May 7, 2024 By Douglas Bonderud 4 min read

On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.

While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for both CVEs.

Despite these updates, however, malicious actors aren’t giving up just yet, with reports of new attack vectors still coming in more than a month after the initial issue was detected. Here’s what enterprises need to know about these remote access risks.

Opportunity knocks: Attackers go all-in on ScreenConnect

The first round of attacks reported for ScreenConnect was tied to malware delivery. One week after the vulnerability was reported, however, persistent phishing campaigns were discovered that targeted both the healthcare industry and cryptocurrency users.

By February 27, ransomware groups such as Black Basta and Bl00dy began exploiting these vulnerabilities. The following week saw patches from ScreenConnect to address these evolving issues, and for several weeks the volume of attacks declined.

On March 27, however, new ScreenConnect threats emerged. Both Chinese threat group UNC5274 and Initial Access Brokers began using F5 BIG-IP (CVE-2023-46747) and the ScreenConnect vulnerabilities to actively exploit organizations.

Put simply, the ubiquity and usability of ScreenConnect made it an ideal compromise point for both money-driven and nation-state threat actors. Even with patches in place, the number of insecure systems remains high enough that attack vectors continue to evolve.

Understanding the ScreenConnect compromises

So, what exactly are the ScreenConnect vulnerabilities? Let’s take a look at each.


This vulnerability was assigned a CVSS 3.1 score of 8.4 out of 10. It affects ScreenConnect version 23.9.7 and all prior versions. It is a path traversal vulnerability that allows attackers to remotely execute code.

Specifically, it allows attackers to write files within the App_Exntensions root directory rather than confining them to their correct extension subdirectory. While this exploit was problematic, its impact was limited since it required administrative credentials. In combination with CVE-2024-1709, however, this vulnerability became much more worrisome.


This vulnerability was assigned a CVSS 3.1 score of 10 out of 10, marking it “critical.” It is an authentication bypass exploit that relies on the text-based nature of the SetupWizard.aspx file.

Due to an odd .Net functionality, it is possible to input invalid URL components after a legitimate URL path and still have this data passed along to the application. In practice, this means that attackers can request /SetupWizard.aspx/anything and they can gain access to the ScreenConnect setup wizard on any ScreenConnect instance, even those that are already configured.

Once attackers access the Setup Wizard welcome screen, all they need to do is click “Next.” Even if they do not complete the setup process, clicking Next will create a new user and delete all other local users. With full admin access, attackers can easily create and upload malicious extensions to gain Remote Code Execution (RCE) access.

Problems, patches and persistence

ScreenConnect helps companies manage, monitor and troubleshoot remote devices. For example, if an employee working from home experiences issues with their company-issued smartphone, ScreenConnect lets IT staff log in remotely to diagnose and fix the issue.

Used maliciously, however, this same process can provide attackers with access to virtually all connected devices on a corporate network, both local and remote. As noted above, while CVE-2024-1708 was problematic because it let attackers remotely execute malicious code, the vulnerability began gaining traction when hackers realized they could combine CVE-2024-1709 with 1708 to wipe user databases, create their own profiles and take full administrative access.

As a result, both vulnerabilities quickly became popular paths for attackers to gain remote access. Given the massive number of devices that now make up connected corporate networks, full access combined with the ability to overwrite existing user databases made exploiting these vulnerabilities a worthwhile endeavor for attackers.

Once both vulnerabilities were patched, attack volumes dropped, as evidenced by the lack of new threat vectors reported between the end of February and the end of March. Now, attacks are on the rise again as malicious actors target companies that haven’t applied the ScreenConnect patches. In addition, attackers are leveraging new CVEs to compromise remote connections and gain network access.

For example, Chinese groups UNC5714 and UNC5724 have been spotted using a combination of CVEs, including CVE-2023-46747, which targets the F5 BIG-IP service, and CVE-2024-1709 to attack both government and defense agencies. In other words, while the initial threat of ScreenConnect attacks has largely passed, the long-term impact remains a concern as new vulnerabilities are combined with existing exploits to create more sophisticated attacks.

Staying safe from remote access risks

For customers using the cloud-based version of ScreenConnect, patches were automatically applied. For enterprises using on-prem deployments, however, patching must be handled manually. This is critical because CVE-2024-1709 is easy to exploit, allowing attackers access before companies have time to react.

It’s also worth noting that while these vulnerabilities represent one type of significant security risk, they’re not the only emerging issue. Consider the rise of dual-track exploits, which use multiple attack vectors simultaneously to overwhelm network defenses, such as the combination of F5 BIG-IP and ScreenConnect CVEs. Keyword logging tools like BunnyLoader, meanwhile, are seeing improvements that boost performance by 90%, making it easier for attackers to find what they’re looking for once they compromise defenses. As a result, companies can benefit from patch management solutions that automatically identify and apply new patches to existing tools.

Given the changeable nature of security threats, however, post-problem patching isn’t enough in isolation. Instead, companies must deploy tools capable of identifying vulnerabilities before attackers can exploit them. It’s also worth pairing detection tools with vulnerability management solutions that continually discover, analyze and remediate potential vulnerabilities.

This triple-layer approach offers the best chance against remote access risks. Scanning tools identify risks, vulnerability management tools close the gaps and patch management processes ensure that defenses are automatically kept up-to-date.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today