaconing behavior (periodic connections at regular intervals)
  • Connections to newly registered or suspicious domains
  • Connections to IP addresses with no DNS name
IoC TypeWhat to Look ForWhere to Look
Web RequestPOST to SetupWizard.aspxWeb server logs (IIS/Apache/ALB)
ExtensionNew plugin/extension creationScreenConnect application logs
ProcessScreenConnect.Service.execmd.exeWindows Event Logs, EDR/XDR
NetworkOutbound HTTPS from server on port 443Firewall logs, network monitoring
AuthNew admin accounts created unexpectedlyScreenConnect admin audit logs

Attack Chain and Log Evidence

flowchart TD
    A([Threat Actor]) --> B[Internet Scan via Shodan/Censys\nIdentify exposed ScreenConnect servers]
    B --> C[Send POST to /SetupWizard.aspx\nwith crafted VIEWSTATE payload]
    C --> D{Auth Bypass\nCVE-2024-1709}
    D -->|Success| E[New admin credentials created]
    E --> F[Authenticate to ScreenConnect admin panel]
    F --> G[Upload malicious .NET extension\nPath Traversal / CVE-2024-1708]
    G --> H[Extension executes as SYSTEM\non ScreenConnect host]
    H --> I[Stage 1: Initial Execution\ncmd.exe / PowerShell spawned by service]
    I --> J[Stage 2: Deploy C2 Agent\ne.g. Cobalt Strike beacon over HTTPS port 443]
    J --> K[Persistent Access Established]
    K --> L1[Lateral Movement\nto connected managed endpoints]
    K --> L2[Credential Harvesting\nActive Directory attack]
    K --> L3[Ransomware Deployment\nacross all managed clients]

    style D fill:#ff4444,color:#fff
    style H fill:#ff4444,color:#fff
    style K fill:#ff6600,color:#fff
    style L1 fill:#cc0000,color:#fff
    style L2 fill:#cc0000,color:#fff
    style L3 fill:#cc0000,color:#fff

Detection Strategies

1. Immediate Log Review

Check all web server logs for requests to SetupWizard.aspx. Filter for POST requests especially.

# IIS Log filter (PowerShell example)
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -Pattern "SetupWizard.aspx"

2. EDR / Endpoint Process Monitoring

Configure your EDR or SIEM to alert on:

  • ScreenConnect.Service.exe spawning any child processes
  • Any process running under the SYSTEM account that was not present before
  • Outbound network connections from ScreenConnect.Service.exe

3. New Account Auditing

Review ScreenConnect administration logs for any accounts created after the vulnerability disclosure date (February 19, 2024). Any account created during the vulnerability window and not recognized should be treated as attacker-created.

4. Network Traffic Analysis

Look for unusual outbound HTTPS connections from the ScreenConnect server — particularly to:

  • IP addresses with no hostname
  • Newly registered domains
  • Domains or IPs with low reputation scores

5. Web Application Firewall Rules

Deploy WAF rules to:

  • Block or alert on POST requests to SetupWizard.aspx from external sources
  • Block requests with VIEWSTATE manipulation patterns
  • Block extension upload requests from unauthorized sources

Remediation Steps

Priority 1 — Patch Immediately

ActionDetail
Identify all ScreenConnect serversScan your environment; check with MSP/MSSP
Check current versionVersions below 23.9.0.8 are vulnerable
Apply patchUpgrade to version 23.9.0.8 minimum
Verify patch successConfirm updated version in admin console

Priority 2 — Assess for Compromise

ActionDetail
Review web logsSearch for POST requests to SetupWizard.aspx
Check for unauthorized accountsReview all admin accounts in ScreenConnect
Review extensionsAudit all installed extensions for unexpected entries
Check process historySearch EDR/Windows logs for ScreenConnect spawning shells
Network reviewCheck firewall logs for unexpected outbound connections

Priority 3 — Contain and Eradicate (If Compromised)

ActionDetail
Isolate the serverRemove from network or block internet access immediately
Revoke credentialsDelete all unauthorized admin accounts
Remove malicious extensionsIdentify and remove any unknown extensions
Reset all service credentialsRotate passwords for all service accounts
Hunt for lateral movementCheck all endpoints previously connected to the server
Check Active DirectoryReview for unauthorized accounts, group policy changes, or persistence mechanisms
Deploy IR teamEngage incident response; document all findings

Priority 4 — Harden Going Forward

ActionDetail
WAF deploymentImplement WAF in front of all internet-facing web applications
Network segmentationRestrict which hosts can reach the ScreenConnect server internally
MonitoringImplement continuous monitoring for RMM software behavior
Access controlApply MFA to ScreenConnect administration
Minimize exposureRemove ScreenConnect from internet if direct access is not required; use VPN

Post-Incident Response and Best Practices

Whether or not your organization was compromised, this incident provides a valuable opportunity to evaluate your security posture.

If You Were Compromised — Retrospective

  1. Review your detection timeline: How long did it take to detect the compromise? Minutes? Days? Weeks?
  2. Assess your response capability: Did your team have the playbooks, tools, and access needed to respond?
  3. Evaluate follow-on investigation: Were you able to identify all systems the attacker touched? Were you able to find all persistence mechanisms?
  4. Improve based on gaps: Document what worked and what didn’t; update playbooks accordingly.

If You Were Not Compromised — Preparedness Assessment

Use this incident as a tabletop exercise trigger:

  • Do you have an inventory of all RMM tools in your environment? If ScreenConnect had been deployed without your knowledge, would you have found it?
  • Do you have visibility into process execution on critical servers? Would you have seen cmd.exe spawning from a service?
  • Do you have web application firewall coverage? Would a WAF have blocked or alerted on the SetupWizard.aspx requests?
  • Do you have playbooks for critical vulnerabilities? Can your team execute a patch-and-hunt operation within hours?

General Security Best Practices

PracticeWhy It Matters Here
Maintain asset inventoryYou can’t protect what you don’t know you have
Patch management programCritical vulnerabilities require patching within hours, not weeks
Web Application FirewallWould have blocked or detected the initial POST exploit
Endpoint Detection and Response (EDR)Detects abnormal process behavior (service spawning cmd.exe)
Network monitoring / NDRDetects C2 beacon behavior
Security Information and Event Management (SIEM)Centralizes log analysis for rapid IoC hunting
Incident Response playbooksPre-documented steps accelerate response time
MFA on all administrative interfacesWould not stop this exploit but limits blast radius post-compromise
Principle of Least PrivilegeScreenConnect running as SYSTEM is a best-practice violation; limit service account privileges where possible
Threat IntelligenceEarly warning on emerging vulnerabilities and PoC release

CVE Reference Table

FieldCVE-2024-1709CVE-2024-1708
CVE IDCVE-2024-1709CVE-2024-1708
CVSS v3.1 Score10.08.4
SeverityCriticalHigh
Vulnerability TypeAuthentication BypassPath Traversal / Improper Limitation of Pathname
Attack VectorNetworkNetwork
Attack ComplexityLowLow
Privileges RequiredNoneLow (via CVE-2024-1709)
User InteractionNoneNone
ScopeChangedUnchanged
Confidentiality ImpactHighHigh
Integrity ImpactHighHigh
Availability ImpactHighHigh
Affected ProductConnectWise ScreenConnect < 23.9.0.8 (on-prem)ConnectWise ScreenConnect < 23.9.0.8 (on-prem)
Patched Version23.9.0.823.9.0.8
DisclosedFebruary 19, 2024February 19, 2024
Public PoC AvailableYes (same day)Yes (chained with CVE-2024-1709)
Exploited in the WildYes (confirmed)Yes (chained)

Attack Flow Diagram

flowchart LR
    subgraph RECON["Phase 1: Reconnaissance"]
        R1[Shodan / Censys Scan] --> R2[Identify ScreenConnect\non port 8040/443]
    end

    subgraph INITIAL["Phase 2: Initial Access"]
        I1[POST /SetupWizard.aspx\nVIEWSTATE exploit] --> I2[New Admin Account\nCreated on Server]
    end

    subgraph EXEC["Phase 3: Execution"]
        E1[Authenticate as\nnew admin] --> E2[Upload malicious\n.NET extension]
        E2 --> E3[RCE as SYSTEM\non host]
    end

    subgraph PERSIST["Phase 4: Persistence"]
        P1[Deploy Cobalt Strike\nor C2 agent]
        P2[C2 beacon over\nHTTPS port 443]
        P1 --> P2
    end

    subgraph IMPACT["Phase 5: Impact"]
        IM1[Lateral movement\nto managed endpoints]
        IM2[AD compromise\ncredential harvesting]
        IM3[Ransomware\ndeployment]
    end

    RECON --> INITIAL
    INITIAL --> EXEC
    EXEC --> PERSIST
    PERSIST --> IMPACT

Vulnerability Technical Diagram

flowchart TD
    subgraph SC["ScreenConnect Server (On-Premises)"]
        WEB[Web Interface\nASP.NET / IIS]
        SETUP[SetupWizard.aspx\nEndpoint - VULNERABLE]
        AUTH[Authentication\nSubsystem]
        EXT[Extension Manager\n.NET Code Execution]
        SVC[ScreenConnect Service\nRunning as SYSTEM]
        AGENT[Connected Agents\nHundreds to Thousands of Endpoints]
    end

    ATK([Attacker]) -->|"CVE-2024-1709\nPOST with crafted VIEWSTATE"| SETUP
    SETUP -->|"Bypasses"| AUTH
    AUTH -->|"Creates attacker-controlled\nadmin account"| ATK
    ATK -->|"Authenticated request\nupload malicious extension"| EXT
    EXT -->|"CVE-2024-1708\nPath traversal to write extension"| SVC
    SVC -->|"Code execution as SYSTEM"| ATK
    SVC -->|"Manages"| AGENT
    ATK -->|"Lateral movement\nvia hijacked ScreenConnect"| AGENT

    style SETUP fill:#ff4444,color:#fff
    style AUTH fill:#ff6600,color:#fff
    style SVC fill:#ff4444,color:#fff
    style ATK fill:#880000,color:#fff

Detection and Response Checklist

Immediate Actions (Within 24 Hours)

  • Identify all ScreenConnect / ConnectWise instances in your environment
  • Determine which instances are on-premises vs. cloud-hosted
  • Check version numbers on all on-premises instances
  • Patch all on-premises instances to version 23.9.0.8 or later immediately
  • Review web server logs for POST requests to SetupWizard.aspx
  • Audit all administrator accounts in ScreenConnect — remove any unrecognized accounts
  • Audit all installed extensions — remove any unrecognized extensions

Hunt for Compromise (Within 48 Hours)

  • Search EDR/endpoint logs for ScreenConnect.Service.exe spawning cmd.exe or PowerShell
  • Review firewall/proxy logs for unusual outbound HTTPS connections from the ScreenConnect server
  • Search SIEM for the three IP-based IoCs provided by ConnectWise advisory
  • Review Windows Security Event Log for new account creation events (Event ID 4720)
  • Review Windows Security Event Log for privilege escalation events (Event ID 4672)
  • Check for new scheduled tasks or services created around the compromise window

If Compromise Is Confirmed

  • Isolate the ScreenConnect server from the network
  • Preserve memory dump and disk image for forensic analysis
  • Notify all clients/customers connected through the compromised server
  • Begin Active Directory review — look for new accounts, changed GPOs, DCSync activity
  • Enumerate all endpoints the compromised server had connections to
  • Engage incident response team or MSSP
  • File report with relevant authorities / CISA if applicable
  • Document timeline of compromise and response

Hardening (Ongoing)

  • Deploy WAF rules to block SetupWizard.aspx POST requests from external IPs
  • Implement network segmentation to limit access to ScreenConnect server internally
  • Enable MFA on ScreenConnect administrator accounts
  • Configure SIEM alert for ScreenConnect spawning child processes
  • Review and document all RMM tools in use across the environment
  • Establish a vulnerability patch SLA for critical severity items (target: < 24 hours)
  • Subscribe to ConnectWise security advisories

MITRE ATT&CK Mapping

ATT&CK TacticTechniqueTechnique IDDescription
Initial AccessExploit Public-Facing ApplicationT1190Authentication bypass via POST to SetupWizard.aspx
ExecutionServer Software Component: Web Shell / ExtensionT1505Malicious .NET extension upload and execution
ExecutionCommand and Scripting Interpreter: Windows Command ShellT1059.003ScreenConnect service spawning cmd.exe
Privilege EscalationExploit for Privilege EscalationT1068Service running as SYSTEM executes attacker code
Defense EvasionMasqueradingT1036Using legitimate ScreenConnect extension mechanism for malicious code
PersistenceCreate AccountT1136Creating new admin account via authentication bypass
PersistenceServer Software ComponentT1505Malicious extension provides persistent code execution
Command and ControlApplication Layer Protocol: Web ProtocolsT1071.001C2 beacon over HTTPS on port 443
Command and ControlRemote Access SoftwareT1219ScreenConnect itself used as C2 after compromise
Lateral MovementRemote ServicesT1021Lateral movement to connected managed endpoints
ImpactData Encrypted for ImpactT1486Ransomware deployment across managed endpoints
CollectionRemote System DiscoveryT1018Enumerating endpoints connected to ScreenConnect

This document covers the ConnectWise ScreenConnect vulnerabilities CVE-2024-1709 and CVE-2024-1708, publicly disclosed on February 19, 2024.


Search Terms

connectwise · screenconnect · vulnerability · know · briefings · networking · systems · security · attack · compromise · ioc · priority · compromised · log · assessment · detection · diagram · hours · immediate · response · web · within

More Vulnerability Briefings courses

View all 30

Interested in this course?

Contact us to book it or get a custom training plan for your team.