The threat landscape has shifted.
See what MSPs need to know in 2026. Download Now
Back to blog

Cyber Threat Alert: Severe Vulnerability in ConnectWise ScreenConnect Exploited

A person in a hooded sweatshirt types on a laptop at a desk. The scene is surrounded by digital icons such as skulls, insects, and binary code, suggesting cyber threats and vulnerabilities. The color scheme is predominantly pink and black, reminiscent of ConnectWise ScreenConnects interface.
In This Article

What happened?

Two critical vulnerabilities in ConnectWise ScreenConnect servers, version 23.9.7 and earlier, have been disclosed by the vendor last week. Yesterday, 02/21/2024, the technical details and proof-of-concept exploitation of those vulnerabilities were published, too. ConnectWise confirmed earlier that the vulnerabilities are already exploited “in the wild” by malicious hackers.

The first flaw, CVE-2024-1708, is an authentication bypass in ScreenConnect’s setup wizard, possibly allowing users to access the setup wizard even when ScreenConnect had already been set up and set up an (additional) admin account. The second vulnerability, CVE-2024-1709, is a path traversal flaw through which an attacker can manipulate sensitive .xml files through crafted requests. When those requests contain directory traversal sequences, the attacker can navigate into the file system and eventually upload a malicious script or executable file outside the intended subdirectory used by ScreenConnect.

What is the risk?

Unpatched versions of ScreenConnect are now highly vulnerable to targeted attacks, as an exploit POC for those vulnerabilities is available publicly. Such attacks might result in a wide range of impact, from data theft to system compromise or installation of highly persistent tools.

What should MSPs do now?

As per ConnectWise’s official bulletin, users of on-premise ScreenConnect must update their version to 23.9.8.

Cloud users who access ScreenConnect servers hosted in “screenconnect.com” or “hostedrmm.com” should not take any action as the version has been automatically updated.

As the vulnerability occurs in the “SetupWizard.aspx” file (located in ScreenConnect’s program files), which is unnecessary after any setup or update, users should consider deleting the file.

All ScreenConnect server users who have been using the vulnerable versions are advised to investigate possible connections to IP addresses that were used by attackers to exploit the vulnerabilities and keep an eye out for additional intelligence and indicators (see below).

Indicators of Compromise (IOCs)

IOCTypeDescriptionSource
155.133.5.15IPUsed by unspecified attackers to exploit the ScreenConnect critical vulnerabilitiesConnectWise official security bulletin 2024-02-20
155.133.5.14IP
118.69.65.60IP

 If you have any questions or concerns, please feel free to reach out to [email protected].

Categories:
Guardz News
Dark Web
  • Share On:

Subscribe to
Our Newsletter.

Continue Reading

A digital dashboard shows a list of users, with one dormant hybrid account highlighted in red and marked with an error icon. A callout reads “MFA not registered.” The background is dark with geometric patterns.

Uncovering a Dormant Hybrid

Beyond News
A digital diagram showing a central IP address connecting to various icons labeled Key Vault, Storage Account, Graph, and API—demonstrating Azure Managed Identity usage—with warning symbols near the API. Research Insights is highlighted at the top left.

Exploiting Azure Managed Identity Tokens from IMDS

Cyber Security
MSP
Logos of Guardz and C-Data are shown side by side with a plus sign between them, on a dark background with green circuit-like lines, highlighting a partnership in cybersecurity solutions for MSPs.

Guardz and C-Data Partner to Bring Scalable Cybersecurity to MSPs Serving the SMB Market

Cyber Security
MSP
A person in a futuristic chair sits at a high-tech control panel, looking out at a starry space scene with planets and mountains. The dashboard glows with colorful buttons and screens, like the perfect single post template for exploring new worlds.

Guardz, Your Cybersecurity
Co-Pilot for MSPs

Demonstrate the value you bring to the table as an MSP and gain visibility into your clients’ external postures.

Get Started
Holistic Protection.
Hassle-Free.
Cost-Effective.
Get Started
Book a Demo
Slack
Slack
Chat with us No Slack account needed.