CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation

 1title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
 2id: d27eabad-9068-401a-b0d6-9eac744d6e67
 3status: test
 4description: |
 5        Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
 6references:
 7    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
 8    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
 9    - https://www.cve.org/CVERecord?id=CVE-2024-1709
10author: Matt Anderson, Huntress
11date: 2024-02-20
12tags:
13    - attack.initial-access
14    - attack.persistence
15    - cve.2024-1709
16    - detection.emerging-threats
17logsource:
18    category: webserver
19detection:
20    selection:
21        cs-uri-stem|contains: '/SetupWizard.aspx/'
22    condition: selection
23falsepositives:
24    - Unknown
25level: critical

References

• ConnectWise ScreenConnect 23.9.8 security fix | ConnectWise

  ConnectWise ScreenConnect™ versions 23.9.7 and earlier are impacted.

  
  Read More

• Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress

  

  This blog discusses the Huntress Team's analysis efforts of the two vulnerabilities and software weaknesses in ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709) and the technical details behind this attack.

  
  Read More

• Common vulnerabilities and Exposures (CVE)

  
  Read More

Related rules

• CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
• ScreenConnect User Database Modification
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
• Oracle WebLogic Exploit
• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)