CVE-2024-1709

10.0 CRITICAL

📋 TL;DR

CVE-2024-1709 is an authentication bypass (alternate-path bypass, CWE-288) in the ConnectWise ScreenConnect remote-access server. An unauthenticated attacker can reach the initial setup wizard on a server whose setup is already complete and use it to create a new administrative user, then log in with that account and take full control of the server and of every endpoint it manages. All on-premises deployments running 23.9.7 and earlier are affected.

💻 Affected Systems

Products:
  • ConnectWise ScreenConnect
Versions: 23.9.7 and prior versions
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments are vulnerable regardless of configuration. Cloud-hosted instances were patched by ConnectWise.

📦 What is this software?

ConnectWise ScreenConnect (formerly ConnectWise Control) is a self-hosted remote support and remote access platform. The server component serves a web interface to technicians and brokers connections to agents installed on managed endpoints, which is why compromise of the server exposes every machine enrolled with it.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the ScreenConnect server, followed by ransomware deployment, data exfiltration, and lateral movement into every network that has an enrolled agent.

🟠 Likely Case: Attackers create backdoor admin accounts, push malware to managed endpoints through legitimate remote-control sessions, and steal data from connected systems.

🟢 If Mitigated: Limited impact if the server is network-isolated, monitored, and sits behind an additional authentication layer (VPN or authenticating reverse proxy) that an attacker must pass before reaching the web port; the bypass itself is still present until the patch is applied.

🌐 Internet-Facing: HIGH - Publicly accessible instances are actively being exploited and can be compromised in minutes.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; risk increases if attacker gains internal foothold.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ConnectWise published its advisory on 19 February 2024; public proof-of-concept exploits followed on 21 February 2024 and CISA added the CVE to its Known Exploited Vulnerabilities catalog on 22 February 2024. Exploitation is a handful of HTTP requests to the setup wizard and requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.9.8 or later

Vendor Advisory: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Restart Required: Yes

Instructions:

1. Back up the current installation, at minimum the App_Data directory, which holds the user store (User.xml) and the session database.
2. Download ScreenConnect 23.9.8 or later from the ConnectWise portal.
3. Run the installer as an administrator; it upgrades the existing installation in place.
4. Restart the ScreenConnect service if the installer did not do so.
5. Verify the version in the web interface.
6. Patching does not remove accounts an attacker has already created: review the user list for unexpected administrators, delete them, and rotate the remaining credentials.

🔧 Temporary Workarounds

Network Isolation (platform: all)

Block all inbound access to the ScreenConnect ports at the host firewall. This also cuts off agents and technicians, so treat it as an emergency measure until the server is patched.

# Windows
netsh advfirewall firewall add rule name="Block ScreenConnect" dir=in action=block protocol=TCP localport=8040,8041,8042
# Linux
iptables -A INPUT -p tcp --dport 8040:8042 -j DROP

IP Allowlisting (platform: all)

Only allow trusted source addresses to reach ScreenConnect (192.168.1.0/24 below is an example range; substitute your own).

# Windows: Windows Firewall evaluates block rules before allow rules, so do not pair this with the broad "Block ScreenConnect" rule above. Remove that rule (or never add it) and rely on the profile's default inbound block.
netsh advfirewall firewall add rule name="Allow ScreenConnect" dir=in action=allow protocol=TCP localport=8040,8041,8042 remoteip=192.168.1.0/24
# Linux: the ACCEPT must sit before the DROP in the INPUT chain. -I inserts at the top, so it is matched first even if the DROP was added earlier.
iptables -I INPUT -p tcp --dport 8040:8042 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8040:8042 -j DROP

🧯 If You Can't Patch

  • Immediately take ScreenConnect servers offline or disconnect them from the network
  • Implement strict network segmentation and monitor for suspicious authentication activity and unexpected user creation
  • Treat any server that was reachable from the internet while unpatched as potentially compromised: review the user list and App_Data\User.xml for accounts you did not create before bringing it back

🔍 How to Verify

Check if Vulnerable:

Check ScreenConnect version in web interface under Setup → About. If version is 23.9.7 or lower, system is vulnerable.

Check Version:

# PowerShell (Windows): read the installed version from the Uninstall registry keys. Avoid Win32_Product, which triggers an MSI consistency check of every installed package.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like '*ScreenConnect*' | Select-Object DisplayName, DisplayVersion

Verify Fix Applied:

Verify that the version shows 23.9.8 or higher in the web interface. A patched server no longer serves the setup wizard to unauthenticated clients once setup is complete, so an unauthenticated request for /SetupWizard.aspx/ (note the trailing slash) must no longer return the wizard page. Patching does not evict an attacker who already created an account: review the user list for unexpected administrators and rotate credentials.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected admin user creation (new entries in App_Data\User.xml on the server)
  • Successful administrative logins by accounts with no provisioning record; note that the bypass needs no password guessing, so it may produce no failed login attempts at all
  • Access from unusual IP addresses to administrative endpoints

Network Indicators:

  • HTTP requests to /SetupWizard.aspx with a trailing slash or extra path segment (e.g. /SetupWizard.aspx/) on a server whose setup is already complete; the public exploit uses this form because the pre-23.9.8 "setup already completed" check matched only the exact path. A POST to that path is the likely account-creation step.
  • Requests to /Administration/* endpoints from unauthorized sources
  • Traffic to ScreenConnect default ports (8040-8042) from unexpected locations

SIEM Query:

# Illustrative Splunk-style query; the source and field names depend on how your ScreenConnect and web-server logs are ingested and must be mapped to your own schema
source="screenconnect.log" AND (event="UserCreated" OR uri_path="/SetupWizard.aspx/*" OR (status_code=200 AND auth_failure=1))
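As an added example (not from the original page, not ConnectWise code, and not a published detection rule), the following Python scans constructed HTTP access-log lines for the two strongest network indicators listed above: requests that reach SetupWizard.aspx with a trailing slash or an extra path segment, including URL-encoded forms, and administrative paths served with HTTP 200 to sources outside a trusted network. The log format (Common Log Format), the sample addresses and the trusted network are assumptions for the example; ScreenConnect's own log locations and fields differ and must be mapped accordingly.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. The addresses,
# timestamps and byte counts are invented for this example.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Feb/2024:10:00:01 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Feb/2024:10:00:03 +0000] "POST /SetupWizard.aspx/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [21/Feb/2024:10:00:09 +0000] "GET /Administration/Users HTTP/1.1" 200 9001',
    '203.0.113.9 - - [21/Feb/2024:10:03:00 +0000] "GET /SetupWizard.aspx%2Fanything HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Feb/2024:10:02:00 +0000] "GET /SetupWizard.aspx HTTP/1.1" 302 0',
    '10.0.0.5 - - [21/Feb/2024:10:02:05 +0000] "GET /Administration/ HTTP/1.1" 200 12000',
]

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)

# The public exploit reaches the setup wizard with a trailing slash or an extra
# segment after SetupWizard.aspx; the pre-23.9.8 "setup complete" check matched
# only the exact path. A bare /SetupWizard.aspx on a configured server is just
# redirected and is normal traffic, so it is deliberately not flagged.
BYPASS_RE = re.compile(r'/setupwizard\.aspx/', re.IGNORECASE)
ADMIN_RE = re.compile(r'^/administration(/|$)', re.IGNORECASE)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode percent-encoding (e.g. %2F) before matching and drop any query string,
    # so an encoded slash cannot hide the bypass from the path check.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def is_trusted(ip, trusted_networks):
    """True if ip falls inside one of the trusted CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in ipaddress.ip_network(n) for n in trusted_networks)


def scan_access_log(lines, trusted_networks=("10.0.0.0/8",)):
    """Flag CVE-2024-1709 indicators. Returns a list of (ip, reason, path) tuples."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        if BYPASS_RE.search(rec["path"]):
            reason = "setup-wizard path bypass"
            if rec["method"] == "POST":
                reason += " (POST: probable admin account creation)"
            findings.append((rec["ip"], reason, rec["path"]))
        elif (ADMIN_RE.match(rec["path"]) and rec["status"] == 200
              and not is_trusted(rec["ip"], trusted_networks)):
            findings.append((rec["ip"], "admin UI served to untrusted source", rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, reason, path in scan_access_log(SAMPLE_LOG):
        print(f"{ip:15} {reason}: {path}")
```

Running it against the constructed sample reports four findings: the GET and POST to /SetupWizard.aspx/ from 198.51.100.7, the same host's subsequent hit on /Administration/Users, and the percent-encoded variant from 203.0.113.9. The internal host's plain /SetupWizard.aspx request and its admin-UI access are left alone. Feed the function the request lines from your reverse proxy or web-server logs and adjust the trusted ranges to your environment.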

🔗 References

  • ConnectWise security bulletin, ScreenConnect 23.9.8: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
  • NVD entry for CVE-2024-1709: https://nvd.nist.gov/vuln/detail/CVE-2024-1709
