CVE-2024-1709

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel

vulnerability, which may allow an attacker direct access to confidential information or

critical systems.

Add Assessment

sfewer-r7 (129)

February 22, 2024 4:54pm UTC (9 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

Based on writing the Metasploit exploit module for this vulnerability, I have rated the exploitability as very high, as leveraging CVE-2203-1709 to create a new administrator account is trivial. To leverage the vulnerability to get RCE requires more steps, but it is not that complex and exploitation appears reliable. The attacker value for this vulnerability is also very high given the nature of the target software.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

10.0 Critical

Impact Score:

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

connectwise

Products

screenconnect

Metasploit Modules

exploit/multi/http/connectwise_screenconnect_rce_cve_2024_1709 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb)

Exploited in the Wild

Reported by:

cbeek-r7 indicated sources as

Vendor Advisory (https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8)
News Article or Blog
Personally observed in an environment (https://www.rapid7.com/blog/post/2024/02/20/etr-high-risk-vulnerabilities-in-connectwise-screenconnect/)

Reported: February 22, 2024 11:19am UTC (9 months ago)

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/02/22/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: February 22, 2024 10:26pm UTC (9 months ago)

ccondon-r7 indicated source as Other: Rapid7 MDR has observed successful exploitation of this vulnerability in customer environments

Reported: September 26, 2024 1:58pm UTC (2 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/02/22/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: November 08, 2024 8:28am UTC (1 month ago)

References

Canonical

CVE-2024-1709 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1709)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

ScreenConnect-AuthBypass-RCE (https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE) (Added by AKB Worker)

CVE-2024-1709 (https://github.com/HussainFathy/CVE-2024-1709) (Added by AKB Worker)

Mass-CVE-2024-1709 (https://github.com/AMRICHASFUCK/Mass-CVE-2024-1709) (Added by AKB Worker)