🚨 CRITICAL ALERT: Active Zero-Day Exploits

URGENT: ConnectWise ScreenConnect versions 23.9.7 and prior are under active exploitation via two critical vulnerabilities, CVE-2024-1708 (CVSS 8.4) and CVE-2024-1709 (CVSS 10.0), both added to CISA KEV. Attackers are achieving remote code execution, ransomware deployment, and full system compromise on exposed on-premise instances. Patch immediately to prevent catastrophic breaches.

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2024-1708 (CVSS: 8.4): Path traversal vulnerability in ConnectWise ScreenConnect 23.9.7 and prior allows attackers to manipulate file paths, enabling remote code execution, unauthorized file access, and compromise of confidential data or critical systems via malicious ZIP extensions or HTTP requests. Requires network access; often chained with the authentication bypass below for devastating impact.
  • CVE-2024-1709 (CVSS: 10.0): Critical authentication bypass in ConnectWise ScreenConnect 23.9.7 and prior via the "/SetupWizard.aspx/" endpoint, allowing trivial unauthenticated access to overwrite users, create plugins, and execute code remotely. Actively exploited for ransomware and persistence; listed in CISA KEV until 2026-04-28.

⚡ Immediate Actions Required

  • Patch NOW: Upgrade all on-premise ScreenConnect to 23.9.8 or later. Cloud instances are auto-patched.
  • Scan & Isolate: Inventory internet-exposed instances; tools such as Censys or Shodan can help locate your own vulnerable servers. Disconnect unpatched instances from the network.
  • Monitor & Hunt: Check logs for SetupWizard access, anomalous ZIP extractions, or new extensions. Look for ransomware IOCs (e.g., Cobalt Strike beacons).
  • Restrict Access: Block public exposure of the ScreenConnect ports (default 8040, 8041) at the firewall. Enforce least privilege.
  • Report Incidents: If compromised, preserve evidence and contact CISA or incident response (e.g., Huntress, Unit 42).
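As an added example, not part of this advisory: a small Python hunt helper that (a) checks an installed on-premise version against the 23.9.8 fix threshold named above and (b) flags SetupWizard.aspx requests in an access log, as the "Monitor & Hunt" step suggests. The W3C-style log layout and the sample lines are constructed assumptions; adapt the parser to your server's actual log format.

```python
import re

# Fix threshold stated in the advisory: 23.9.8 or later is patched.
FIXED_VERSION = (23, 9, 8)

def parse_version(version: str) -> tuple:
    """'23.9.7' -> (23, 9, 7); tuple comparison gives correct ordering."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(version: str) -> bool:
    """True for 23.9.7 and prior (on-premise builds that still need the upgrade)."""
    return parse_version(version) < FIXED_VERSION

# Any request touching SetupWizard.aspx on a server that finished setup is
# worth a look; the bypass described above uses a trailing "/" plus extra
# path, which is captured separately so those hits can be prioritised.
SETUP_WIZARD_RE = re.compile(r"/SetupWizard\.aspx(/[^\s?]*)?", re.IGNORECASE)

# Assumed log layout (constructed for this example, W3C-style):
# date time client-ip method uri-stem status
LOG_LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

def hunt_setup_wizard(log_lines):
    """Return one dict per SetupWizard.aspx request found in the log."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip "#Fields:" headers, blank or malformed lines
        when, client, method, uri, status = m.groups()
        sw = SETUP_WIZARD_RE.search(uri)
        if sw:
            hits.append({
                "time": when, "client": client, "method": method,
                "uri": uri, "status": status,
                "trailing_path": sw.group(1) is not None,  # "/SetupWizard.aspx/..." form
            })
    return hits

# Constructed sample log: two SetupWizard hits from one client, two benign lines.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-02-20 10:01:02 203.0.113.5 GET /Login 200
2024-02-20 10:01:09 203.0.113.5 GET /SetupWizard.aspx/ 200
2024-02-20 10:01:15 203.0.113.5 POST /SetupWizard.aspx/x 200
2024-02-20 10:02:00 198.51.100.7 GET /Host 200
""".splitlines()

if __name__ == "__main__":
    for hit in hunt_setup_wizard(SAMPLE_LOG):
        print(hit)
    print("23.9.7 vulnerable:", is_vulnerable("23.9.7"))
```

A hit on a server that completed setup long ago is a strong signal; correlate the client IP with subsequent user creation or extension installs before declaring a false positive.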

These flaws are weaponized; delay risks total network takeover. Act within 24 hours.