NVD - CVE-2024-1709

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST CVSS score matches with CNA score

CNA: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

URL | Source(s) | Tag(s)
https://github.com/rapid7/metasploit-framework/pull/18870 | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Issue Tracking, Patch, Third Party Advisory
https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Exploit, Third Party Advisory
https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/ | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Press/Media Coverage, Third Party Advisory
https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/ | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Press/Media Coverage, Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709 | CISA-ADP | US Government Resource
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Vendor Advisory
https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/ | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Third Party Advisory
https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Exploit, Third Party Advisory
https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Exploit, Third Party Advisory
https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8 | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Third Party Advisory
https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/ | CVE, Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government | Press/Media Coverage, Third Party Advisory

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name | Date Added | Due Date | Required Action
ConnectWise ScreenConnect Authentication Bypass Vulnerability | 02/22/2024 | 02/29/2024 | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weakness Enumeration

CWE-ID | CWE Name | Source
NVD-CWE-Other | Other | NIST
CWE-288 | Authentication Bypass Using an Alternate Path or Channel | Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Known Affected Software Configurations

Change History

14 change records found

Modified Analysis by NIST 2/26/2026 10:04:18 AM

Action Type Old Value New Value

CVE Modified by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/25/2026 2:30:28 PM

Action Type Old Value New Value
Changed Description ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Modified Analysis by NIST 10/24/2025 9:45:49 AM

Action Type Old Value New Value
Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709 Types: US Government Resource

CVE Modified by CISA-ADP 10/21/2025 7:16:19 PM

Action Type Old Value New Value
Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709

CVE Modified by CISA-ADP 10/21/2025 4:19:52 PM

Action Type Old Value New Value
Removed Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709

CVE Modified by CISA-ADP 10/21/2025 3:20:34 PM

Action Type Old Value New Value
Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709

Modified Analysis by NIST 1/27/2025 4:48:25 PM

Action Type Old Value New Value
Changed Reference Type https://github.com/rapid7/metasploit-framework/pull/18870 Issue Tracking, Third Party Advisory https://github.com/rapid7/metasploit-framework/pull/18870 Issue Tracking, Patch, Third Party Advisory
Changed Reference Type https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 Third Party Advisory https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 Exploit, Third Party Advisory

CVE Modified by CVE 11/21/2024 3:51:08 AM

Action Type Old Value New Value
Added Reference https://github.com/rapid7/metasploit-framework/pull/18870
Added Reference https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
Added Reference https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/
Added Reference https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
Added Reference https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Added Reference https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/
Added Reference https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
Added Reference https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
Added Reference https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8
Added Reference https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/

CVE Modified by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 5/14/2024 10:48:40 AM

Action Type Old Value New Value

CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/22/2024 9:00:01 PM

Action Type Old Value New Value
Added Date Added 2024-02-22
Added Due Date 2024-02-29
Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Added Vulnerability Name ConnectWise ScreenConnect Authentication Bypass Vulnerability

Initial Analysis by NIST 2/22/2024 10:18:37 AM

Action Type Old Value New Value
Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Added CWE NIST NVD-CWE-Other
Added CPE Configuration OR *cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:* versions up to (excluding) 23.9.8
Changed Reference Type https://github.com/rapid7/metasploit-framework/pull/18870 No Types Assigned https://github.com/rapid7/metasploit-framework/pull/18870 Issue Tracking, Third Party Advisory
Changed Reference Type https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc No Types Assigned https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc Exploit, Third Party Advisory
Changed Reference Type https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/ No Types Assigned https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/ Press/Media Coverage, Third Party Advisory
Changed Reference Type https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/ No Types Assigned https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/ Press/Media Coverage, Third Party Advisory
Changed Reference Type https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 No Types Assigned https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 Vendor Advisory
Changed Reference Type https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/ No Types Assigned https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/ Third Party Advisory
Changed Reference Type https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass No Types Assigned https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass Exploit, Third Party Advisory
Changed Reference Type https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 No Types Assigned https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 Third Party Advisory
Changed Reference Type https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8 No Types Assigned https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8 Third Party Advisory
Changed Reference Type https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/ No Types Assigned https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/ Press/Media Coverage, Third Party Advisory

CVE Modified by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/21/2024 2:15:08 PM

Action Type Old Value New Value
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass [No types assigned]

CVE Modified by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/21/2024 1:15:51 PM

Action Type Old Value New Value
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://github.com/rapid7/metasploit-framework/pull/18870 [No types assigned]
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc [No types assigned]
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/ [No types assigned]
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/ [No types assigned]
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/ [No types assigned]
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2 [No types assigned]
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8 [No types assigned]
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/ [No types assigned]

New CVE Received from Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/21/2024 11:15:50 AM

Action Type Old Value New Value
Added Description ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Added CVSS V3.1 Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Added CWE Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government CWE-288
Added Reference Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 [No types assigned]