Unauthenticated Remote Code Execution in ConnectWise's ScreenConnect

12:30pm, 21 February 2024

TLP Rating: Clear

ConnectWise ScreenConnect software for remote desktop and access has a critical vulnerability (CVE-2024-1709). This vulnerability could allow an unauthenticated attacker to remotely run arbitrary code without user interaction. This vulnerability is trivial to exploit and ConnectWise has confirmed active exploitation. CERT NZ recommends immediate patching.

Self-hosted and on-premises ScreenConnect servers require patching. ConnectWise has already patched Cloud ScreenConnect servers, which are no longer vulnerable.

What to look for

How to tell if you're at risk

You are vulnerable if you are running ScreenConnect version 23.9.7 or an earlier version. 
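
The following added example (not part of the CERT NZ advisory or ConnectWise's tooling) triages an inventory of ScreenConnect servers against the 23.9.8 fix, comparing versions numerically so that releases such as 23.10.1 or 9.12 are not misclassified by a string comparison. The CSV layout, hostnames, status labels and sample version strings are assumptions constructed for illustration.

```python
import csv
import io

FIXED = (23, 9, 8)  # first fixed release named in the advisory

# Constructed inventory for illustration (hypothetical hosts and layout).
SAMPLE_INVENTORY = """host,hosting,version
sc-akl-01,self-hosted,23.9.7.8804
sc-wlg-02,self-hosted,23.9.8.8811
sc-chc-03,self-hosted,23.10.1
sc-legacy,self-hosted,9.12
sc-cloud,cloud,23.9.8
sc-unknown,self-hosted,unknown
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(hosting, version_text):
    """Classify one server using the advisory's criteria."""
    # The advisory states cloud instances were already patched by ConnectWise.
    if hosting.strip().lower() == "cloud":
        return "patched-by-vendor"
    version = parse_version(version_text)
    if version is None:
        return "check-manually"  # unreadable version: do not assume it is safe
    # Compare major.minor.patch numerically; pad short versions with zeros.
    key = (version + (0, 0, 0))[:3]
    return "vulnerable" if key < FIXED else "patched"

def triage(inventory_csv):
    """Map each host in the CSV text to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["hosting"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```
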

How to tell if you're affected

Detecting exploitation is difficult and requires Windows event logs to have been configured before exploitation. Huntress has published detection guidance with more information on how to do this.

ConnectWise has published indicators of compromise in their security bulletin. 

See More Information, below, for links to Huntress and the ConnectWise bulletin.

What to do

Prevention

Patch your ScreenConnect to version 23.9.8 or later.

More information

ConnectWise advisory and security bulletins
ConnectWise ScreenConnect 23.9.8 security fix
ConnectWise | Security Bulletins

Huntress.com Detection Guidance for ConnectWise CWE-288
Detection Guidance for ConnectWise CWE-288 (huntress.com)

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident for IT specialists | CERT NZ