ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)
Что такое ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours.
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
● Примеры
- 01
An MSP running ScreenConnect 23.9.7 internet-exposed on its perimeter is compromised within hours of CVE-2024-1709 disclosure; LockBit deploys ransomware to dozens of downstream customers via the existing RMM agents.
- 02
An SMB without its own SOC discovers it has been ransomware-encrypted because its MSP's ScreenConnect was unpatched the night after CVE-2024-1709 disclosure.
● Частые вопросы
Что такое ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours. Относится к категории Уязвимости в кибербезопасности.
Что означает ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
A February 2024 authentication-bypass (CVE-2024-1709, CVSS 10.0) and path-traversal (CVE-2024-1708, CVSS 8.4) in ConnectWise ScreenConnect that allowed unauthenticated administrative takeover of MSP-managed RMM servers, exploited en masse within hours.
Как работает ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
CVE-2024-1709 is a critical authentication-bypass flaw in ConnectWise ScreenConnect (now branded ConnectWise Control), a remote-monitoring-and-management product widely used by MSPs. Disclosed on 19 February 2024 alongside the related path-traversal CVE-2024-1708, it allowed an unauthenticated attacker to reach the SetupWizard endpoint on a fully configured server and create a new administrator account, achieving complete takeover. Because ScreenConnect servers are typically internet-exposed and hold persistent agent connections to thousands of endpoints across many customer organizations, a single compromised ScreenConnect server functioned as an instant multi-tenant initial-access broker. Mass exploitation began within hours of public disclosure: LockBit, Play, BlackBasta, BlackCat affiliates, several nation-state actors (Mandiant tracked at least UNC4537/Slip19), and commodity ransomware groups all weaponized the bug, hitting MSPs and downstream SMBs. ConnectWise released patches (23.9.8 / on-prem 22.4 LTS and later) and CISA added CVE-2024-1709 to the KEV catalog. The incident is one of the canonical 2024 examples of supply-chain risk via MSP tooling, comparable in shape to the 2021 Kaseya VSA case.
Как защититься от ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Защита от ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708) обычно сочетает технические меры и операционные практики, как описано в определении выше.
Какие есть другие названия ConnectWise ScreenConnect (CVE-2024-1709 / CVE-2024-1708)?
Распространённые альтернативные названия: CVE-2024-1709, CVE-2024-1708, ScreenConnect SetupWizard bypass.
● Связанные термины
- attacks№ 1234
Атака на цепочку поставок
Атака, при которой компрометируется доверенный сторонний поставщик ПО, оборудования или услуг с целью добраться до его конечных клиентов.
- malware№ 1004
Программа-вымогатель
Вредоносное ПО, которое шифрует данные жертвы или блокирует системы и требует выкуп за восстановление доступа.
- vulnerabilities№ 648
Атака на цепочку поставок Kaseya VSA
Атака вымогателей через цепочку поставок в июле 2021 года: REvil использовала 0-day в Kaseya VSA, заразив около 1500 нижестоящих организаций.
- vulnerabilities№ 194
CISA Known Exploited Vulnerabilities (KEV) Catalog
A U.S. CISA-maintained list of CVEs with credible evidence of in-the-wild exploitation, paired with mandatory remediation deadlines for U.S. federal civilian agencies and widely used by enterprises as a priority signal.
- defense-ops№ 695
LockBit
Русскоязычная ransomware-as-a-service группа, ставшая в 2022—2024 годах самой плодовитой по числу жертв и серьёзно подорванная операцией Cronos.
- vulnerabilities№ 142
Нарушенная аутентификация
Категория уязвимостей, при которой дефекты аутентификации или управления сессиями позволяют атакующему выдавать себя за легитимных пользователей или захватывать аккаунты.