ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)
What is ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
A February 2024 authentication bypass (CVE-2024-1709, CVSS 10.0) and path traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours.
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
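A defender-side check for the behaviour described above, as an added example that is not ConnectWise code or part of the original entry: on a server that is already configured, any request that mentions the setup wizard deserves review. The combined-log-format input (for instance from a reverse proxy in front of the server), the sample lines, and the function names are assumptions; the match uses only the endpoint name given in the text.

```python
import re
from collections import defaultdict

# Assumed input: combined log format, e.g. from a reverse proxy.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (documentation IP ranges), not real telemetry.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Feb/2024:03:12:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.23 - - [20/Feb/2024:03:13:40 +0000] "GET /setupwizard HTTP/1.1" 302 0
203.0.113.44 - - [20/Feb/2024:03:14:09 +0000] "GET /SetupWizard HTTP/1.1" 200 7412
203.0.113.44 - - [20/Feb/2024:03:14:10 +0000] "POST /SetupWizard HTTP/1.1" 200 9321
192.0.2.15 - - [20/Feb/2024:03:20:55 +0000] "GET /Login HTTP/1.1" 200 2048
malformed line that the parser must skip
"""

def setup_wizard_hits(log_text, marker="setupwizard"):
    """Return {client_ip: [(timestamp, method, path, status), ...]} for
    requests whose path mentions the setup wizard (case-insensitive)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        if marker in m["path"].lower():
            hits[m["ip"]].append(
                (m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(hits)

def triage(hits):
    """'investigate' if a POST to the wizard was answered with 2xx
    (the server accepted setup input after setup), otherwise 'probe'."""
    verdicts = {}
    for ip, events in hits.items():
        served = any(meth == "POST" and 200 <= status < 300
                     for _, meth, _, status in events)
        verdicts[ip] = "investigate" if served else "probe"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(setup_wizard_hits(SAMPLE_LOG)).items():
        print(ip, verdict)
```

An "investigate" verdict is a prompt to review the server's administrator accounts for ones created around the logged timestamps, since account creation is the outcome the entry describes.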
● Examples
- 01
An MSP running ScreenConnect 23.9.7 internet-exposed on its perimeter is compromised within hours of CVE-2024-1709 disclosure; LockBit deploys ransomware to dozens of downstream customers via the existing RMM agents.
- 02
An SMB without its own SOC discovers it has been ransomware-encrypted because its MSP's ScreenConnect was unpatched the night after CVE-2024-1709 disclosure.
● Frequently asked questions
What is ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
A February 2024 authentication bypass (CVE-2024-1709, CVSS 10.0) and path traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours. It belongs to the cybersecurity Vulnerabilities category.
How do you defend against ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Defenses against ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) usually combine technical controls and operational practices, as detailed in the definition above.
What are other names for ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Common alternative names: CVE-2024-1709, CVE-2024-1708, ScreenConnect SetupWizard bypass.
● Related terms
- attacks№ 1234
Supply chain attack
An attack that compromises a trusted software, hardware or services supplier in order to reach its downstream customers.
- malware№ 1004
Ransomware
Malware that encrypts the victim's data or locks systems and demands payment to restore access.
- vulnerabilities№ 648
Kaseya VSA supply chain attack
A supply-chain ransomware attack in July 2021 in which REvil exploited Kaseya VSA zero-days to deploy ransomware to about 1,500 downstream organizations.
- vulnerabilities№ 194
CISA Known Exploited Vulnerabilities (KEV) Catalog
A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.
- defense-ops№ 695
LockBit
A Russian-speaking ransomware-as-a-service operation that became the most active ransomware brand between 2022 and 2024, until it was heavily disrupted by Operation Cronos.
- vulnerabilities№ 142
Broken authentication
A category of vulnerabilities in which flaws in authentication or session management allow an attacker to impersonate legitimate users or take over accounts.