ConnectWise ScreenConnect Path Traversal (CVE-2024-1708), Chained with the Setup Wizard Authentication Bypass (CVE-2024-1709)
Severity Assessment
- Exploitability: 8.5/10 — Network-accessible path traversal; on its own it requires an administrative session, but chained with CVE-2024-1709 (CVSS 10.0) it yields unauthenticated code execution; public PoC code appeared within two days of disclosure
- Impact: 8.5/10 — Full server compromise enabling access to all managed remote endpoints via ScreenConnect’s agent infrastructure
- Weaponization Risk: 9/10 — Immediately weaponized by ransomware operators and nation-state actors; mass exploitation observed within 48 hours of disclosure
- Patch Urgency: 9.5/10 — CISA KEV listed; federal mandatory remediation; MSP-hosted ScreenConnect servers provide broad access to downstream customer networks
- Detection Coverage: 5/10 — Exploitation traffic blends with normal ScreenConnect HTTPS sessions; server-side artifact creation detectable but requires host-based monitoring
Summary
CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect versions prior to 23.9.8 that allows authenticated attackers (or unauthenticated attackers when chained with CVE-2024-1709) to read and write files outside the intended web application directory. The vulnerability stems from insufficient validation of file path inputs in the ScreenConnect web application, permitting ../ sequences to escape the application root.
ConnectWise disclosed both CVE-2024-1708 and the companion authentication bypass CVE-2024-1709 (CVSS 10.0) on February 19, 2024, issuing emergency patches in version 23.9.8. CISA added both CVEs to the KEV catalog on February 22, 2024, mandating federal agency remediation. Within 48 hours of disclosure, ransomware groups, nation-state actors, and commodity threat actors had weaponized the vulnerability chain, targeting managed service providers (MSPs) and enterprises using ScreenConnect as their remote access platform. A compromised ScreenConnect server grants attackers trusted access to all endpoints managed via the platform, making this vulnerability particularly damaging for MSPs with broad customer footprints.
Remediating organizations should immediately upgrade all on-premises ScreenConnect installations to version 23.9.8 or later. No workaround exists; the vulnerability chain must be patched. If patching is not immediately possible, take the ScreenConnect server offline or isolate it from external access. Patching does not evict an attacker who is already in, so treat the upgrade as the start of an investigation rather than the end of one: audit the App_Extensions and App_Web_* directories for unauthorized ASPX, ASHX or DLL files, review the ScreenConnect user list for administrator accounts nobody on your team created (a re-run of the setup wizard creates one), and rotate all administrative credentials.
Exploit Chain
Reconnaissance
Attackers identify internet-facing ConnectWise ScreenConnect instances via Shodan or Censys scanning for ScreenConnect banners on the default web and relay ports (8040/8041).
Authentication Bypass — CVE-2024-1709
In the most dangerous exploit chain, CVE-2024-1709 is triggered first. The setup wizard at /SetupWizard.aspx is meant to be reachable only until initial installation is complete, but the check that enforces this inspects the requested URL and does not recognise variants of it, while ASP.NET still routes those variants to the wizard page. A request for /SetupWizard.aspx/ (a trailing slash, or any trailing path component) therefore reaches the wizard on an already-configured server; the attacker re-runs it and creates a new local administrator, gaining administrative access without valid credentials.
Path Traversal — CVE-2024-1708
With administrative context established, CVE-2024-1708 comes into play. File paths handled by the extension-management functions are not canonicalized before use, so a write that should land inside an extension's own folder under App_Extensions can be redirected with ../ (or encoded forms such as ..%2f) to any location the service account can write, for example a path of the form /transfer/../../App_Extensions/. Note that an administrator can install extensions that run server-side code regardless of this bug, so many in-the-wild intrusions simply installed a malicious extension after the authentication bypass and never needed the traversal at all.
Malicious Extension Deployment
Attackers place a malicious ASPX or ASHX file under App_Extensions, usually inside a folder named like a legitimate extension. ScreenConnect serves extension content from this directory and ASP.NET compiles and executes the page on first request, so the attacker's code runs in the application server context, typically as SYSTEM or NT AUTHORITY\NETWORK SERVICE.
Remote Code Execution and Persistence
The deployed ASPX web shell or malicious extension provides interactive remote code execution. Attackers establish persistence via web shells, scheduled tasks, or new Windows services created under the compromised application identity.
Lateral Movement via Agent Abuse
Attackers leverage ScreenConnect's legitimate remote access agent infrastructure to push payloads, execute commands, and move laterally to all connected client endpoints, bypassing endpoint security tools that treat ScreenConnect traffic as trusted.
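The traversal step above is an instance of a well-known bug class: a file name supplied by the caller is joined to a base directory and the result is trusted. The following is an added illustration of that class and of the check that closes it; it is not ScreenConnect's code, and the install path, extension folder name and entry names are constructed. Paths are handled as POSIX strings so the check is lexical and behaves the same on any platform.

```python
"""Guarding a file write against directory traversal.

Added illustration of the bug class behind CVE-2024-1708; this is not
ScreenConnect's code. The install path, extension folder name and entry
names below are constructed.
"""
import posixpath
from urllib.parse import unquote

# Constructed: the folder an extension is allowed to write into.
EXT_DIR = "/opt/screenconnect/App_Extensions/7f1b2c3d-extension"


def decode_fully(name, rounds=3):
    """Percent-decode until stable so ..%2f and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name


def vulnerable_target(base, entry_name):
    """The vulnerable pattern: join the supplied name and trust the result.

    normpath collapses ../ and walks straight out of base.
    """
    return posixpath.normpath(posixpath.join(base, entry_name))


def safe_target(base, entry_name):
    """Hardened form: decode, normalize, then prove the result is below base."""
    name = decode_fully(entry_name).replace("\\", "/")
    if "\x00" in name or name.startswith("/"):
        raise ValueError("absolute path or NUL byte in entry name: %r" % entry_name)
    target = posixpath.normpath(posixpath.join(base, name))
    # commonpath returns base itself only when target is base or below it;
    # target == base means the name collapsed to the directory, which is no file.
    if target == base or posixpath.commonpath([base, target]) != base:
        raise ValueError("entry escapes %s: %r -> %s" % (base, entry_name, target))
    return target


def classify_entries(base, entry_names):
    """Map each entry name to the path it would be written to, or 'BLOCKED'."""
    result = {}
    for name in entry_names:
        try:
            result[name] = safe_target(base, name)
        except ValueError:
            result[name] = "BLOCKED"
    return result


if __name__ == "__main__":
    # Constructed entry names: two benign, four hostile (plain, encoded,
    # double-encoded, backslash-separated).
    entries = [
        "Manifest.xml",
        "Pages/../Service.ashx",
        "../../App_Extensions/evil.aspx",
        "..%2f..%2fApp_Extensions%2fevil.aspx",
        "%252e%252e%252fevil.aspx",
        "..\\..\\evil.aspx",
    ]
    print("vulnerable join:", vulnerable_target(EXT_DIR, entries[2]))
    for name, outcome in classify_entries(EXT_DIR, entries).items():
        print("%-40s %s" % (name, outcome))
```

The decode loop matters more than it looks: a single `unquote` turns `..%2f` into `../` but leaves `%252e%252e%252f` as `%2e%2e%2f`, which a naive substring check for `../` would pass. Decoding to a fixed point, then normalizing, then comparing against the base is the order that holds up.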
Detection Guidance
| Detection Rule | Behavioral Indicator | Confidence |
|---|---|---|
| IDS/WAF: Path Traversal Patterns | HTTP requests to /transfer/ or /SetupWizard.aspx containing ../, ..%2f, %2e%2e or double-encoded (%252e) sequences; percent-decode before matching | High |
| File Integrity Monitoring | New or modified .aspx, .ashx, or .dll files in App_Extensions or App_Web_* directories | High |
| SIEM: Setup Wizard Access | Any request to /SetupWizard.aspx/ with a trailing slash or extra path component, and any POST to the wizard, on production servers whose setup is already complete | High |
| EDR: Anomalous Child Processes | Unexpected cmd.exe, PowerShell, or wscript.exe spawned from ScreenConnect.Service.exe or IIS worker process | High |
| Network: Outbound Staging | Outbound HTTPS/HTTP from the ScreenConnect server to uncommonly seen external IPs after exploit activity | Medium |
| Log: Extension Load Events | Application logs showing new extension DLL loads following unauthorized file writes | Medium |
Indicators of Compromise
- HTTP request patterns: requests containing /SetupWizard.aspx/ (trailing slash or extra path component) or traversal sequences such as /transfer/../../ in ScreenConnect web server access logs
- Unauthorized files: unexpected .aspx, .ashx or .dll files created in App_Extensions/, App_Web_*/ or wwwroot/ subdirectories of the ScreenConnect installation
- Unauthorized accounts: local ScreenConnect administrator accounts that nobody on your team created, the product of a re-run setup wizard
- Anomalous process trees: cmd.exe, powershell.exe or mshta.exe as child processes of ScreenConnect.Service.exe (the default self-hosted web server) or of w3wp.exe where the server runs under IIS
- Agent session anomalies: legitimate ScreenConnect agent sessions initiated to endpoints at unusual hours, from unexpected geographies, or via unrecognized ScreenConnect server hostnames
- Persistence artifacts: new scheduled tasks, Windows services or registry run keys created under the ScreenConnect service account or IIS application pool identity
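The detection table and the indicator list above describe rules in prose; the script below, an added example that is not ScreenConnect, ConnectWise or vendor code, runs three of them (setup wizard reached with a trailing path component, any traversal sequence once decoded, and a code file requested from an extension folder that is not on an allow-list) over constructed access-log lines. The log format is a generic "date time client method uri status" shape and the extension folder names and allow-list are invented for the demonstration; adapt `LINE_RE` to whatever your ScreenConnect server or reverse proxy actually writes.

```python
"""Triage helpers for the detection rules and indicators listed above.

Added example, not ScreenConnect, ConnectWise or vendor code. The access-log
lines, extension folder names and allow-list are constructed for the
demonstration; the log format is a generic "date time client method uri
status" shape.
"""
import re
from urllib.parse import unquote

# Constructed sample: a re-run of the setup wizard, a traversal write, and a hit
# on an extension folder nobody installed. 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-02-21 03:14:02 203.0.113.7 GET /Login 200
2024-02-21 03:14:05 203.0.113.7 GET /SetupWizard.aspx/ 200
2024-02-21 03:14:09 203.0.113.7 POST /SetupWizard.aspx/ 302
2024-02-21 03:16:12 203.0.113.7 POST /transfer/..%2f..%2fApp_Extensions/ 200
2024-02-21 03:16:20 203.0.113.7 GET /App_Extensions/e4c1a7b2/Service.ashx 200
2024-02-21 08:00:00 198.51.100.4 GET /App_Extensions/0f3b9d11/Host.aspx 200
2024-02-21 08:00:03 198.51.100.4 GET /Host 200
"""

# Constructed allow-list: extension folders your change records say were installed.
KNOWN_EXTENSIONS = {"0f3b9d11"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# A trailing slash (or anything after it) is the CVE-2024-1709 request shape.
SETUP_WIZARD_RE = re.compile(r"^/setupwizard\.aspx/", re.IGNORECASE)
EXT_FILE_RE = re.compile(r"^/App_Extensions/([^/]+)/.+\.(aspx|ashx|dll)$", re.IGNORECASE)


def decode_fully(uri, rounds=3):
    """Percent-decode until stable so ..%2f and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify_request(uri):
    """Return the rule names a single request URI trips (empty list if none)."""
    path = decode_fully(uri.split("?", 1)[0]).replace("\\", "/")
    findings = []
    if SETUP_WIZARD_RE.match(path):
        findings.append("setup-wizard-trailing-path")
    # Any '..' segment once decoded, however it was encoded on the wire.
    if ".." in path.split("/"):
        findings.append("path-traversal")
    m = EXT_FILE_RE.match(path)
    if m and m.group(1) not in KNOWN_EXTENSIONS:
        findings.append("unknown-extension-file")
    return findings


def triage(log_text):
    """Parse the log; return (timestamp, client, method, uri, findings) for flagged lines."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these, a gap is itself a signal
        ts, client, method, uri, _status = m.groups()
        findings = classify_request(uri)
        if findings:
            hits.append((ts, client, method, uri, findings))
    return hits


def clients_to_isolate(hits):
    """Clients that reached the wizard on a configured server; everything they did afterwards is hostile."""
    return {client for _, client, _, _, findings in hits if "setup-wizard-trailing-path" in findings}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for ts, client, method, uri, findings in hits:
        print(ts, client, method, uri, ", ".join(findings))
    print("isolate:", sorted(clients_to_isolate(hits)))
```

Two design points carry over to a real deployment. First, the extension allow-list is what separates this from noise: legitimate extensions also contain .aspx and .ashx files, so the rule fires only on folders you cannot account for. Second, once a client has tripped the setup wizard rule, its later requests (here the traversal write and the web shell hit) should be treated as confirmed attacker activity even where they would otherwise look like ordinary administrative traffic.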
Disclosure Timeline
- 2024-02-19 — ConnectWise publishes security bulletin for CVE-2024-1708 and CVE-2024-1709; emergency patch released in ScreenConnect 23.9.8; cloud-hosted instances begin receiving patches
- 2024-02-20 — Huntress publishes first public technical analysis demonstrating unauthenticated RCE via the chained vulnerability; cloud-hosted ScreenConnect patching completed by ConnectWise
- 2024-02-21 — NVD publishes CVE-2024-1708 and CVE-2024-1709 entries; public PoC exploitation code appears; mass scanning and exploitation activity detected by multiple threat intelligence vendors
- 2024-02-22 — CISA adds CVE-2024-1708 and CVE-2024-1709 to the Known Exploited Vulnerabilities (KEV) catalog; federal agencies receive mandatory remediation deadline of 2024-02-29
- 2024-02-23 — Sophos and eSentire publish incident response reports documenting active exploitation by ransomware affiliates; Black Basta and LockBit 3.0 operators confirmed using ScreenConnect compromise chains for endpoint deployment
- 2024-03-01+ — Ongoing exploitation activity documented; threat intelligence vendors report hundreds of compromised ScreenConnect servers used as initial access footholds across MSP and enterprise environments
Sources & References
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2024-02-22
- National Vulnerability Database: CVE-2024-1708 — National Vulnerability Database, 2024-02-21
- ConnectWise: ScreenConnect 23.9.8 Security Bulletin — ConnectWise, 2024-02-19
- Huntress: A Catastrophe for Control: Understanding the ScreenConnect Authentication Bypass — Huntress, 2024-02-20
- Sophos: ScreenConnect CVE-2024-1708 and CVE-2024-1709 — Sophos, 2024-02-23