CVE-2024-1709
CVE-2024-1709 is a critical-severity vulnerability in Connectwise Screenconnect with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-02-22). The underlying weakness is classified as CWE-288.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-02-22)
- EU (EUVD) id: EUVD-2024-17443
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-02-22)
- Weakness: CWE-288
- Affected product: Connectwise Screenconnect
- Published:
- Last modified:
Description
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
CVE-2024-1709: Critical Authentication Bypass in ConnectWise ScreenConnect
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-1709 |
| Severity | CRITICAL (CVSS 3.1: 10.0) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-288 — Authentication Bypass Using an Alternate Path or Channel |
| EPSS | 0.99959 (99.74th percentile) |
| KEV | Listed 2024-02-22 |
| EU Exploited | Yes, since 2024-02-22 |
Summary
ConnectWise ScreenConnect 23.9.7 and earlier versions contain an authentication bypass vulnerability (CWE-288) that enables unauthenticated remote attackers to circumvent authentication mechanisms and gain unauthorized access to the application. With a CVSS 3.1 score of 10.0, this flaw is network-exploitable with low complexity, requires no privileges or user interaction, and can affect resources beyond the vulnerable component's security scope.
Background
ConnectWise ScreenConnect is a widely deployed remote access and support platform used by MSPs and enterprise IT teams to manage endpoints. The product's exposure to the internet makes authentication flaws especially dangerous, as successful bypass can grant an attacker full remote-control capabilities over managed endpoints.
Root Cause
The vulnerability is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. The ScreenConnect application failed to enforce proper authentication checks on specific code paths, allowing requests to reach privileged functionality without valid credentials. This created an alternate route to administrative interfaces that bypassed the intended login flow entirely.
Impact
The CVSS 3.1 metrics reflect catastrophic potential:
- Attack Vector (AV:N): Exploitable over the network.
- Attack Complexity (AC:L): Low complexity — no special conditions required.
- Privileges Required (PR:N): No authentication needed.
- User Interaction (UI:N): None required.
- Scope (S:C): Changed — the vulnerable component can impact resources outside its own security scope.
- Confidentiality, Integrity, Availability (C:H/I:H/A:H): Complete compromise is possible.
Successful exploitation can lead to unauthorized access to confidential information, system takeover, lateral movement, and deployment of ransomware or remote-access tools across the managed fleet.
Exploitation Walkthrough
Ethics caveat: This section describes the vulnerability mechanism at a defensive level. No weaponized exploit code is provided. Security practitioners should use this understanding to prioritize patching and detection, not to attack systems without authorization.
The flaw stems from an unauthenticated endpoint or code path that permits administrative actions — such as creating a new administrator account — without presenting valid credentials. Attackers can send crafted HTTP requests to the affected ScreenConnect instance to register a privileged user directly. Once an attacker-controlled account exists, they can log in through the normal UI and obtain full remote-control access to all connected endpoints.
Because the attack is HTTP-based and requires no pre-existing access, mass internet scanning and automated exploitation began rapidly after public disclosure.
Affected and Patched Versions
- Affected: ConnectWise ScreenConnect 23.9.7 and prior
- Patched: According to the vendor security bulletin, upgrade to version 23.9.8 or later
Remediation
- Upgrade immediately to ConnectWise ScreenConnect 23.9.8 or later. Given active exploitation (KEV-listed since 2024-02-22), patching should be treated as an emergency-change priority.
- Compensating controls: If immediate patching is not possible, restrict network access to ScreenConnect to trusted IP ranges via VPN or firewall rules; disable internet-facing exposure until the patch is applied.
- Credential review: After patching, rotate all local ScreenConnect admin credentials and review connected endpoints for unauthorized persistence.
- Review logs: Inspect access logs for anomalous account-creation events and unexpected authentication successes.
Detection
- Monitor ScreenConnect application logs for unauthorized account-creation events and authentication anomalies.
- Network detection: look for unexpected POST requests to authentication or user-management endpoints from external IPs.
- Endpoint detection: hunt for new local administrator accounts or remote-session activity that does not correlate with known IT procedures.
- Reference the detection guidance published by Huntress for IOCs and log-analysis queries.
Assessment
This CVE carries an EPSS score of 0.99959, placing it in the top tier of observed exploitation probability. Its inclusion in the CISA KEV catalog and EU exploited-vulnerability database confirms that threat actors have weaponized it in the wild. The combination of a perfect CVSS 3.1 score, trivial exploitability, and a high-value target platform (remote-administration software) makes this one of the highest-priority patches for any organization running ScreenConnect.
Key lessons:
- Remote-access and RMM tools are high-value targets; any authentication flaw in them should be treated as a critical incident.
- Low-complexity, unauthenticated bypasses in internet-facing applications are almost guaranteed to be mass-exploited within hours of disclosure.
References
- https://github.com/rapid7/metasploit-framework/pull/18870
- https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
- https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/
- https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
- https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8
- https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709
Frequently asked questions
- What is CVE-2024-1709?
- ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
- How severe is CVE-2024-1709?
- CVE-2024-1709 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-1709 being actively exploited?
- Yes. CVE-2024-1709 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-02-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-1709?
- CVE-2024-1709 affects Connectwise Screenconnect. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-1709?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-1709 have an EU (EUVD) identifier?
- Yes. CVE-2024-1709 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-17443. It is also flagged as exploited in the EUVD (since 2024-02-22).
- When was CVE-2024-1709 published?
- CVE-2024-1709 was published on 2024-02-21 and last updated on 2026-06-17.
References
- https://github.com/rapid7/metasploit-framework/pull/18870
- https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
- https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/
- https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
- https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8
- https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709
Affected products (1)
- cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*
More vulnerabilities in Connectwise Screenconnect
- CVE-2025-14265 — Critical (CVSS 9.1): In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension…
- CVE-2024-1708 — High (CVSS 8.4): ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker…
- CVE-2025-3935 — High (CVSS 8.1): ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web…
- CVE-2023-47257 — High (CVSS 8.1): ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via…
- CVE-2023-47256 — Medium (CVSS 5.5): ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of…
- CVE-2025-14823 — Medium (CVSS 5.3): In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an…
All CVEs affecting Connectwise Screenconnect →
Other CWE-288 vulnerabilities
- CVE-2026-53622 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's…
- CVE-2026-48491 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in…
- CVE-2026-48020 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity…
- CVE-2026-20079 — Critical (CVSS 10.0): A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an…
- CVE-2024-10081 — Critical (CVSS 10.0): CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.…
- CVE-2024-2973 — Critical (CVSS 10.0): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or…