Overview
ConnectWise ScreenConnect versions 23.9.7 and prior contain a critical authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access to the remote access platform. The vulnerability exists due to an alternate path or channel that bypasses normal authentication mechanisms, potentially granting attackers access to confidential information and critical systems managed through ScreenConnect. The vulnerability was disclosed on February 21, 2024. CISA has identified CVE-2024-1709 as being exploited and is known to be used in ransomware campaigns.
Technical details
ConnectWise ScreenConnect contains an authentication bypass vulnerability in how it handles access to certain endpoints or functionalities. The vulnerability allows attackers to circumvent the authentication mechanism by exploiting an alternate path or channel to access restricted resources. This could involve direct access to API endpoints, web interfaces, or internal functions that should require proper authentication credentials but instead are left unprotected or protected by weak validation mechanisms.
The vulnerability is classified as CWE-287 (Improper Authentication) andCWE-306 (Missing Authentication for Critical Function) .
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows unauthenticated attackers to gain complete unauthorized access to ConnectWise ScreenConnect. This could result in: (1) Access to confidential information including customer data, session details, and system configurations; (2) Ability to control remote computers and systems managed through ScreenConnect; (3) Potential to pivot to other systems within connected networks; (4) Installation of malware or remote access trojans; (5) Lateral movement within enterprise environments. Given that ScreenConnect is used for remote access and IT management, successful exploitation has severe implications for affected organizations.
Mitigation and workarounds
ConnectWise has released patched versions to address this vulnerability. Organizations should immediately upgrade to ScreenConnect version 23.9.8 or later, or to version 23.12 and subsequent releases. Visit the ConnectWise ScreenConnect download page to obtain the latest patched version for your deployment model (cloud-hosted or on-premises). Refer to ConnectWise Security Release Notes for detailed upgrade instructions specific to your environment. The following versions include the necessary fixes: 23.9.8, 23.12.x and later.
As temporary workarounds: implement network-level access controls to restrict access to screenconnect to trusted ip addresses only. use firewalls, vpns, or network segmentation to limit who can reach the screenconnect interface.; disable unnecessary api endpoints or features that are not in use. review screenconnect configuration to minimize the attack surface., and monitor all authentication-related logs and connection attempts for suspicious activity. look for unauthorized access patterns or requests from unexpected sources..
CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI
