CVE-2024-1709 — ConnectWise ScreenConnect Authentication Bypass Vulnerability

ConnectWise ScreenConnect — Authentication Bypass via Setup Wizard Path Traversal Enables Unauthenticated Admin Account Creation

What is ConnectWise ScreenConnect?

ConnectWise ScreenConnect (formerly Control) is a remote desktop and remote access platform used by managed service providers (MSPs), IT support teams, and enterprises to remotely control endpoints, deliver helpdesk support, and run unattended remote sessions. Because MSPs use ScreenConnect to manage the networks of multiple client organizations, a compromised ScreenConnect server gives an attacker a foothold into every organization the MSP serves — making ScreenConnect servers extremely high-value targets for ransomware operators and supply-chain attackers.

Overview

CVE-2024-1709 is an authentication bypass vulnerability in ConnectWise ScreenConnect that allows an unauthenticated remote attacker to create a new administrator-level account on the ScreenConnect server, achieving full control of the instance without any existing credentials. With CVSS 10.0, it was immediately and massively exploited — CISA added it to the KEV catalog one day after CVE publication, with a seven-day remediation deadline that reflected the speed of active exploitation. The vulnerability is often described alongside CVE-2024-1708 (a path traversal enabling file write as a lower-privileged user), but CVE-2024-1709 alone provides unauthenticated admin access sufficient for complete server takeover.

Affected Versions

Product                     Vulnerable   Fixed
ConnectWise ScreenConnect   ≤ 23.9.7     23.9.8

Cloud-hosted ConnectWise ScreenConnect instances were patched by ConnectWise before the advisory was published. On-premises deployments required manual update.

Technical Details

The weakness class is CWE-288 (Authentication Bypass Using an Alternate Path or Channel). ScreenConnect's setup wizard — the first-run configuration interface that creates the initial admin account — remains reachable at a specific URL path even after initial setup is complete, and on already-configured instances that path is not gated by any authentication check. An attacker who sends a request to the setup endpoint can therefore create a new administrator account on an existing, fully deployed ScreenConnect server, bypassing all authentication requirements.

This class of vulnerability (setup/install endpoint not disabled post-setup) is conceptually simple but catastrophically impactful: the attacker uses the server's own administrative provisioning path to inject a rogue administrator, then leverages that admin account to:

  1. Access all remote sessions and connected endpoints.
  2. Deploy malicious agents or scripts to managed endpoints.
  3. Export credential data from the ScreenConnect database.
  4. Use the MSP's trusted channel to push ransomware or backdoors to client networks.
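To make the defect class concrete, the following added example (an illustration written for this page, not ScreenConnect's code) models a server whose first-run setup wizard creates the initial administrator. The vulnerable variant serves the setup path unconditionally; the hardened variant gates it on the server's own "setup complete" state, so the provisioning path cannot be reused to mint a second admin. Class and function names are hypothetical.

```python
"""Model of the CWE-288 defect described for CVE-2024-1709: a first-run setup
wizard that stays reachable after setup and can create an administrator.
Added illustration for this page, not ScreenConnect's implementation."""


class Server:
    def __init__(self):
        self.setup_complete = False
        self.users = {}  # username -> role

    def setup_wizard(self, username, password):
        """First-run provisioning: creates the initial admin, marks setup done."""
        self.users[username] = "admin"
        self.setup_complete = True
        return {"status": 201, "created": username}

    def admins(self):
        return sorted(u for u, r in self.users.items() if r == "admin")


class VulnerableServer(Server):
    """Every request for the setup path reaches the wizard. Nothing checks
    whether setup already ran, so an unauthenticated caller can add an admin."""

    def handle_setup_request(self, username, password):
        return self.setup_wizard(username, password)


class HardenedServer(Server):
    """The alternate path is closed: once configured, the wizard is refused.
    The decision rests on server state, not on the caller or the URL."""

    def handle_setup_request(self, username, password):
        if self.setup_complete:
            return {"status": 403, "error": "setup already completed"}
        return self.setup_wizard(username, password)


def simulate(server_cls):
    """Owner completes setup, then an unauthenticated request hits the setup
    path again. Returns (status of that second request, resulting admin list)."""
    srv = server_cls()
    srv.handle_setup_request("owner", "initial-secret")      # legitimate first run
    resp = srv.handle_setup_request("rogue", "attacker-pw")  # no credentials held
    return resp["status"], srv.admins()


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableServer))
    print("hardened:  ", simulate(HardenedServer))
```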

Discovery

The vulnerability was reported to ConnectWise, which released ScreenConnect 23.9.8 on February 19, 2024. Security firm Huntress published a detailed analysis hours after the advisory, describing the vulnerability as "catastrophic" and noting that public proof-of-concept exploits appeared within 24 hours.

Exploitation Context

CVE-2024-1709 was exploited at scale within hours of disclosure. Ransomware operators — including groups deploying LockBit, Cl0p, and other strains — were among the first to weaponize it, using compromised MSP ScreenConnect servers as a launchpad to push ransomware to dozens of downstream client organizations simultaneously. The MSP supply-chain attack vector makes the real-world impact multiplicative: each compromised ScreenConnect server touches multiple victim organizations. Huntress, Sophos, and other security vendors reported mass exploitation activity within the first 72 hours, making this one of the most quickly and broadly exploited vulnerabilities of 2024.

Remediation

  1. Update ConnectWise ScreenConnect to version 23.9.8 or later immediately. ConnectWise released the patch before public disclosure — any delay represents ongoing exposure.
  2. Cloud-hosted ScreenConnect instances were patched automatically by ConnectWise; verify the version in the admin console.
  3. After patching, audit all administrator accounts on the ScreenConnect server and remove any accounts not recognized by your team — they may have been created by attackers.
  4. Review ScreenConnect session logs for unauthorized remote sessions opened during the window of exposure.
  5. If MSP-operated: notify downstream clients of potential exposure and initiate incident response procedures to check for post-exploitation activity (new user accounts, scheduled tasks, deployed malware) on managed endpoints.
  6. Restrict ScreenConnect management interface access to known IP ranges and require MFA for all admin accounts.
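Steps 3 and 4 above amount to a window-bounded audit: any administrator account created, or remote session opened, between the fix release and the moment the server was actually patched needs to be attributable to known staff. The added example below (written for this page; the record format, account names and patch date are constructed, not ScreenConnect's real log schema) runs that check over a few constructed audit records.

```python
"""Post-patch audit for CVE-2024-1709 exposure (remediation steps 3 and 4):
flag admin accounts created in the exposure window by anyone other than known
staff, and sessions run by such accounts or by unknown actors.
Added example; record format is hypothetical, not ScreenConnect's."""
from datetime import datetime, timezone

# Exposure window for this constructed scenario: the fix shipped 2024-02-19
# (from the advisory); the date this server was patched is made up.
WINDOW_START = datetime(2024, 2, 19, tzinfo=timezone.utc)
PATCHED_AT = datetime(2024, 2, 23, 14, 0, tzinfo=timezone.utc)
KNOWN_ADMINS = {"alice", "bob"}  # constructed list of staff admin accounts

# Constructed audit records: kind,timestamp,actor,key=value,...
# ("-" as actor means no authenticated user was associated with the action.)
AUDIT_LOG = """\
user_created,2024-02-10T09:00:00Z,alice,name=bob,role=admin
user_created,2024-02-20T03:12:44Z,-,name=support_tmp,role=admin
session_start,2024-02-20T03:15:02Z,support_tmp,host=WS-042
session_start,2024-02-21T10:00:00Z,bob,host=WS-007
user_created,2024-02-24T08:00:00Z,alice,name=carol,role=admin
"""


def parse_record(line):
    kind, ts, actor, detail = line.split(",", 3)
    rec = dict(kv.split("=", 1) for kv in detail.split(","))
    rec["kind"], rec["actor"] = kind, actor
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def audit(log=AUDIT_LOG, known_admins=KNOWN_ADMINS):
    """Return human-readable findings for the exposure window."""
    findings, rogue = [], set()
    for rec in (parse_record(l) for l in log.splitlines() if l.strip()):
        if not (WINDOW_START <= rec["ts"] <= PATCHED_AT):
            continue  # outside the window: not in scope for this check
        when = f"{rec['ts']:%Y-%m-%d %H:%M}Z"
        if (rec["kind"] == "user_created" and rec["role"] == "admin"
                and rec["actor"] not in known_admins):
            rogue.add(rec["name"])
            findings.append(f"rogue admin '{rec['name']}' created {when} by '{rec['actor']}'")
        elif rec["kind"] == "session_start" and (
                rec["actor"] in rogue or rec["actor"] not in known_admins):
            findings.append(f"session on {rec['host']} at {when} by '{rec['actor']}'")
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f)
```

Accounts created after the patch by known staff (carol) and sessions by known admins inside the window (bob) are left out, so the findings list is the set of items a responder must explain or remove.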

Key Details

Property              Value
CVE ID                CVE-2024-1709
Vendor / Product      ConnectWise — ScreenConnect
NVD Published         2024-02-21
NVD Last Modified     2026-02-26
CVSS 3.1 Score        10
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-288
CISA KEV Added        2024-02-22
CISA KEV Deadline     2024-02-29
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Changed
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2024-02-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-02-19   ConnectWise releases ScreenConnect 23.9.8 patching CVE-2024-1709 and CVE-2024-1708; customers urged to update immediately
2024-02-21   CVE published
2024-02-22   Added to CISA Known Exploited Vulnerabilities catalog — one day after CVE publication, reflecting rapid in-the-wild exploitation
2024-02-29   CISA BOD 22-01 remediation deadline (7-day window — unusually short, reflecting severity)