February 22, 2024 By Sergiu Gatlan
Attackers are exploiting a maximum severity authentication bypass vulnerability to breach unpatched ScreenConnect servers and deploy LockBit ransomware payloads on compromised networks.
The maximum severity CVE-2024-1709 auth bypass flaw has been under active exploitation since Tuesday, one day after ConnectWise released security updates and several cybersecurity companies published proof-of-concept exploits.
ConnectWise also patched the CVE-2024-1708 high-severity path traversal vulnerability, which can only be abused by threat actors with high privileges.
Both security bugs impact all ScreenConnect versions, prompting the company on Wednesday to remove all license restrictions so customers with expired licenses can upgrade to the latest software version and secure their servers from attacks.
CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog today, ordering U.S. federal agencies to secure their servers within one week, by February 29.
CVE-2024-1709 is now widely exploited in the wild, according to security threat monitoring platform Shadowserver, with 643 IPs currently targeting vulnerable servers.
Shodan currently tracks over 8,659 ScreenConnect servers, with only 980 running the patched ScreenConnect 23.9.8 version.