CVERadar

CVE-2024-1709

Critical Severity
Connectwise
SVRS: 98/100
CVSSv3: 10.0/10
EPSS: 0.94364/1

CVE-2024-1709 is a critical authentication bypass vulnerability affecting ConnectWise ScreenConnect versions 23.9.7 and earlier. This flaw allows attackers to bypass normal authentication procedures, potentially granting them unauthorized access to sensitive data and critical systems. With a SOCRadar Vulnerability Risk Score (SVRS) of 98, this vulnerability is deemed extremely critical and requires immediate attention. Active exploits are available and the vulnerability has been observed in the wild, being actively used in ransomware campaigns, indicating a high risk of exploitation. Organizations using affected versions of ConnectWise ScreenConnect should immediately apply the necessary patches or mitigation measures. The severity of CVE-2024-1709 is amplified by its presence in the CISA KEV catalog, making it a high-priority target for threat actors and demanding swift remediation. This vulnerability represents a significant threat due to the potential for complete system compromise and data exfiltration.

In The Wild
Known Ransomware Campaign Use
Exploit Available
CISA KEV
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2024-02-21

2025-01-27
SOCRadar AI Insight

Description:

CVE-2024-1709 is a critical vulnerability in ConnectWise ScreenConnect 23.9.7 and prior versions. It allows an attacker to bypass authentication and gain direct access to confidential information or critical systems. The SVRS score of 64 indicates a high severity level, urging immediate action to address the threat.

Key Insights:

  1. Authentication Bypass: This vulnerability enables an attacker to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive data, systems, or resources.
  2. Confidentiality and Integrity Compromise: Exploitation of this vulnerability could result in the compromise of confidential information, leading to data breaches, financial losses, or reputational damage.
  3. Critical Systems at Risk: The vulnerability affects critical systems, increasing the potential impact and severity of an attack.

Mitigation Strategies:

  1. Update Software: Apply the latest software updates and patches provided by ConnectWise to address the vulnerability.
  2. Implement Strong Authentication: Enhance authentication mechanisms by enforcing multi-factor authentication (MFA) and strong passwords to prevent unauthorized access.
  3. Network Segmentation: Implement network segmentation to limit the attacker's access to critical systems and data in case of a successful breach.
  4. Security Awareness Training: Educate employees about the vulnerability and its potential consequences, emphasizing the importance of cybersecurity best practices.

Additional Information:

  • Threat Actors/APT Groups: There is no information available regarding specific threat actors or APT groups actively exploiting this vulnerability.
  • Exploit Status: Active exploits have not been published yet.
  • CISA Warnings: The Cybersecurity and Infrastructure Security Agency (CISA) has not issued a warning for this vulnerability.
  • In the Wild: There is no evidence of this vulnerability being actively exploited in the wild.


Indicators of Compromise


Exploits

Title | Software Link | Date
codeb0ss/CVE-2024-1709-PoC | https://github.com/codeb0ss/CVE-2024-1709-PoC | 2024-05-24
Ostorlab/KEV | https://github.com/Ostorlab/KEV | 2022-04-19
nomi-sec/PoC-in-GitHub | https://github.com/nomi-sec/PoC-in-GitHub | 2019-12-08
xaitax/SploitScan | https://github.com/xaitax/SploitScan | 2024-01-14
AhmedMansour93/Event-ID-229-Rule-Name-SOC262-CVE-2024-1709- | https://github.com/AhmedMansour93/Event-ID-229-Rule-Name-SOC262-CVE-2024-1709- | 2024-09-12
ConnectWise ScreenConnect Authentication Bypass Vulnerability | https://www.cisa.gov/search?g=CVE-2024-1709 | 2024-02-22
watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc | https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc | 2024-02-21

News

ISC StormCast for Thursday, February 22nd, 2024
Dr. Johannes B. Ullrich, 2024-02-22
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Archive.org Phish; ScreenConnect PoC; Post Quantum iMessage; Phishing Pages Hosted on Archive.org https://isc.sans.edu/forums/diary/Phishing%20pages%20hosted%20on%20archive.org/30676/ ScreenConnect Authentication Bypass Exploit (CVE-2024-1709, CVE-2024-1708) https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass iMessage with PQ3 https://security.apple.com/blog/imessage-pq3/
Source: sans.edu

Attacks against ConnectWise ScreenConnect
CERT.at, 2025-04-01
The remote desktop and access software ConnectWise ScreenConnect is currently the target of cyberattacks. The software's vendor recently published a security advisory on authentication bypass and path traversal vulnerabilities and has since extended it with notes on attacks already under way and indicators of a compromise that has already taken place. We ourselves are now also receiving reports of these attacks. If you use this solution, we recommend
Source: CERT.at
Tags: cve-2024-1708, cve-2024-1709, security, software publisher

Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
Pierluigi Paganini, 2025-03-13
The Medusa ransomware operation hit over 300 organizations in critical infrastructure sectors in the United States until February 2025. The FBI, CISA, and MS-ISAC have issued a joint advisory detailing Medusa ransomware tactics, techniques, and indicators of compromise (IOCs) based on FBI investigations as recent as February 2025. This advisory is part of the #StopRansomware […]
Source: securityaffairs.co

#StopRansomware: Medusa Ransomware
CISA, 2025-03-12
Summary Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other
Source: cisa.gov

Critical Authentication Bypass Vulnerability in ScreenConnect (CVE-2024-1709) | UpGuard
2025-01-17
Cybercriminals can chain vulnerabilities in ScreenConnect, leveraging authentication bypass first and then moving through the system with path traversal.
Source: upguard.com

23 Vulnerabilities in Black Basta’s Chat Logs Exploited in the Wild, Including PAN-OS, Cisco IOS, & Exchange
Guru Baran, 2025-02-27
GreyNoise has confirmed active exploitation of 23 out of 62 vulnerabilities referenced in internal chat logs attributed to the Black Basta ransomware group. These vulnerabilities span enterprise software, security appliances, and widely deployed web applications, with several critical flaws exploited as recently as the past 24 hours. The findings underscore the persistent targeting of known […]
Source: cybersecuritynews.com

Sandworm’s Evolving Cyber Threat: BadPilot Expands Global Reach
Shruti Jain, 2025-02-19
Sandworm, also known as Russia's Military Unit 74455 within the GRU, has established itself as one of the most notorious advanced persistent threats (APT). Its cyber operations have included NotPetya, the attack on the
Source: blogger.com

Social Media

FBI & CISA Warn: Medusa Ransomware on the Rise 🚨 Medusa exploits phishing, CVE-2024-1709, PowerShell abuse, obfuscated scripts, and reverse tunneling Mitigate by updating systems, segmenting networks, enforcing MFA, and backing up data. Advisory: https://t.co/7pvERODUgS https://t.co/j7eN08DUJd

Medusa Ransomware Hits 300+ U.S. Critical Infrastructure Orgs 🚨 Active since 2021, the gang exploits CVE-2024-1709 & CVE-2023-48788, using phishing & LOTL tactics for double & triple extortion. FBI & CISA warn—fortify defenses now! https://t.co/6w8vLZ1Kpo #CyberSecurity https://t.co/1hUtbro87a

CISA: More than 300 critical infrastructure orgs attacked by Medusa ransomware: exploiting CVE-2024-1709 — vulnerability impacting popular ScreenConnect remote access tool — as well as CVE-2023-48788, which affects products from security company Fortinet. https://t.co/3Dt2dnnQOK

Actively exploited CVE : CVE-2024-1709

CVE-2024-1709 and CVE-2023-48788 are being actively exploited in Russia’s BadPilot campaign, targeting vulnerable systems. More details: https://t.co/OAGZNVVgFK #CyberSecurity #ThreatIntel

CVE-2024-1709 and CVE-2023-48788: Exploits Fueling Russia's BadPilot Campaign Uncover the threats posed by Seashell Blizzard, a cyber espionage group behind the BadPilot campaign targeting critical sectors. https://t.co/1kXPYnTdMU

Just read about Sandworm's BadPilot campaign—global cyber attacks targeting energy, telecom, and governments. They've expanded from Ukraine to the US, UK, and more using exploits like CVE-2024-1709. Stay vigilant! #CyberSecurity #APT44 #StateSponsoredHacking #GlobalThreat

Interesting new Sandworm campaign shared by MTI Systems exploited by Sandworm were notable: • ConnectWise ScreenConnect (CVE-2024-1709) • Fortinet FortiClient EMS (CVE-2023-48788) Their change of targeting to the 🇺🇸 & 🇬🇧 is interesting too 👀 https://t.co/kfgYX30ctD

Threat Intelligence and Product Vulnerability Attack Trends - Date: 2024-05-26 Threats on Products and CVEs Androxgh0st malware exploits CVE-2021-3129 & CVE-2024-1709 to deploy web shells on servers. Stay updated! More info: https://t.co/Tye2gKlBtv

ConnectWise ScreenConnect CVE-2024-1708 and CVE-2024-1709 https://t.co/UF69kg2XRL

Affected Software

Configuration 1
Type | Vendor | Product
App | Connectwise | screenconnect

References

Reference | Link
9119A7D8-5EAB-497F-8521-727C672E3725 | https://github.com/rapid7/metasploit-framework/pull/18870
9119A7D8-5EAB-497F-8521-727C672E3725 | https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
9119A7D8-5EAB-497F-8521-727C672E3725 | https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/
9119A7D8-5EAB-497F-8521-727C672E3725 | https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
9119A7D8-5EAB-497F-8521-727C672E3725 | https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
9119A7D8-5EAB-497F-8521-727C672E3725 | https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/
9119A7D8-5EAB-497F-8521-727C672E3725 | https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
9119A7D8-5EAB-497F-8521-727C672E3725 | https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
9119A7D8-5EAB-497F-8521-727C672E3725 | https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8
9119A7D8-5EAB-497F-8521-727C672E3725 | https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/

CWE Details

CWE ID | CWE Name | Description
CWE-288 | Authentication Bypass Using an Alternate Path or Channel | A product requires authentication, but the product has an alternate path or channel that does not require authentication.
