ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)
Qu'est-ce que ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) ?
ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours.
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
● Exemples
- 01
An MSP running ScreenConnect 23.9.7 internet-exposed on its perimeter is compromised within hours of CVE-2024-1709 disclosure; LockBit deploys ransomware to dozens of downstream customers via the existing RMM agents.
- 02
An SMB without its own SOC discovers it has been ransomware-encrypted because its MSP's ScreenConnect was unpatched the night after CVE-2024-1709 disclosure.
● Questions fréquentes
Qu'est-ce que ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) ?
A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours. Cette notion relève de la catégorie Vulnérabilités en cybersécurité.
Que signifie ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) ?
A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours.
Comment fonctionne ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) ?
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
Comment se défendre contre ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) ?
Les défenses contre ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) ?
Noms alternatifs courants : CVE-2024-1709, CVE-2024-1708, ScreenConnect SetupWizard bypass.
● Termes liés
- attacks№ 1234
Attaque de la chaîne d'approvisionnement
Attaque qui compromet un fournisseur de logiciel, de matériel ou de services de confiance afin d'atteindre ses clients en aval.
- malware№ 1004
Rançongiciel
Logiciel malveillant qui chiffre les données de la victime ou verrouille ses systèmes et exige une rançon pour rétablir l'accès.
- vulnerabilities№ 648
Attaque sur la chaine logicielle Kaseya VSA
Attaque ransomware sur la chaine logicielle en juillet 2021 ou REvil a exploite des zero-days de Kaseya VSA pour deployer un ransomware chez environ 1 500 organisations clientes.
- vulnerabilities№ 194
CISA Known Exploited Vulnerabilities (KEV) Catalog
A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.
- defense-ops№ 695
LockBit
Operation russophone de ransomware-as-a-service devenue la marque de rancongiciel la plus active entre 2022 et 2024, avant d'etre fortement perturbee par l'operation Cronos.
- vulnerabilities№ 142
Authentification défaillante
Catégorie de vulnérabilités où des failles d'authentification ou de gestion de session permettent à un attaquant d'usurper des comptes légitimes.