Keypoints
- Two critical vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708) can be chained to obtain admin access and RCE.
- CVE-2024-1709 is exploited by sending a malformed HTTP request (e.g., appending characters to /SetupWizard.aspx) to gain unauthenticated access.
- The unauthenticated access allows attackers to create a new administrator account on vulnerable instances.
- Attackers upload a ZIP containing a malicious ASHX extension that exploits CVE-2024-1708 (path traversal/file upload) to execute code on the server.
- Successful exploitation can yield a remote web shell and further post-exploitation activity, including deployment of ToddlerShark malware using legitimate binaries and alternate data streams.
- On-premises ScreenConnect versions 23.9.7 and prior are affected; ConnectWise released fixes and cloud instances were patched by the vendor.
- Observed IOCs include specific attacker IP addresses reported by ConnectWise; defenders should apply patches and monitor for the listed indicators.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploited by sending a malformed HTTP request to the ScreenConnect instance to gain access: ‘The attack sequence begins by sending a malformed HTTP request to the vulnerable ScreenConnect instance.’
- [T1136] Create Account – Used to create an administrative user without authentication via the setup wizard: ‘The /SetupWizard.aspx page allows the attacker to create a new user account with administrator privileges… without requiring any authentication.’
- [T1203] Exploitation for Client Execution – A malicious ASHX extension inside a ZIP archive is uploaded to trigger remote code execution: ‘the attacker uploads a malicious ASHX ScreenConnect extension, packaged in a ZIP archive, to achieve RCE and later obtain a remote web shell.’
- [T1505.003] Web Shell – Post-exploitation includes obtaining a remote web shell after executing the uploaded payload: ‘to achieve RCE and later obtain a remote web shell.’
Indicators of Compromise
- [IP Address] ConnectWise-reported malicious infrastructure – 155.133.5.15, 155.133.5.14, 118.69.65.60
- [File names / extensions] Malicious upload artifacts observed – .ashx (malicious ScreenConnect extension), ZIP archive containing the ASHX payload
- [Configuration / files] Evidence of created accounts and config changes – ScreenConnect\App_Data\User.xml (attacker-created admin account)
- [Affected versions] Vulnerable software versions – ScreenConnect 23.9.7 and prior
To exploit ScreenConnect, attackers send a malformed HTTP request to the public-facing instance (for example by appending characters to /SetupWizard.aspx), which causes the application to redirect and expose the SetupWizard page. This unauthenticated access lets the attacker invoke the setup workflow and create a new administrator account on pre-configured or existing instances by posting crafted data to the setup endpoints.
With administrative access, the attacker uploads a malicious ScreenConnect extension packaged as a ZIP file containing an ASHX handler. The ASHX file leverages a path traversal/file-upload weakness (CVE-2024-1708) to place and execute server-side code, resulting in remote code execution. Execution of the payload can spawn a remote web shell, allowing persistent remote access and further lateral movement.
Post-exploitation activity observed included deployment of ToddlerShark, a polymorphic payload that abuses legitimate Microsoft binaries and alternate data streams to evade detection. Defenders should monitor for the listed IPs and artifact names, inspect ScreenConnect config/user files for unauthorized admin accounts, and upgrade on-prem deployments to the patched release to block the exploit chain.
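As an added detection example (not code from the original report or from ConnectWise), the following script scans web-server access log lines for the two signals described above: requests whose path is /SetupWizard.aspx with characters appended, and requests originating from the ConnectWise-reported IP addresses. The log format and the sample lines are constructed for the example; adapt the regex to the real IIS log layout in use.

```python
import re

# IP addresses reported by ConnectWise as attacker infrastructure (taken from the IOC list above).
IOC_IPS = {"155.133.5.15", "155.133.5.14", "118.69.65.60"}

# Assumed Common Log Format-style layout: client ip, method, path, status (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

# A legitimate setup request names the page exactly; the bypass described above appends
# characters after it, so any path that continues past "/SetupWizard.aspx" is suspect.
SETUP_PATH = "/setupwizard.aspx"


def classify(line):
    """Return the reasons a single log line is suspicious (empty list when clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    ip, path = m.group("ip"), m.group("path")
    path_no_query = path.split("?", 1)[0].lower()
    if ip in IOC_IPS:
        reasons.append(f"source {ip} is a ConnectWise-reported IOC")
    if path_no_query.startswith(SETUP_PATH) and path_no_query != SETUP_PATH:
        reasons.append(f"setup wizard path with appended characters: {path}")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every suspicious line in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log lines (not real traffic): one benign request, two suspicious ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2024:10:00:00 +0000] "GET /Login HTTP/1.1" 200',
    '155.133.5.15 - - [20/Feb/2024:10:01:12 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200',
    '203.0.113.9 - - [20/Feb/2024:10:02:30 +0000] "POST /SetupWizard.aspx/abc HTTP/1.1" 302',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

A hit on the setup path from a non-IOC address is still worth triage, since the IP list only covers infrastructure ConnectWise had observed at publication time.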