ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)
What is ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours.
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
● Examples
- 01
An MSP running ScreenConnect 23.9.7 internet-exposed on its perimeter is compromised within hours of CVE-2024-1709 disclosure; LockBit deploys ransomware to dozens of downstream customers via the existing RMM agents.
- 02
An SMB without its own SOC discovers it has been ransomware-encrypted because its MSP's ScreenConnect was unpatched the night after CVE-2024-1709 disclosure.
● Frequently asked questions
What is ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours. It belongs to the Vulnerabilities category of cybersecurity.
What does ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) mean?
A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours.
How does ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) work?
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
How do you defend against ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Defences for ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Common alternative names include: CVE-2024-1709, CVE-2024-1708, ScreenConnect SetupWizard bypass.
● Related terms
- attacks№ 1234
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- malware№ 1004
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- vulnerabilities№ 648
Kaseya VSA Supply-Chain Attack
A July 2021 supply-chain ransomware attack in which REvil exploited zero-days in Kaseya VSA to push ransomware to roughly 1,500 downstream organizations.
- vulnerabilities№ 194
CISA Known Exploited Vulnerabilities (KEV) Catalog
A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.
- defense-ops№ 695
LockBit
A Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos.
- vulnerabilities№ 142
Broken Authentication
A category of vulnerabilities where flaws in authentication or session management let attackers impersonate legitimate users or take over accounts.