Exploitation for Priv-Esc × ConnectWise ScreenConnect

A publicly-reported instance of Exploitation for Priv-Esc bypassing ConnectWise ScreenConnect, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

ConnectWise ScreenConnect

Technique

Exploitation for Priv-Esc

MITRE ATT&CK

T1068

Confidence

High

Severity

Critical

Status

in the wild

Disclosed

2024-03-01

Config / version noted

Not stated

Provenance

www.scworld.com
disclosed 2024-03-01 · original source · via raw

Reported as

CVE-2024-1709 is an authentication bypass that lets attackers create an admin account on ScreenConnect without credentials

Mechanism

CVE-2024-1709 is an authentication bypass that lets attackers create an admin account on ScreenConnect without credentials, effectively giving them a 'master key' to the system. This admin access enables remote code execution, deployment of ransomware payloads, and lateral movement. It defeats the authentication mechanism of the remote management tool.

Detection & mitigation

Monitor ScreenConnect logs for unexpected admin user creation or authentication from unknown IPs. Deploy EDR to detect and block ransomware execution; apply the vendor patch immediately.

Exploitation for Priv-Esc has also been recorded against

Apple Atlassian Bitdefender Broadcom (Symantec)Comodo Security CrowdStrike Elastic ESET F5 Fortinet Google HitmanPro

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.