ConnectWise ScreenConnect Bug Added to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2024-1709, is an authentication bypass affecting ConnectWise ScreenConnect versions 23.9.7 and earlier; it allows an unauthenticated attacker to create new administrator-level accounts on an affected server.

Any attacker who can reach the ScreenConnect server's web interface over the network can exploit it; no credentials are needed. That makes it a significant risk for businesses and organizations that run ScreenConnect, particularly where the server is exposed to the internet.

ConnectWise's advisory, which the CISA catalog entry points to for mitigation, gives two remediation paths:

Cloud: No action is required for ScreenConnect servers hosted by ConnectWise on "screenconnect.com" or "hostedrmm.com". Those servers have already been updated to fix the issue.

On-premise: Self-hosted or on-premise ScreenConnect partners must update their servers to version 23.9.8 immediately to apply the patch, and should confirm the running version afterwards rather than assume the update succeeded.
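As an added example (not code from the article, CISA, Huntress or ConnectWise), the following Python script applies the two remediation rules above to an asset inventory. It assumes each entry is a (hostname, reported version) pair gathered by other means, for example from an asset database; every hostname and version in it is constructed, and the 23.9.10 build mentioned in a comment is hypothetical. Two details matter in practice: versions must be compared numerically rather than as strings, and the hosted-zone check must respect domain boundaries so a look-alike hostname is not waved through.

```python
"""Triage a ScreenConnect inventory against the CVE-2024-1709 fix level.

Added example for this article; not ConnectWise, CISA or Huntress code.
Assumes the inventory (hostname, reported version) was collected by other
means, e.g. from an asset database. All hosts and versions below are constructed.
"""
from __future__ import annotations

import re

# First release carrying the fix, per the vendor advisory. Only the first
# three components matter; the fourth is a build number.
FIXED_VERSION = (23, 9, 8)

# Vendor-hosted zones that ConnectWise has already updated; no action needed.
HOSTED_SUFFIXES = ("screenconnect.com", "hostedrmm.com")

ACTION_HOSTED = "no action: vendor-hosted instance, updated by ConnectWise"
ACTION_UPDATE = "update to 23.9.8 immediately"
ACTION_PATCHED = "patched: 23.9.8 or later"
ACTION_UNKNOWN = "unknown version: verify manually"


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '23.9.7.8804' into the numeric triple (23, 9, 7).

    Missing components are treated as 0, so a bare '23.9' is assessed as
    23.9.0 (conservatively vulnerable). Raises ValueError for anything
    that is not dotted digits.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable ScreenConnect version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the build is 23.9.7 or earlier.

    Compare numerically: a plain string compare would rank a hypothetical
    '23.9.10' below '23.9.8' because '1' < '8'.
    """
    return parse_version(version) < FIXED_VERSION


def is_hosted(hostname: str) -> bool:
    """True only for the vendor zones themselves or subdomains of them.

    Requires a dot boundary so 'notscreenconnect.com' does not match.
    """
    host = hostname.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in HOSTED_SUFFIXES)


def triage(inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map each hostname to the remediation action from the advisory."""
    result: dict[str, str] = {}
    for hostname, version in inventory:
        if is_hosted(hostname):
            result[hostname] = ACTION_HOSTED
            continue
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            result[hostname] = ACTION_UNKNOWN
            continue
        result[hostname] = ACTION_UPDATE if vulnerable else ACTION_PATCHED
    return result


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("acme.screenconnect.com", "23.9.7.8804"),    # vendor-hosted
    ("rmm.hostedrmm.com", "23.9.6.8787"),          # vendor-hosted
    ("support.example.internal", "23.9.7.8804"),  # on-prem, last vulnerable release
    ("helpdesk.example.internal", "23.9.8.8811"), # on-prem, fixed release
    ("legacy.example.internal", "22.11.4.8181"),  # on-prem, older branch
    ("notscreenconnect.com", "23.9.7.8804"),      # looks hosted, is not a vendor zone
    ("broken.example.internal", "n/a"),           # inventory gap
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {action}")
```

Run it against a real export of hostnames and versions; anything marked "update" or "unknown version" is a server that still needs attention, and the unknown bucket is worth chasing because an inventory gap on a remote-access server is itself a finding.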

Huntress, a cybersecurity research firm, has published a technical analysis of the vulnerability. It reports that the flaw is already being exploited in the wild and that its researchers have recreated the exploit and the full attack chain, describing exploitation as "trivial and embarrassingly easy".

Huntress has also released a video proof of concept (PoC) that demonstrates the authentication bypass and shows how it leads to remote code execution. At the same time, Huntress argued that the vulnerability's public details should not have been released before the industry had adequate time to patch, since threat actors could use them against unpatched systems.

That concern is already borne out. CISA notes that the vulnerability is known to be used in ransomware campaigns, and Sophos researchers have confirmed this, reporting several LockBit attacks exploiting the flaw in the preceding 24 hours.

CISA has ordered federal civilian agencies to remediate the vulnerability by February 29, 2024. Private organizations are also urged to review the KEV catalog and address the listed vulnerabilities in their own infrastructure.

Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate catalogued vulnerabilities by their due dates to protect their networks against attacks exploiting them.
