Background
ConnectWise ScreenConnect is a remote monitoring and management (RMM) platform used extensively by managed service providers (MSPs) and enterprise IT teams. The product provides remote desktop access, file transfer, and automation capabilities across large fleets of endpoints. Because MSPs use ScreenConnect to manage client systems — often with full administrative access — compromising a ScreenConnect server gives attackers a privileged beachhead into every organisation that MSP services.
CVE-2024-1709 is the authentication bypass component of the February 2024 ScreenConnect critical vulnerability pair. Rated CVSS 10.0, it enables unauthenticated access to an administrative setup function that should only be accessible during initial product configuration. When chained with CVE-2024-1708 (path traversal, CVSS 9.8), the combined exploit delivers fully unauthenticated remote code execution — a chain that saw mass exploitation within 24 hours of disclosure.
Technical Mechanism
ScreenConnect includes a setup wizard (SetupWizard.aspx) intended to be used only during initial installation to create the first administrator account. This endpoint should only be accessible on an unconfigured system — once the product is configured, it should be disabled or gated.
The vulnerability is a logic flaw in the check ScreenConnect uses to decide whether setup has already been completed, so the “is the product already configured” gate can be bypassed. By manipulating specific request parameters or headers, an attacker can make the application believe it is running in an unconfigured state, so the setup wizard accepts a new administrator account even on a fully configured production system.
The attack flow:

```http
# Step 1: Access setup wizard on configured system (should return error, but doesn't)
GET /SetupWizard.aspx HTTP/1.1
Host: screenconnect.target.com

# Step 2: POST to create new administrator account
POST /SetupWizard.aspx/ConnectWiseControl.Web.UI.SetupWizardData/InitializeNewInstallation HTTP/1.1
Host: screenconnect.target.com
Content-Type: application/json

{"email":"attacker@evil.com","organizationName":"Evil","firstName":"Attacker",
"lastName":"Admin","password":"P@ssword1","createSupportAccount":false}
```
Upon successful exploitation, the attacker has a fully credentialed administrator account on the ScreenConnect instance. This provides:
- Access to the ScreenConnect administration portal
- Ability to create new sessions to any connected endpoint
- Access to the extension upload functionality (vulnerable to CVE-2024-1708 path traversal)
- Visibility into all connected client systems and their connection details
The subsequent path traversal (CVE-2024-1708) allows the authenticated attacker to write files outside the intended extension directory, placing a web shell in the application directory for persistent RCE.
Real-World Exploitation Evidence
Exploitation of this vulnerability chain began within hours of the February 21, 2024 advisory, making it one of the fastest-exploited critical vulnerabilities in recent history. The immediacy of exploitation was partially due to the simplicity of the attack — the bypass is straightforward and requires no special tooling.
Documented exploitation:
- LockBit ransomware: Multiple LockBit affiliates exploited the vulnerability in targeted attacks against MSPs, then used ScreenConnect’s legitimate remote access capabilities to deploy ransomware to client endpoints.
- Black Basta: Confirmed use of the vulnerability for initial access in at least a dozen documented intrusions.
- Opportunistic mass scanning: Security researchers observed mass scanning for vulnerable ScreenConnect instances within 2 hours of advisory publication.
- Shodan enumeration: The vulnerability enabled trivial identification of unpatched instances; attackers leveraged Shodan and Censys to enumerate targets.
The MSP targeting aspect amplified the blast radius significantly. A single exploit against an MSP could compromise hundreds of downstream client organisations without additional exploitation steps.
Impact Assessment
The impact of this vulnerability extends beyond the directly affected ScreenConnect server:
- Immediate admin access: Creating a rogue admin account provides full control over the ScreenConnect portal.
- All-endpoints access: The attacker gains the ability to initiate remote sessions to every endpoint connected to the compromised ScreenConnect instance.
- Ransomware delivery platform: ScreenConnect’s mass command execution features become a weapon for simultaneous ransomware deployment across all connected clients.
- Stealth: Legitimate ScreenConnect traffic is often allowed through network monitoring tools as expected MSP activity, making attacker activity harder to detect.
- Persistence without malware: Attackers can maintain access through legitimate ScreenConnect sessions rather than deploying malware, evading many endpoint detection solutions.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ScreenConnect (on-premises) | All versions < 23.9.8 | 23.9.8 |
| ScreenConnect Cloud | Auto-patched by ConnectWise | N/A |
ConnectWise cloud-hosted instances were patched before the advisory was published. Only self-hosted (on-premises) instances require manual patching.
Remediation Steps
- Upgrade to ScreenConnect 23.9.8 immediately: This is the only complete remediation. The update is available via the ConnectWise partner portal.
- Verify the patch: After upgrading, confirm that navigating to `https://<server>/SetupWizard.aspx` returns a 404 or redirects away. If the setup wizard is still accessible, the patch was not applied correctly.
- Audit administrator accounts: Immediately review all accounts with administrative privileges:
  - Log in to the ScreenConnect admin portal
  - Navigate to Administration > Security > Users
  - Remove any accounts not recognised by your team, particularly those created recently
- Check for web shells: Search the ScreenConnect installation directory for unexpected files:

  ```
  # Windows
  dir /s /b "C:\Program Files (x86)\ScreenConnect\App_Extensions\*.aspx"
  dir /s /b "C:\Program Files (x86)\ScreenConnect\*.aspx" | findstr /v /i "official"

  # Linux
  # -newer takes a single reference file; if the glob matches several DLLs, name the one from the last upgrade
  find /opt/screenconnect/ -name "*.aspx" -newer /opt/screenconnect/App_Web_*.dll
  ```

- Review session logs: Check for any remote sessions initiated around the time of exploitation and trace what actions were performed.
- Restrict network access: Ensure the ScreenConnect administration portal is not directly internet-accessible. Place it behind IP allowlisting or a VPN.
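The patch-verification and web-shell steps above, written out as an added Python example; this is not ConnectWise tooling or code from the original advisory. `assess_setup_wizard_response` applies the rule from the verification step (404 or a redirect away passes, 200 fails) to a status code and `Location` header, and `check_setup_wizard` runs it against a server given on the command line without following redirects. `find_unexpected_aspx` walks an install tree and reports `.aspx` files that are not on a list of shipped pages or that were modified after a baseline time, which is the same question the `find -newer` command asks, with an explicit baseline instead of a DLL timestamp. The temporary install tree, the baseline timestamp and the shipped-page list are constructed for the example and assumed; in production, point it at the real install directory with the timestamp of your last legitimate upgrade.

```python
"""Post-upgrade checks for the remediation steps above (added example)."""
import os
import sys
import tempfile
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so Location stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def assess_setup_wizard_response(status, location=None):
    """Classify the response to GET /SetupWizard.aspx on a configured server.

    404, or a redirect to somewhere other than the wizard, means the gate is in
    place; a 200 means the wizard is still reachable and the upgrade did not take.
    """
    if status == 404:
        return "patched"
    if 300 <= status < 400:
        if location and "setupwizard.aspx" in location.lower():
            return "inconclusive"   # redirected, but still into the wizard: check by hand
        return "patched"
    if status == 200:
        return "vulnerable"
    return "inconclusive"


def check_setup_wizard(base_url, timeout=10):
    """Run the check against a live server (not exercised by the offline sample)."""
    opener = build_opener(_NoRedirect)
    req = Request(base_url.rstrip("/") + "/SetupWizard.aspx", method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return assess_setup_wizard_response(resp.status, resp.headers.get("Location"))
    except HTTPError as err:            # 3xx and 4xx arrive here because of _NoRedirect
        return assess_setup_wizard_response(err.code, err.headers.get("Location"))


def find_unexpected_aspx(root, baseline_mtime, known=()):
    """Report (root-relative path, reason) for every .aspx page that is either not
    on the shipped-page list or was modified after baseline_mtime, the time of
    the last legitimate install or upgrade."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel not in known:
                hits.append((rel, "not a shipped page"))
            elif os.path.getmtime(path) > baseline_mtime:
                hits.append((rel, "shipped page modified after baseline"))
    return sorted(hits)


# Constructed sample (assumed values, not a real install): two shipped pages, one
# of them touched after the baseline, plus a page dropped into App_Extensions.
BASELINE_MTIME = 1_700_000_000
SHIPPED_PAGES = ("SetupWizard.aspx", "Login.aspx")


def build_sample_tree():
    """Create the sample tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="sc-sample-")
    layout = {
        "SetupWizard.aspx": BASELINE_MTIME - 86_400,
        "Login.aspx": BASELINE_MTIME + 3_600,
        "App_Extensions/0000/extra.aspx": BASELINE_MTIME + 86_400,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder page content\n")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("SetupWizard.aspx check:", check_setup_wizard(sys.argv[1]))
    for rel, reason in find_unexpected_aspx(build_sample_tree(), BASELINE_MTIME, SHIPPED_PAGES):
        print("unexpected .aspx:", rel, "-", reason)
```

Run it with `https://<server>` as the first argument to perform the live check; without arguments it only scans the embedded sample tree. The redirect classification deliberately treats a redirect that lands back on the wizard as inconclusive rather than patched, because the step above only accepts a redirect that goes away from the wizard.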
Detection Guidance
Log sources:
- ScreenConnect application logs (typically `C:\ProgramData\ScreenConnect\App_Data\Session.db` on Windows)
- Windows Event Logs for file creation events in the ScreenConnect directory
- IIS logs for requests to `SetupWizard.aspx`

Suspicious activity patterns:
- Requests to `/SetupWizard.aspx` on a system past initial setup
- New administrator account creation outside business hours
- File creation events in the `App_Extensions/` directory
- Outbound connections from the ScreenConnect service account to unknown IPs
Suricata signature:

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ConnectWise ScreenConnect CVE-2024-1709 Setup Wizard Access"; flow:established,to_server; http.uri; content:"/SetupWizard.aspx"; http.method; content:"POST"; sid:9000017; rev:1;)
```
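An added Python example, not part of the original guidance, that applies the IIS-log pattern above: it parses W3C-format log records using the `#Fields` directive, flags every request whose path reaches `SetupWizard.aspx` on a server that is past initial setup, and rates a POST (the account-creation call) higher than a GET. Unlike the Suricata rule, which matches POST only, it also reports the reconnaissance GET that precedes it. The log lines and client addresses are constructed for the example; the field order and the `u_ex*.log` file naming are IIS defaults.

```python
"""Sweep IIS logs for setup-wizard requests on a configured server (added example)."""
import sys

SETUP_WIZARD_MARKER = "/setupwizard.aspx"

# Constructed sample in IIS W3C extended format; not real traffic. The #Fields
# directive defines the column order, as it does in a real log file.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-02-22 03:14:07 203.0.113.45 GET /SetupWizard.aspx - 200
2024-02-22 03:14:09 203.0.113.45 POST /SetupWizard.aspx/ConnectWiseControl.Web.UI.SetupWizardData/InitializeNewInstallation - 200
2024-02-22 09:02:11 198.51.100.7 GET /Administration - 200
2024-02-22 09:05:30 198.51.100.7 GET /Host - 200
"""


def parse_iis_log(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                       # other directives carry no records
        if fields is None:
            raise ValueError("log record seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than misalign
        yield dict(zip(fields, values))


def find_setup_wizard_requests(text, system_is_configured=True):
    """Return findings for requests that reach SetupWizard.aspx.

    On a server past initial setup every such request is suspect; a POST is the
    account-creation call and is rated high. During a fresh install the traffic
    is expected, so nothing is reported.
    """
    if not system_is_configured:
        return []
    findings = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "")
        if SETUP_WIZARD_MARKER not in stem.lower():
            continue
        method = rec.get("cs-method", "").upper()
        findings.append({
            "when": f"{rec.get('date')} {rec.get('time')}",
            "client": rec.get("c-ip"),
            "method": method,
            "uri": stem,
            "status": rec.get("sc-status"),
            "severity": "high" if method == "POST" else "medium",
        })
    return findings


def clients_by_severity(findings):
    """Summarise findings as {client_ip: highest severity} for quick triage."""
    rank = {"medium": 1, "high": 2}
    worst = {}
    for finding in findings:
        client = finding["client"]
        if rank[finding["severity"]] > rank.get(worst.get(client), 0):
            worst[client] = finding["severity"]
    return worst


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_IIS_LOG
    hits = find_setup_wizard_requests(log_text)
    for hit in hits:
        print(f"{hit['severity']:6} {hit['when']} {hit['client']} {hit['method']} {hit['uri']} -> {hit['status']}")
    print("clients:", clients_by_severity(hits))
```

Run it with the path to a `u_ex*.log` file as the first argument, or without arguments to process the embedded sample. The match is a case-insensitive substring on `cs-uri-stem`, the same test the Suricata rule makes on `http.uri`, so path variations that still reach the wizard are caught rather than only the exact `/SetupWizard.aspx` string.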
Timeline
| Date | Event |
|---|---|
| February 13, 2024 | ConnectWise patches cloud-hosted instances silently |
| February 19, 2024 | ConnectWise notifies partners of upcoming advisory |
| February 21, 2024 | Public advisory released; on-premises patch (23.9.8) made available |
| February 21, 2024 | CISA adds CVE-2024-1709 to KEV catalogue |
| February 22, 2024 | Mass exploitation observed in the wild; PoC published |
| February–March 2024 | LockBit and Black Basta ransomware campaigns documented |
| March 2024 | CISA, FBI issue advisory on exploitation in healthcare sector |