Critical | CVE Analysis | CVE-2024-1709

ConnectWise ScreenConnect: Auth Bypass at Scale

Akhil Reni · Feb 22, 2024 · 9 min read

ConnectWise ScreenConnect, a widely used remote access tool, suffered a critical authentication bypass vulnerability (CVE-2024-1709, CVSS 10.0) that was rapidly weaponized by ransomware operators and initial access brokers. The simplicity of exploitation, combined with ScreenConnect's massive deployment footprint, made this one of the most impactful vulnerabilities of early 2024.

Vulnerability Mechanics

The flaw exists in ScreenConnect's setup wizard endpoint. Even on fully configured instances, an attacker can access the /SetupWizard.aspx endpoint to create a new administrator account, effectively bypassing all existing authentication. This is a path traversal variant that exploits inconsistent URL normalization between the web server and the application layer.

The vulnerability is trivially exploitable: a single HTTP request is sufficient to gain full administrative access. No special tools, no complex payloads, no prior authentication required.

Mass Exploitation Timeline

Within 24 hours of public PoC availability, our sensors detected mass scanning across the entire IPv4 space targeting ScreenConnect instances. Multiple ransomware groups, including LockBit affiliates and Black Basta operators, integrated the exploit into their attack chains. We observed compromised ScreenConnect instances being used as initial access vectors to deploy ransomware across managed environments, which is particularly devastating for MSPs whose ScreenConnect servers provided access to hundreds of client networks.

Detection and Response

SOC teams should monitor for new user creation events in ScreenConnect logs, unexpected /SetupWizard.aspx access, and new ScreenConnect extensions being installed. We have published Sigma rules and Suricata signatures for detecting exploitation attempts. Organizations using ScreenConnect must update immediately, as there is no viable workaround for this vulnerability.
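The following is an added detection example, not code from the original post or from ConnectWise. It implements the "unexpected /SetupWizard.aspx access" check from a defender's side: because the bug stems from inconsistent URL normalization between the web server and the application, the script canonicalizes each request path (percent-decoding, lower-casing, collapsing duplicate slashes and dot segments) before matching, so spelling and encoding variants of the path are still caught. The six-field W3C-style access-log layout and the sample lines are constructed for this example; adapt `parse_line` to your web server's actual log format, and set `setup_complete=False` only while a legitimate first-time setup is in progress.

```python
"""Flag requests that reach ScreenConnect's SetupWizard.aspx on an instance
whose initial setup is already complete (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote
import posixpath

SETUP_WIZARD = "setupwizard.aspx"

# Constructed W3C-style access-log lines, abbreviated to six fields:
# date time c-ip cs-method cs-uri-stem sc-status. Not real traffic.
SAMPLE_LOG = """\
2024-02-21 10:01:02 203.0.113.5 GET /Login 200
2024-02-21 10:01:10 203.0.113.5 POST /SetupWizard.aspx 200
2024-02-21 10:02:33 198.51.100.7 GET /App_Extensions/foo.js 200
2024-02-21 10:03:05 203.0.113.5 GET //Setup%57izard.aspx 200
2024-02-21 10:04:00 192.0.2.9 GET /SETUPWIZARD.ASPX?x=1 404
2024-02-21 10:05:00 198.51.100.7 GET /Script.ashx 200
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client_ip: str
    method: str
    raw_uri: str
    status: int


def normalize_path(raw_uri: str) -> str:
    """Canonicalize a request path the way a strict router would.

    Strips the query string, percent-decodes twice (to defeat double
    encoding), lower-cases (ASP.NET routing is case-insensitive), and
    collapses duplicate slashes and dot segments.
    """
    path = raw_uri.split("?", 1)[0]
    decoded = unquote(unquote(path)).lower()
    # posixpath.normpath keeps exactly two leading slashes, so re-anchor to one.
    collapsed = posixpath.normpath("/" + decoded).lstrip("/")
    return "/" + collapsed


def touches_setup_wizard(raw_uri: str) -> bool:
    """True if any segment of the normalized path is SetupWizard.aspx."""
    return SETUP_WIZARD in normalize_path(raw_uri).split("/")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Parse one constructed log line; return None for comments/malformed lines."""
    fields = line.split()
    if len(fields) != 6 or fields[0].startswith("#"):
        return None
    date, time, ip, method, uri, status = fields
    return f"{date} {time}", ip, method, uri, int(status)


def find_setup_wizard_hits(log_text: str, setup_complete: bool = True) -> List[Alert]:
    """Return an Alert for every request that reaches SetupWizard.aspx.

    On a configured instance every hit is reported regardless of HTTP status,
    since probes and failed attempts both matter for triage. During a
    legitimate first-time setup (setup_complete=False) the endpoint is
    expected and nothing is reported.
    """
    if not setup_complete:
        return []
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, method, uri, status = parsed
        if touches_setup_wizard(uri):
            alerts.append(Alert(ts, ip, method, uri, status))
    return alerts


def sources_by_hits(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per source IP to prioritize which clients to investigate."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert.client_ip] = counts.get(alert.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_setup_wizard_hits(SAMPLE_LOG)
    for a in hits:
        print(f"{a.timestamp} {a.client_ip} {a.method} {a.raw_uri} -> {a.status}")
    print("per-source:", sources_by_hits(hits))
```

Pair this with the user-creation and extension-install checks the post recommends: a SetupWizard.aspx hit on a configured server followed by a new administrator account is the sequence to treat as confirmed compromise rather than a probe.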