May 7, 2024 | By Douglas Bonderud

On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product: CVE-2024-1708, a path traversal vulnerability, and CVE-2024-1709, an authentication bypass vulnerability. Together, they made it possible for attackers to bypass authentication and execute code remotely.

While ConnectWise initially reported that proof-of-concept exploits existed but that the vulnerabilities hadn’t been spotted in the wild, reports from customers quickly made it clear that attackers were actively exploiting both flaws. As a result, the company released patches for both CVEs.

Despite these updates, however, malicious actors aren’t giving up just yet, with reports of new attack vectors still coming in more than a month after the initial issue was detected. Here’s what enterprises need to know about these remote access risks.

Opportunity knocks: Attackers go all-in on ScreenConnect

The first round of attacks reported for ScreenConnect was tied to malware delivery. One week after the vulnerability was reported, however, persistent phishing campaigns were discovered that targeted both the healthcare industry and cryptocurrency users.

By February 27, ransomware groups such as Black Basta and Bl00dy began exploiting these vulnerabilities. The following week saw patches from ScreenConnect to address these evolving issues, and for several weeks the volume of attacks declined.

On March 27, however, new ScreenConnect threats emerged. Both Chinese threat group UNC5274 and Initial Access Brokers began using F5 BIG-IP (CVE-2023-46747) and the ScreenConnect vulnerabilities to actively exploit organizations.

Put simply, the ubiquity and usability of ScreenConnect made it an ideal compromise point for both money-driven and nation-state threat actors. Even with patches in place, the number of insecure systems remains high enough that attack vectors continue to evolve.

Understanding the ScreenConnect compromises

So, what exactly are the ScreenConnect vulnerabilities? Let’s take a look at each.

CVE-2024-1708

This vulnerability was assigned a CVSS 3.1 score of 8.4 out of 10. It affects ScreenConnect version 23.9.7 and all prior versions. It is a path traversal vulnerability that allows attackers to remotely execute code.

Specifically, it allows attackers to write files anywhere under the App_Extensions root directory rather than confining them to the correct extension subdirectory. While this flaw was problematic, its impact was limited because exploiting it required administrative credentials. In combination with CVE-2024-1709, however, it became much more worrisome.
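The defensive property CVE-2024-1708 is described as breaking is simple to state: a file written on behalf of an extension must land inside that extension's own subdirectory under the App_Extensions root, never elsewhere under the root. The following is an added example of a containment check written for this article, not ConnectWise's code; the directory layout, the root path and the function names are assumptions for illustration.

```python
from pathlib import Path

# Added example, not ConnectWise code: enforce that a file written on behalf of an
# extension stays inside that extension's own subdirectory under the App_Extensions
# root. The directory layout and function names are assumptions for illustration.


def resolve_extension_path(root: str, extension_id: str, relative_name: str) -> str:
    """Return the absolute path for `relative_name` inside `root/<extension_id>/`,
    or raise ValueError if the request would escape that subdirectory."""
    # The extension id must be a single path component: no separators, no '.'/'..'.
    if not extension_id or extension_id in (".", "..") or any(c in extension_id for c in "/\\"):
        raise ValueError(f"invalid extension id: {extension_id!r}")
    root_dir = Path(root).resolve()
    ext_dir = (root_dir / extension_id).resolve()
    if ext_dir.parent != root_dir:
        raise ValueError("extension directory is not directly under the root")
    # Resolve the candidate *after* joining, so '..' segments and absolute
    # paths (Path discards the left side when the right side is absolute)
    # are normalised before the containment check.
    candidate = (ext_dir / relative_name).resolve()
    if candidate != ext_dir and ext_dir not in candidate.parents:
        raise ValueError(f"refusing write outside extension directory: {relative_name!r}")
    return str(candidate)


def is_contained(root: str, extension_id: str, relative_name: str) -> bool:
    """Convenience wrapper: True if the write would be confined, False otherwise."""
    try:
        resolve_extension_path(root, extension_id, relative_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/opt/screenconnect/App_Extensions"  # constructed path for the demo
    for name in ("Service.ashx", "sub/file.txt", "../other.ashx", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} contained={is_contained(root, 'MyExt', name)}")
```

The check is done on the resolved path rather than on the raw string, so `..` segments, absolute paths and symlinks are all normalised before the comparison; a string prefix test on the unresolved name is the classic mistake that lets a traversal through.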

CVE-2024-1709

This vulnerability was assigned a CVSS 3.1 score of 10 out of 10, marking it “critical.” It is an authentication bypass exploit that relies on the text-based nature of the SetupWizard.aspx file.

Due to a quirk in how .NET handles request paths, it is possible to append invalid URL components after a legitimate URL path and still have the request routed to the application. In practice, this means that attackers can request /SetupWizard.aspx/anything and gain access to the ScreenConnect setup wizard on any ScreenConnect instance, even those that are already configured.

Once attackers access the Setup Wizard welcome screen, all they need to do is click “Next.” Even if they do not complete the setup process, clicking Next will create a new user and delete all other local users. With full admin access, attackers can easily create and upload malicious extensions to gain Remote Code Execution (RCE) access.
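Because the bypass hinges on a request to SetupWizard.aspx carrying extra path components, the request path is the natural thing to hunt for in web or proxy access logs on an already-configured instance. The following detection logic is an added example written for this article, not part of the original post and not a ConnectWise tool; the log lines are constructed in Common Log Format, and a real deployment's log format would need the parsing regex adapted.

```python
import re
from urllib.parse import unquote

# Added example, not ConnectWise code: flag access-log requests that reach
# SetupWizard.aspx with extra path segments, the pattern described above.
# The log lines below are constructed in Common Log Format for the demo; real
# deployments have their own log format and the regex would need adapting.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [21/Feb/2024:10:01:02 +0000] "GET /Host HTTP/1.1" 200 1200',
    '203.0.113.9 - - [21/Feb/2024:10:02:14 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 5400',
    '203.0.113.9 - - [21/Feb/2024:10:02:20 +0000] "POST /SetupWizard.aspx/x HTTP/1.1" 302 0',
    '198.51.100.7 - - [21/Feb/2024:10:03:00 +0000] "GET /setupwizard.aspx/anything?foo=1 HTTP/1.1" 200 5400',
    '10.0.0.4 - - [21/Feb/2024:10:04:00 +0000] "GET /App_Extensions/abc/Service.ashx HTTP/1.1" 200 10',
    '10.0.0.4 - - [21/Feb/2024:10:05:00 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 5400',
    '198.51.100.7 - - [21/Feb/2024:10:06:00 +0000] "GET /SetupWizard.aspx%2Fx HTTP/1.1" 200 5400',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# SetupWizard.aspx followed by a slash and anything at all (including nothing).
TRAILING_RE = re.compile(r"/setupwizard\.aspx/", re.IGNORECASE)
# A bare hit on the wizard: expected during initial install only.
PLAIN_RE = re.compile(r"/setupwizard\.aspx$", re.IGNORECASE)


def normalise_path(target: str) -> str:
    """Strip the query string and percent-decode (twice, to catch double
    encoding) so an encoded '/' cannot hide the extra segment."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def classify_request(target: str):
    """'high' for SetupWizard.aspx/<anything>, 'review' for a bare
    SetupWizard.aspx request, None for everything else."""
    path = normalise_path(target)
    if TRAILING_RE.search(path):
        return "high"
    if PLAIN_RE.search(path):
        return "review"
    return None


def detect_setup_wizard_abuse(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        severity = classify_request(m["target"])
        if severity:
            findings.append({
                "severity": severity,
                "client": m["client"],
                "time": m["time"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_setup_wizard_abuse(SAMPLE_LOG_LINES):
        print(f"[{f['severity']:6}] {f['time']} {f['client']} {f['method']} {f['target']} -> {f['status']}")
```

The match is case-insensitive and runs after percent-decoding, because neither casing nor an encoded slash changes how the server routes the request. On a configured instance a bare SetupWizard.aspx hit is also worth a look, which is why it is reported at a lower severity rather than dropped.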

Problems, patches and persistence

ScreenConnect helps companies manage, monitor and troubleshoot remote devices. For example, if an employee working from home experiences issues with their company-issued smartphone, ScreenConnect lets IT staff log in remotely to diagnose and fix the issue.

Used maliciously, however, this same process can provide attackers with access to virtually all connected devices on a corporate network, both local and remote. As noted above, while CVE-2024-1708 was problematic because it let attackers remotely execute malicious code, the vulnerabilities really gained traction when attackers realized they could combine CVE-2024-1709 with CVE-2024-1708 to wipe user databases, create their own accounts and take full administrative access.

As a result, both vulnerabilities quickly became popular paths for attackers to gain remote access. Given the massive number of devices that now make up connected corporate networks, full access combined with the ability to overwrite existing user databases made exploiting these vulnerabilities a worthwhile endeavor for attackers.

Once both vulnerabilities were patched, attack volumes dropped, as evidenced by the lack of new threat vectors reported between the end of February and the end of March. Now, attacks are on the rise again as malicious actors target companies that haven’t applied the ScreenConnect patches. In addition, attackers are leveraging new CVEs to compromise remote connections and gain network access.

For example, Chinese groups UNC5714 and UNC5724 have been spotted using a combination of CVEs, including CVE-2023-46747, which targets the F5 BIG-IP service, and CVE-2024-1709 to attack both government and defense agencies. In other words, while the initial threat of ScreenConnect attacks has largely passed, the long-term impact remains a concern as new vulnerabilities are combined with existing exploits to create more sophisticated attacks.

Staying safe from remote access risks

For customers using the cloud-based version of ScreenConnect, patches were automatically applied. For enterprises using on-prem deployments, however, patching must be handled manually. This is critical because CVE-2024-1709 is easy to exploit, allowing attackers access before companies have time to react.
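For on-prem deployments the first practical step is to find every instance still inside the affected range the article gives (23.9.7 and all prior versions). The following inventory check is an added example written for this article, not ConnectWise's code; the host names and version strings are constructed, and it assumes versions are reported as dotted numeric strings.

```python
import re

# Added example, not ConnectWise code: check an inventory of on-prem ScreenConnect
# hosts against the affected range the article gives (23.9.7 and all prior
# versions). Host names and version strings below are constructed for the demo.
LAST_AFFECTED = (23, 9, 7)

# Constructed inventory: (hostname, reported version string)
SAMPLE_INVENTORY = [
    ("sc-hq-01", "23.9.8.8811"),
    ("sc-branch-02", "23.9.7.8804"),
    ("sc-legacy", "22.8.3"),
    ("sc-new", "23.9.10"),
    ("sc-odd", "unknown"),
]


def parse_version(version: str) -> tuple:
    """Turn '23.9.7' or '23.9.8.8811' into a tuple of ints. Numeric tuples
    compare correctly where strings do not ('23.9.10' < '23.9.7' as text)."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if the version falls at or below 23.9.7 (first three components)."""
    parts = parse_version(version)
    head = (parts + (0, 0, 0))[:3]  # pad short strings so '23.9' == 23.9.0
    return head <= LAST_AFFECTED


def triage_inventory(inventory):
    """Split hosts into those needing the patch and those whose version
    could not be parsed and need manual review."""
    affected, unknown = [], []
    for host, version in inventory:
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            unknown.append(host)
    return {"affected": affected, "unknown": unknown}


if __name__ == "__main__":
    result = triage_inventory(SAMPLE_INVENTORY)
    print("needs patch:", ", ".join(result["affected"]) or "none")
    print("needs review:", ", ".join(result["unknown"]) or "none")
```

Versions are compared as integer tuples on purpose: a plain string comparison ranks 23.9.10 below 23.9.7 and would mark a patched host as vulnerable (or, in the other direction, miss one). Hosts whose version cannot be parsed are surfaced for review rather than silently treated as safe.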

It’s also worth noting that while these vulnerabilities represent one type of significant security risk, they’re not the only emerging issue. Consider the rise of dual-track exploits, which use multiple attack vectors simultaneously to overwhelm network defenses, such as the combination of F5 BIG-IP and ScreenConnect CVEs. Keystroke logging tools like BunnyLoader, meanwhile, are seeing improvements that boost performance by 90%, making it easier for attackers to find what they’re looking for once they compromise defenses. As a result, companies can benefit from patch management solutions that automatically identify and apply new patches to existing tools.

Given the changeable nature of security threats, however, post-problem patching isn’t enough in isolation. Instead, companies must deploy tools capable of identifying vulnerabilities before attackers can exploit them. It’s also worth pairing detection tools with vulnerability management solutions that continually discover, analyze and remediate potential vulnerabilities.

This triple-layer approach offers the best chance against remote access risks. Scanning tools identify risks, vulnerability management tools close the gaps and patch management processes ensure that defenses are automatically kept up-to-date.
