WARNING: URGENT: ACTIVELY EXPLOITED CONNECTWISE SCREENCONNECT CVE-2024-1708 AND CVE-2024-1709 VULNERABILITIES - APPLY PATCH IMMEDIATELY!
CVE-2024-1708 :CVSS 8.4(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
CVE-2024-1709 :CVSS 10.0(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
Sources
https://www.connectwise.com/company/trust/security-bulletins/connectwise- ScreenConnect-23.9.8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-1709
Risks
Vulnerabilities in ConnectWise ScreenConnect prior to version v23.9.8 allow a malicious attacker to gain administrator access on a ScreenConnect server. From here malicious attackers can use the ScreenConnect functionality to execute malicious code on all the connected systems. These vulnerabilities could lead to a complete compromise of your business.
The vulnerabilities CVE-2024-1708 and CVE-2024-1709 are currently being actively exploited, with multiple groups of ransomware actors attempting to take advantage of these weaknesses.
Both vulnerabilities are trivial to exploit, which makes them an appealing target for cybercriminals.
Description
CVE-2024-1709 - Authentication Bypass
Attackers can bypass authentication granting them administrator access to the server. This enables attackers to effortlessly take control of the ScreenConnect server.
CVE-2024-1708 - Path Traversal
Attackers can abuse a path traversal vulnerability to write files to the ScreenConnect server. This vulnerability could be used to upload malicious code to a vulnerable server.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. Update Self-
hosted instances of ScreenConnect serve tor version 23.9.8 or later immediately!
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. Indicators and hunting rules can be found in the references below.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the- ScreenConnect-authentication-bypass
https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe- 288-2
https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708- cve-2024-1709/
https://www.bleepingcomputer.com/news/security/ScreenConnect-critical- bug-now-under-attack-as-exploit-code-emerges