Fortra is investigating two vulnerabilities in ConnectWise ScreenConnect, CVE-2024-1708 and CVE-2024-1709, which are being actively exploited in the wild. These vulnerabilities can allow an attacker to execute remote code or directly impact confidential data or critical systems. Customers running any on-premise version of ScreenConnect below 23.9.8 should update immediately.
Who is affected?
All versions of ScreenConnect below 23.9.8 are vulnerable to CVE-2024-1708 and CVE-2024-1709.
What can I do?
For on-premise instances of ScreenConnect, customers should immediately update to version 23.9.8 or higher. Cloud instances of ScreenConnect have been automatically updated, and no additional action is required.
For more information about the fix released in version 23.9.8, refer to the ConnectWise security bulletin.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Alert Logic Network IDS: Alert Logic has released IDS telemetry signatures to aid in detection research.
Alert Logic Vulnerability Scanning: Alert Logic has released unauthenticated scan coverage to detect vulnerable instances. If these vulnerabilities are found, exposures (EID: 254892 and 254938) will be raised for CVE-2024-1708 and CVE-2024-1709.
Core Impact: On March 13, 2024, "ConnectWise ScreenConnect Authentication Bypass RCE Exploit" was delivered to Core Impact customers (CVE-2024-1709, CVSS 10.0 Critical). An identified vulnerability in ScreenConnect allows attackers to bypass string comparison in the request path and access the setup wizard ("/SetupWizard.aspx") on configured instances. Exploiting this vulnerability enables an attacker to create an administrative user and upload a malicious ScreenConnect extension, leading to remote code execution (RCE) on the server. This release was tested against ScreenConnect_23.8.6.8735.
Fortra VM: Fortra VM released a new unauthenticated check on March 8, 2024, for CVE-2024-1709 and CVE-2024-1708: ConnectWise ScreenConnect Setup Wizard Authentication Bypass (158777) via Network Scanner 4.37.0.
Tripwire: Tripwire released unauthenticated scan coverage on February 28, 2024, to identify vulnerable instances. If the vulnerabilities are found, vulnerability 608020 will match for CVE-2024-1709 and vulnerability 608021 will match for CVE-2024-1708.
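For teams triaging their own on-premise instances, the following is an added example (not Fortra or ConnectWise code) that checks a version string against the 23.9.8 fix and flags web requests that reached the setup wizard page on an already configured server. The log layout, sample lines, and function names are assumptions constructed for illustration; adapt the parser to the format your server or reverse proxy actually writes.

```python
import re
from urllib.parse import unquote

FIXED_VERSION = (23, 9, 8)          # first fixed release named in the advisory
WIZARD_PATH = "/setupwizard.aspx"   # page named in the advisory, lower-cased

def is_vulnerable(version: str) -> bool:
    """True if a ScreenConnect version string is below 23.9.8."""
    parts = tuple(int(p) for p in version.strip().split("."))
    # Compare major.minor.patch numerically; pad short strings with zeros.
    return (parts + (0, 0, 0))[:3] < FIXED_VERSION

# Assumed (constructed) layout: "<timestamp> <client-ip> <method> <path> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def wizard_requests(lines):
    """Return parsed entries for requests whose path names the setup wizard."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, ip, method, raw_path, status = m.groups()
        # Drop the query string, then normalise percent-encoding and case
        # so differently written forms of the same path still match.
        path = unquote(raw_path.split("?", 1)[0]).lower()
        if WIZARD_PATH in path:
            hits.append({"time": ts, "client": ip, "method": method,
                         "path": raw_path, "status": int(status)})
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2024-02-21T10:01:02Z 198.51.100.7 GET /Login 200",
    "2024-02-21T10:03:10Z 203.0.113.5 GET /SetupWizard.aspx 200",
    "2024-02-21T10:03:15Z 203.0.113.5 POST /setupwizard.ASPX 200",
    "2024-02-21T10:04:00Z 198.51.100.7 GET /Host 302",
    "2024-02-21T10:05:00Z 203.0.113.9 GET /%53etupWizard.aspx 404",
]

if __name__ == "__main__":
    print("23.8.6.8735 vulnerable:", is_vulnerable("23.8.6.8735"))
    for hit in wizard_requests(SAMPLE_LOG):
        print(hit)
```

On an instance that finished setup long ago, any hit deserves review, and a successful response should be followed by an audit of administrative users and installed extensions.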
Updates
Fortra has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Fortra coverage as it becomes available.