CVE-2024-1709: 
ScreenConnect Server vulnerability analysis and mitigation

CVE-2024-1709 is a critical authentication bypass vulnerability affecting ConnectWise ScreenConnect versions 23.9.7 and prior. The vulnerability was discovered on February 13, 2024, and publicly disclosed on February 19, 2024. This flaw allows attackers to bypass authentication using an alternate path or channel, potentially gaining direct access to confidential information or critical systems. The vulnerability has received the highest possible CVSS score of 10.0 (ConnectWise Advisory, Huntress Analysis).

The vulnerability stems from a flaw in how the SetupWizard.aspx authentication mechanism handles URL paths. By adding a trailing slash to the SetupWizard.aspx URL path, attackers can bypass the security check that prevents access to the setup wizard after initial configuration. This allows unauthorized access to create new administrative accounts and potentially achieve remote code execution through the platform's extension functionality. The vulnerability is described as 'trivial and embarrassingly easy' to exploit, requiring minimal technical knowledge (Horizon3 Analysis, TechCrunch Report).

The vulnerability enables attackers to gain unauthorized administrative access to ScreenConnect servers, potentially affecting over 8,800 exposed servers. Once compromised, attackers can access confidential data, execute arbitrary code with SYSTEM privileges, and maintain persistent access to affected systems. The impact is particularly severe as ScreenConnect is widely used by managed service providers to support numerous downstream customers (Huntress Report).

ConnectWise has released version 23.9.8 to patch the vulnerability. Cloud-hosted instances on screenconnect.com and hostedrmm.com have been automatically updated. On-premise users must immediately update to version 23.9.8 or later. For users without active maintenance, ConnectWise has provided version 22.4.20001 as a minimum patched version. The company has also implemented additional mitigation steps, including suspending instances running vulnerable versions (ConnectWise Advisory).

The cybersecurity community has responded with urgency to this vulnerability. CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities (KEV) catalog on February 22, 2024, with a remediation deadline of February 29, 2024. Security researchers and industry experts have emphasized the critical nature of the vulnerability, with Huntress CEO describing it as 'bad' and warning of a potential 'ransomware free-for-all' (TechCrunch Report).