ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)
What is ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
A pair of February 2024 vulnerabilities in ConnectWise ScreenConnect, an authentication bypass (CVE-2024-1709, CVSS 10.0) and a path traversal (CVE-2024-1708, CVSS 8.4), that allowed unauthenticated administrative takeover of MSP-managed RMM servers and were exploited en masse within hours.
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
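A triage check for the behaviour described above, as an added example that is not from the original page or from ConnectWise: on a server that has already been configured, any request to the SetupWizard endpoint is worth investigating. The log format, the sample lines, the function name `setup_wizard_hits` and the setup date are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified access-log format (an assumption, not ScreenConnect's
# real log layout): ISO timestamp, client IP, method, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = """\
2024-02-20T01:12:03 198.51.100.7 GET /Login 200
2024-02-20T01:14:41 203.0.113.50 GET /SetupWizard.aspx 200
2024-02-20T01:14:44 203.0.113.50 POST /setupwizard.aspx 200
2024-02-20T01:15:10 198.51.100.7 GET /Host 200
2024-02-20T02:30:00 203.0.113.99 GET /SetupWizard.aspx 404
not a log line
"""

def setup_wizard_hits(log_text, setup_completed):
    """Group requests to the setup wizard made after initial setup finished."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "served": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the triage run
        ts = datetime.fromisoformat(m["ts"])
        # Drop the query string and compare case-insensitively.
        path = m["path"].split("?", 1)[0].lower()
        if "setupwizard" not in path or ts <= setup_completed:
            continue
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["first_seen"] = min(filter(None, [entry["first_seen"], ts]))
        # 2xx/3xx means the server answered the request rather than rejecting it.
        entry["served"] = entry["served"] or m["status"][0] in "23"
    return dict(hits)

if __name__ == "__main__":
    done = datetime(2023, 6, 1)  # hypothetical date the server was first configured
    for ip, info in setup_wizard_hits(SAMPLE_LOG, done).items():
        print(ip, info["count"], info["first_seen"].isoformat(), info["served"])
```

Clients flagged with `served` set are the ones to correlate first against the server's user list for administrator accounts created around `first_seen`.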
● Examples
- 01
An MSP running ScreenConnect 23.9.7 internet-exposed on its perimeter is compromised within hours of CVE-2024-1709 disclosure; LockBit deploys ransomware to dozens of downstream customers via the existing RMM agents.
- 02
An SMB without its own SOC discovers it has been ransomware-encrypted because its MSP's ScreenConnect was unpatched the night after CVE-2024-1709 disclosure.
● Frequently asked questions
What is ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
A pair of February 2024 vulnerabilities in ConnectWise ScreenConnect, an authentication bypass (CVE-2024-1709, CVSS 10.0) and a path traversal (CVE-2024-1708, CVSS 8.4), that allowed unauthenticated administrative takeover of MSP-managed RMM servers and were exploited en masse within hours. It belongs to the category of cybersecurity vulnerabilities.
How do you protect against ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Protective measures against ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) typically combine technical controls and operational practices, as described in the definition above.
What other names are there for ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Common alternative names: CVE-2024-1709, CVE-2024-1708, ScreenConnect SetupWizard bypass.
● Related terms
- attacks № 1234
Supply chain attack
An attack that compromises a trusted software, hardware, or service provider in order to reach its downstream customers.
- malware № 1004
Ransomware
Malware that encrypts the victim's data or locks systems and demands a ransom to restore access.
- vulnerabilities № 648
Kaseya VSA supply chain attack
A ransomware supply chain attack in July 2021 in which REvil exploited zero-days in Kaseya VSA and deployed ransomware to around 1,500 downstream organizations.
- vulnerabilities № 194
CISA Known Exploited Vulnerabilities (KEV) Catalog
A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.
- defense-ops № 695
LockBit
Russian-speaking ransomware-as-a-service operation that became the most active ransomware brand worldwide between 2022 and 2024, before Operation Cronos hit it hard.
- vulnerabilities № 142
Broken authentication
A vulnerability category in which flaws in authentication or session management allow attackers to impersonate legitimate users or take over accounts.