CVE-2024-1709

CVE-2024-1709 is a critical-severity vulnerability in Connectwise Screenconnect with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-02-22). The underlying weakness is classified as CWE-288.

Key facts

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

CVE-2024-1709: Critical Authentication Bypass in ConnectWise ScreenConnect

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2024-1709
Severity CRITICAL (CVSS 3.1: 10.0)
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE CWE-288 — Authentication Bypass Using an Alternate Path or Channel
EPSS 0.99959 (99.74th percentile)
KEV Listed 2024-02-22
EU Exploited Yes, since 2024-02-22

Summary

ConnectWise ScreenConnect 23.9.7 and earlier versions contain an authentication bypass vulnerability (CWE-288) that enables unauthenticated remote attackers to circumvent authentication mechanisms and gain unauthorized access to the application. With a CVSS 3.1 score of 10.0, this flaw is network-exploitable with low complexity, requires no privileges or user interaction, and can affect resources beyond the vulnerable component's security scope.

Background

ConnectWise ScreenConnect is a widely deployed remote access and support platform used by MSPs and enterprise IT teams to manage endpoints. The product's exposure to the internet makes authentication flaws especially dangerous, as successful bypass can grant an attacker full remote-control capabilities over managed endpoints.

Root Cause

The vulnerability is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. The ScreenConnect application failed to enforce proper authentication checks on specific code paths, allowing requests to reach privileged functionality without valid credentials. This created an alternate route to administrative interfaces that bypassed the intended login flow entirely.

Impact

The CVSS 3.1 metrics reflect catastrophic potential:

  • Attack Vector (AV:N): Exploitable over the network.
  • Attack Complexity (AC:L): Low complexity — no special conditions required.
  • Privileges Required (PR:N): No authentication needed.
  • User Interaction (UI:N): None required.
  • Scope (S:C): Changed — the vulnerable component can impact resources outside its own security scope.
  • Confidentiality, Integrity, Availability (C:H/I:H/A:H): Complete compromise is possible.

Successful exploitation can lead to unauthorized access to confidential information, system takeover, lateral movement, and deployment of ransomware or remote-access tools across the managed fleet.

Exploitation Walkthrough

Ethics caveat: This section describes the vulnerability mechanism at a defensive level. No weaponized exploit code is provided. Security practitioners should use this understanding to prioritize patching and detection, not to attack systems without authorization.

The flaw stems from an unauthenticated endpoint or code path that permits administrative actions — such as creating a new administrator account — without presenting valid credentials. Attackers can send crafted HTTP requests to the affected ScreenConnect instance to register a privileged user directly. Once an attacker-controlled account exists, they can log in through the normal UI and obtain full remote-control access to all connected endpoints.

Because the attack is HTTP-based and requires no pre-existing access, mass internet scanning and automated exploitation began rapidly after public disclosure.

Affected and Patched Versions

  • Affected: ConnectWise ScreenConnect 23.9.7 and prior
  • Patched: According to the vendor security bulletin, upgrade to version 23.9.8 or later

Remediation

  1. Upgrade immediately to ConnectWise ScreenConnect 23.9.8 or later. Given active exploitation (KEV-listed since 2024-02-22), patching should be treated as an emergency-change priority.
  2. Compensating controls: If immediate patching is not possible, restrict network access to ScreenConnect to trusted IP ranges via VPN or firewall rules; disable internet-facing exposure until the patch is applied.
  3. Credential review: After patching, rotate all local ScreenConnect admin credentials and review connected endpoints for unauthorized persistence.
  4. Review logs: Inspect access logs for anomalous account-creation events and unexpected authentication successes.

Detection

  • Monitor ScreenConnect application logs for unauthorized account-creation events and authentication anomalies.
  • Network detection: look for unexpected POST requests to authentication or user-management endpoints from external IPs.
  • Endpoint detection: hunt for new local administrator accounts or remote-session activity that does not correlate with known IT procedures.
  • Reference the detection guidance published by Huntress for IOCs and log-analysis queries.

Assessment

This CVE carries an EPSS score of 0.99959, placing it in the top tier of observed exploitation probability. Its inclusion in the CISA KEV catalog and EU exploited-vulnerability database confirms that threat actors have weaponized it in the wild. The combination of a perfect CVSS 3.1 score, trivial exploitability, and a high-value target platform (remote-administration software) makes this one of the highest-priority patches for any organization running ScreenConnect.

Key lessons:

  1. Remote-access and RMM tools are high-value targets; any authentication flaw in them should be treated as a critical incident.
  2. Low-complexity, unauthenticated bypasses in internet-facing applications are almost guaranteed to be mass-exploited within hours of disclosure.

References

Frequently asked questions

What is CVE-2024-1709?
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
How severe is CVE-2024-1709?
CVE-2024-1709 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-1709 being actively exploited?
Yes. CVE-2024-1709 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-02-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-1709?
CVE-2024-1709 affects Connectwise Screenconnect. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-1709?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-1709 have an EU (EUVD) identifier?
Yes. CVE-2024-1709 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-17443. It is also flagged as exploited in the EUVD (since 2024-02-22).
When was CVE-2024-1709 published?
CVE-2024-1709 was published on 2024-02-21 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Connectwise Screenconnect

All CVEs affecting Connectwise Screenconnect →

Other CWE-288 vulnerabilities

Browse all CWE-288 vulnerabilities →