Understanding CVE-2024-1709 and CVE-2024-1708 - The Authentication Bypass That Shook Remote Access Security

ConnectWise ScreenConnect: The Perfect 10 CVSS Vulnerability 💯
In February 2024, the cybersecurity community witnessed one of the most critical vulnerability disclosures of the year when ConnectWise announced two severe security flaws affecting their ScreenConnect remote desktop software in versions 23.9.7 and earlier. These vulnerabilities, designated as CVE-2024-1709 and CVE-2024-1708, represented a perfect storm of security weaknesses that ransomware groups quickly weaponized to devastating effect.
What Made CVE-2024-1709 a Perfect 10?
CVE-2024-1709 received the maximum possible CVSS severity score of 10.0, marking it as one of the most critical vulnerabilities discovered in remote access software. This authentication bypass stemmed from a fundamental flaw in how ScreenConnect processed URL paths, allowing attackers to circumvent its access controls entirely.
The vulnerability’s severity stemmed from its simplicity and devastating impact. By simply requesting “/SetupWizard.aspx/literallyanything” with virtually any trailing path value, threat actors could gain access to the setup wizard on already-configured ScreenConnect instances. This meant that attackers could create administrator-level accounts on compromised systems without needing any credentials whatsoever.
The Technical Breakdown
The authentication bypass worked by exploiting how ScreenConnect validated access to its setup wizard. Under normal circumstances, the setup wizard should only be accessible during initial installation, but the trailing-path request reached it on instances that were already configured. Researchers also found that the setup wizard is responsible for creating the initial administrative user, and that the user is created immediately after clicking the “Next” button, so there is no need to complete the setup wizard fully to exploit the system.
What made this particularly devastating was that completing this step would completely overwrite the internal user database, with all other local users deleted aside from the user specified in the setup wizard. In essence, attackers could completely take over a ScreenConnect instance with just a simple HTTP request.
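The two design weaknesses described above (an access check keyed on the literal request path, and a wizard step that replaces the user store as soon as it runs) can be shown with a small model. The following is an added illustration, not ScreenConnect code: the router, both guards and the state dictionary are assumptions made for the example, and the "hardened" guard shows the defensive pattern of deciding on the resolved handler plus server state rather than on the raw URL string.

```python
"""Added illustration (not ScreenConnect code): a toy model of a setup-wizard
guard that compares the raw request path, next to a guard that decides on the
resolved handler plus server state. The router, the guards and the state
dictionary are all assumptions made for this example."""
from __future__ import annotations

from urllib.parse import unquote, urlsplit

WIZARD_PAGE = "/setupwizard.aspx"


def route(raw_path: str) -> tuple[str, str]:
    """Split a request path into (script_path, path_info) the way an
    ASP.NET-style router would: '/SetupWizard.aspx/abc' -> ('/SetupWizard.aspx', '/abc')."""
    path = unquote(urlsplit(raw_path).path)
    idx = path.lower().find(".aspx")
    if idx == -1:
        return path, ""
    end = idx + len(".aspx")
    return path[:end], path[end:]


def weak_guard(raw_path: str, setup_completed: bool) -> str:
    """Vulnerable pattern: the 'already configured' check is keyed on the exact
    raw string, while routing sends any trailing segment to the same handler."""
    script, _info = route(raw_path)
    if setup_completed and raw_path == "/SetupWizard.aspx":
        return "denied"
    return "wizard" if script.lower() == WIZARD_PAGE else "other"


def hardened_guard(raw_path: str, setup_completed: bool) -> str:
    """Fixed pattern: decide on the handler the router actually selected and on
    whether setup already ran, so varying the string cannot change the outcome."""
    script, _info = route(raw_path)
    if script.lower() != WIZARD_PAGE:
        return "other"
    return "denied" if setup_completed else "wizard"


def wizard_next(state: dict, new_admin: str) -> dict:
    """Models the wizard's first 'Next' step as the article describes it: the
    local user store is replaced by the single supplied administrator."""
    state["users"] = {new_admin: "admin"}
    state["setup_completed"] = True
    return state


def process_request(raw_path: str, state: dict, guard, new_admin: str = "newadmin") -> str:
    """Run one request through the chosen guard; a 'wizard' decision on a
    configured instance is exactly the outcome the guard exists to prevent."""
    decision = guard(raw_path, state["setup_completed"])
    if decision == "wizard":
        wizard_next(state, new_admin)
    return decision


def initial_state() -> dict:
    """Constructed state for a configured instance with two local users."""
    return {"setup_completed": True, "users": {"alice": "admin", "bob": "user"}}
```

The point of the model is the difference between the two guards: `weak_guard` reaches the wizard for any path the router maps there unless the string matches exactly, so a trailing segment (or even a change of case) passes, and the existing users are wiped; `hardened_guard` asks the router which handler was selected and refuses the wizard outright once setup has completed, so the same requests are denied and the user store is untouched.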
Security researchers dubbed this vulnerability chain “SlashAndGrab” due to its straightforward exploitation method. The exploits were described as “trivial” and “embarrassingly easy”, making them accessible even to relatively unsophisticated threat actors.
CVE-2024-1708: The Path Traversal Accomplice
While CVE-2024-1709 garnered headlines for its perfect CVSS score, CVE-2024-1708 is a path-traversal vulnerability with a CVSS score of 8.4, affecting ScreenConnect 23.9.7 and prior. This vulnerability, though lower-rated, proved equally critical when chained with the authentication bypass.
The path traversal flaw involved improper validation when extracting files from ZIP archives. Prior to the patch, a malicious extension could write files anywhere within the ScreenConnect directory instead of being properly restricted to its own extension subdirectory. This weakness enabled attackers to place malicious code in locations where it would be executed with SYSTEM-level privileges.
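The extraction pattern behind this class of bug, and the fix, can be shown generically. The following is an added illustration and not ScreenConnect's own extension loader: a naive extractor that joins archive entry names straight onto the target directory, beside a confined extractor that resolves every destination up front and refuses anything that lands outside the extension's own subdirectory. The archive contents and directory names are constructed for the example.

```python
"""Added illustration (not ScreenConnect code) of the extension-archive
extraction pattern behind a path-traversal bug: a naive extractor beside a
confined one. The archive contents and directory layout are constructed."""
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed sample: a benign manifest, plus (optionally) an entry whose
    name climbs out of the extension directory with '..'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Manifest.xml", "<Manifest/>")
        if include_traversal:
            zf.writestr("../Escaped.ashx", "<% %>")
    return buf.getvalue()


def extract_naive(archive: bytes, ext_dir: Path) -> list[Path]:
    """Vulnerable pattern: the entry name is joined onto ext_dir and written
    wherever that lands; '..' components are honoured."""
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            target = Path(os.path.normpath(ext_dir / name))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(name))
            written.append(target)
    return written


def extract_confined(archive: bytes, ext_dir: Path) -> list[Path]:
    """Hardened pattern: validate every entry before writing anything, then
    write only destinations that resolve to a path inside ext_dir."""
    root = ext_dir.resolve()
    planned: list[tuple[zipfile.ZipInfo, Path]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Reject absolute, UNC and drive-qualified names outright
            # (PureWindowsPath catches Windows forms on any host OS).
            if os.path.isabs(name) or name.startswith(("/", "\\")) or PureWindowsPath(name).drive:
                raise ValueError(f"absolute entry rejected: {name!r}")
            dest = (root / name).resolve()
            # The resolved destination must be root itself or strictly beneath it.
            if dest != root and root not in dest.parents:
                raise ValueError(f"traversal entry rejected: {name!r}")
            planned.append((info, dest))
        root.mkdir(parents=True, exist_ok=True)
        written: list[Path] = []
        for info, dest in planned:
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(dest)
    return written


def run_scenarios() -> dict:
    """Exercise both extractors in a throwaway directory and report what happened."""
    report: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp) / "App_Extensions" / "ext-a"
        naive = extract_naive(build_sample_archive(), ext_dir)
        report["naive_names"] = [p.name for p in naive]
        report["naive_escaped"] = ext_dir not in naive[1].parents
        ext_dir = Path(tmp) / "App_Extensions" / "ext-b"
        try:
            extract_confined(build_sample_archive(), ext_dir)
            report["confined_rejected"] = False
        except ValueError:
            report["confined_rejected"] = True
        report["confined_wrote_nothing"] = not ext_dir.exists()
        safe = extract_confined(build_sample_archive(include_traversal=False), ext_dir)
        report["confined_safe_names"] = [p.name for p in safe]
        report["confined_inside"] = ext_dir.resolve() in safe[0].parents
    return report
```

Two design choices matter here: the confined extractor validates the whole archive before it writes a single byte, so a rejected archive leaves no partial extension on disk, and it compares resolved paths rather than inspecting entry names for `..`, which also covers symlinked directories and absolute or drive-qualified names.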
The Deadly Combination
When chained together, these vulnerabilities created a complete attack path. An attacker would first exploit CVE-2024-1709 to gain administrative access, then leverage CVE-2024-1708 to achieve remote code execution by uploading a malicious ScreenConnect extension; once administrative access to an instance has been obtained, creating and uploading such an extension is trivial.
The Ransomware Response: Real-World Exploitation
The disclosure of these vulnerabilities triggered an immediate and widespread exploitation campaign. CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation, underscoring the severity of the threat.
Ransomware Groups in Action
Multiple sophisticated ransomware operations quickly incorporated these vulnerabilities into their attack arsenals. Black Basta and Bl00dy ransomware groups were reported to have exploited the vulnerability, demonstrating how quickly threat actors could pivot to new attack vectors.
Security researchers observed diverse malicious activities following successful exploitation. Huntress reported that threat actors had been observed attempting to deploy ransomware payloads, cryptocurrency miners, and additional remote access tools such as Cobalt Strike Beacon after gaining access to compromised devices.
One particularly notable aspect of the attacks involved the deployment of ransomware variants. The LockBit deployments observed were invoked with an encryptor that appeared to be compiled around September 13, 2022, matching the timeline of the publicly leaked LockBit 3.0 builder. This suggested that threat actors were leveraging leaked ransomware builders to rapidly deploy attacks through the ScreenConnect vulnerabilities.
Sophos reported observing ransomware payloads built using a leaked LockBit ransomware builder, further confirming that both sophisticated ransomware groups and opportunistic attackers were exploiting these flaws.
Advanced Persistent Threats Join the Fray
Beyond traditional ransomware groups, nation-state actors also recognized the value of these vulnerabilities. North Korean group Kimsuky used the vulnerability to distribute ToddleShark malware, an evolution of its earlier BabyShark and ReconShark backdoors, targeting government entities and think tanks worldwide.
Global Impact and Exposure
The scope of potential victims was staggering. As of February 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally. This massive exposure created an enormous attack surface for threat actors to exploit.
Geographic distribution revealed concentrated risk in specific regions. Earlier scans showed that nearly three-quarters of these hosts were in the U.S., with the top ten countries accounting for over 95% of global exposure. This concentration meant that American organizations faced particularly acute risk from these vulnerabilities.
The timeline of exploitation was remarkably swift. On February 21, 2024, proof of concept code was released on GitHub that exploits these vulnerabilities and adds a new user to the compromised system. Within days of the vulnerability disclosure, attackers had publicly available tools to automate exploitation.
Detection and Forensic Indicators
For organizations attempting to determine if they had been compromised, security researchers identified several key indicators. It is recommended to monitor Microsoft IIS logs for any requests to the “/SetupWizard.aspx” path that have a trailing path segment as an indicator of compromise.
Additional forensic artifacts could reveal successful exploitation. Organizations should check for temporary user creation XML files on disk within a specific time range, as these files can indicate possible exploitation of CVE-2024-1709. Furthermore, detecting potential exploitation of CVE-2024-1708 involves looking for .ASPX and .ASHX files written in the ScreenConnect App_Extensions folder.
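The two indicators that lend themselves to automation, the IIS log check and the App_Extensions sweep, can be scripted as follows. This is an added example and not from the original article or any vendor tooling: the log excerpt, its `#Fields` layout and the directory tree are constructed samples, and the decision to also flag a bare trailing slash after `/SetupWizard.aspx` is a choice made here so that the check errs toward review.

```python
"""Added detection example (not from the original article or any vendor tool):
parses IIS W3C log lines, flags requests to /SetupWizard.aspx that carry a
trailing path segment, and lists .aspx/.ashx files under an App_Extensions
directory. The log excerpt, field layout and directory tree are constructed."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Constructed IIS log excerpt; the #Fields line follows a common W3C layout.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-20 10:01:02 10.0.0.5 GET /Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2024-02-20 10:01:09 10.0.0.5 GET /SetupWizard.aspx/ - 443 - 203.0.113.7 python-requests/2.31 200
2024-02-20 10:01:10 10.0.0.5 POST /SetupWizard.aspx/anything - 443 - 203.0.113.7 python-requests/2.31 200
2024-02-20 10:01:15 10.0.0.5 GET /SetupWizard.aspx - 443 - 203.0.113.7 Mozilla/5.0 403
2024-02-20 10:02:00 10.0.0.5 GET /App_Extensions/abc/Service.ashx - 443 admin 198.51.100.9 Mozilla/5.0 200
"""

WIZARD_STEM = "/setupwizard.aspx"
HANDLER_SUFFIXES = {".aspx", ".ashx"}


def parse_iis_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C-format lines into dicts keyed by the names in the #Fields header.
    Rows before a #Fields line, comment lines and malformed rows are skipped."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def flag_setup_wizard_requests(rows: list[dict[str, str]]) -> list[dict[str, str]]:
    """Keep requests whose URI stem is /SetupWizard.aspx followed by anything
    beginning with '/'. A bare /SetupWizard.aspx is expected during a fresh
    install, so it is not flagged; the comparison is case-insensitive because
    IIS paths are."""
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        if stem.startswith(WIZARD_STEM) and stem[len(WIZARD_STEM):].startswith("/"):
            hits.append(row)
    return hits


def find_extension_handlers(app_extensions: Path) -> list[Path]:
    """List .aspx/.ashx files anywhere under App_Extensions; each one deserves
    review against the extensions an administrator actually installed."""
    return sorted(
        p for p in app_extensions.rglob("*")
        if p.is_file() and p.suffix.lower() in HANDLER_SUFFIXES
    )


def demo_extension_scan() -> list[str]:
    """Build a constructed App_Extensions tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "App_Extensions"
        (root / "abc").mkdir(parents=True)
        (root / "abc" / "Service.ashx").write_text("<% %>")
        (root / "abc" / "Manifest.xml").write_text("<Manifest/>")
        (root / "def").mkdir()
        (root / "def" / "Page.ASPX").write_text("<% %>")
        return [p.relative_to(root).as_posix() for p in find_extension_handlers(root)]
```

Against the sample, the two `python-requests` lines are flagged and the bare `/SetupWizard.aspx` request is not; on a real server, point `parse_iis_w3c` at the site's log files and correlate hits with the timestamps of any handler files the extension scan reports and of the user-creation XML files mentioned above.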
Post-Exploitation Tactics and Tradecraft
Security operations teams observed sophisticated post-exploitation activities following successful compromise. Adversaries prioritized creating their own users with naming conventions intended to fly under the radar, and adding those users to highly privileged groups.
Attackers demonstrated creativity in persistence mechanisms. Adversaries leveraged certutil to download ransomware MSI payloads, which they also made persistent via startup folders, ensuring their malware would survive system reboots.
The deployment of remote access tools represented another common tactic. Compromised ScreenConnect instances became launchpads for additional malware, including Cobalt Strike beacons and other remote administration tools that provided attackers with persistent, covert access to victim networks.
Remediation and Response
ConnectWise’s response to the crisis was swift and comprehensive. ConnectWise released a patch for both vulnerabilities in version 23.9.8, and took the extraordinary step of removing licensing restrictions to enable affected customers to upgrade regardless of their maintenance status.
For cloud-hosted implementations, remediation was automatic. Cloud-hosted implementations of ScreenConnect, including screenconnect.com and hostedrmm.com, received mitigations within hours of validation to address these vulnerabilities. However, organizations running on-premises installations needed to take immediate action.
Emergency Patching Strategy
Organizations no longer under maintenance received special consideration. ConnectWise made patched version 22.4.20001 available to any partner regardless of maintenance status as an interim step to mitigate the vulnerability. This ensured that even customers without active support contracts could protect themselves.
Some organizations encountered licensing challenges during emergency patching. To address this, if a license error arose during the upgrade, organizations were advised to stop the four ScreenConnect services and move the License.xml file from the installation folder to another location before proceeding with the upgrade.
Incident Response Guidance
For organizations suspecting compromise, security experts recommended aggressive containment measures. If you suspect your ScreenConnect software may be compromised, prioritize securing your systems by following your existing incident response playbook to isolate the affected servers and create backups to analyze later.
The guidance emphasized that compromised ScreenConnect instances might not represent the full extent of a breach. A compromised ScreenConnect server might not be the only point of entry, so incident response should encompass your entire system to identify and address any broader security vulnerabilities.
Google’s Mandiant team provided additional hardening recommendations. Organizations were encouraged to review comprehensive remediation guides that went beyond simple patching to include configuration hardening, network segmentation, and enhanced monitoring capabilities.
Long-Term Impact and Lessons Learned
The ScreenConnect vulnerability disclosure had lasting implications for the cybersecurity landscape. This exploitation marked the first instance of vulnerabilities in ScreenConnect being reported as exploited in the wild, fundamentally changing how organizations viewed the security of their remote access infrastructure.
The incident highlighted the critical importance of prompt patching for remote access solutions. Remote monitoring and management tools like ScreenConnect have become essential infrastructure for modern IT operations, making them high-value targets for attackers. When vulnerabilities in these systems achieve perfect CVSS scores, the race between defenders and attackers becomes a matter of hours, not days.
Vendor Response and Industry Standards
ConnectWise’s handling of the crisis established important precedents for vulnerability disclosure and remediation. By removing licensing barriers and providing free upgrades even to customers without maintenance contracts, the company prioritized security over revenue considerations. This approach, while costly in the short term, helped limit the overall damage from these vulnerabilities.
The incident also demonstrated the value of rapid, transparent communication. ConnectWise published detailed security bulletins promptly, worked with security researchers to understand exploitation techniques, and provided clear remediation guidance. This collaboration between vendor, researchers, and the broader security community proved essential in mounting an effective response.
Protecting Against Similar Threats
Organizations should implement several defensive measures to protect against vulnerabilities similar to CVE-2024-1709 and CVE-2024-1708:
Network Segmentation: Remote access tools should not be directly exposed to the public internet when possible. Placing these systems behind firewalls and VPNs reduces the attack surface available to unauthenticated attackers.
Rapid Patch Management: Critical vulnerabilities in remote access software demand immediate attention. Organizations need processes that enable emergency patching within hours of disclosure for maximum-severity vulnerabilities.
Enhanced Monitoring: Implement robust logging and monitoring for remote access solutions. Unusual authentication attempts, setup wizard access on configured systems, and suspicious file creation should trigger alerts.
Defense in Depth: No single security control should be relied upon exclusively. Multiple layers of defense ensure that if one control fails, others can still prevent or detect compromise.
Regular Security Assessments: Periodic vulnerability scans and penetration testing can identify exposed remote access solutions and configuration weaknesses before attackers do.
The Broader Context of Remote Access Security
The ScreenConnect vulnerabilities represent part of a larger trend of attackers targeting remote access and management tools. These systems provide exactly what attackers seek: legitimate, trusted channels for accessing and controlling systems throughout an organization’s network.
The COVID-19 pandemic accelerated remote work adoption, making remote access tools more prevalent and valuable targets. As organizations distributed their workforce, they also distributed their attack surface. Each remote access endpoint represents a potential entry point for attackers, making the security of these tools paramount.
Modern threat actors increasingly focus on supply chain attacks and trusted software exploitation. Rather than breaking through front doors, they seek to use legitimate tools and access methods. Remote access software provides an ideal vehicle for these tactics, offering authenticated, encrypted channels that security tools often trust by default.
Conclusion: A Wake-Up Call for Remote Access Security
The ConnectWise ScreenConnect CVE-2024-1709 and CVE-2024-1708 vulnerabilities served as a stark reminder of the critical security challenges facing remote access infrastructure. With a perfect CVSS score of 10.0, trivial exploitation, and active use by multiple ransomware groups, these flaws represented a worst-case scenario for defenders.
The rapid development and deployment of exploits, combined with the enormous number of exposed systems worldwide, created a crisis that demanded immediate action from organizations using ScreenConnect. The swift response by ConnectWise, security researchers, and the broader community demonstrated the importance of coordinated vulnerability disclosure and remediation.
Looking forward, the lessons from this incident remain relevant. Remote access tools will continue to be high-value targets for attackers. Organizations must prioritize the security of these systems through prompt patching, network segmentation, enhanced monitoring, and defense-in-depth strategies. The stakes are simply too high to treat remote access security as an afterthought.
As ransomware groups and nation-state actors continue evolving their tactics, the security community must remain vigilant. Today’s remote access vulnerability could become tomorrow’s massive data breach or ransomware outbreak. The ConnectWise ScreenConnect vulnerabilities demonstrated that even mature, widely deployed software can harbor critical security flaws that attackers will quickly weaponize.
The perfect 10 CVSS score assigned to CVE-2024-1709 wasn’t hyperbole—it accurately reflected the severity of a vulnerability that allowed complete system compromise with minimal effort. For security professionals, this incident underscores a fundamental truth: in the modern threat landscape, perfect scores demand perfect responses. There is no room for delay when facing vulnerabilities of this magnitude.