CVE-2024-1709

CVE Database · CVE-2024-1709

CVE-2024-1709

· CRITICALAnalyzed

CVSS v3.1

10.0

EPSS

99.96%

Published

Feb 21, 2024

Modified

Feb 26, 2026

CISA Known Exploited Vulnerability

Added: 2024-02-22 · Due: 2024-02-29

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (7)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCW01fh4cker/ScreenConnect-AuthBypass-RCE★109 GitHub PoCHussainFathy/CVE-2024-1709★3 GitHub PoCsxyrxyy/CVE-2024-1709-ConnectWise-ScreenConnect-Authentication-Bypass★1 GitHub PoCcjybao/CVE-2024-1709-and-CVE-2024-1708★1 GitHub PoCAhmedMansour93/Event-ID-229-Rule-Name-SOC262-CVE-2024-1709-★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

CWE-288

Affected Products (1)

connectwise · screenconnect (up to 23.9.8)vulnerable

References (20)

https://github.com/rapid7/metasploit-framework/pull/18870

Issue TrackingPatchThird Party Advisory

https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc

ExploitThird Party Advisory

https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/

Press/Media CoverageThird Party Advisory

https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/

Press/Media CoverageThird Party Advisory

https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

KEV Catalog EPSS Scores Vendors All CVEs