10

CVE-2024-1709

Warning
Media report
Exploit
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Data provided by the National Vulnerability Database (NVD)
Connectwise Screenconnect Version < 23.9.8

22.02.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: ConnectWise ScreenConnect Authentication Bypass Vulnerability

Description: ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.

Required actions: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 94.32% | 0.999

CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9119a7d8-5eab-497f-8521-727c672e3725 | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

https://github.com/rapid7/metasploit-framework/pull/18870
Patch
Third Party Advisory
Issue Tracking