ConnectWise ScreenConnect exploitation wave

Summary

In February 2024, attackers began exploiting two critical vulnerabilities in self-hosted ConnectWise ScreenConnect servers, CVE-2024-1709 (an authentication bypass rated CVSS 10.0) and CVE-2024-1708 (a path traversal flaw), turning a widely deployed remote-support product into an initial-access path for multiple actor sets. ConnectWise's February 19, 2024 security bulletin, CISA's February 22 KEV alert, and CISA's May 2024 Black Basta advisory show why this belongs under Ops: it was a broad exploitation wave against Internet-exposed on-premises ScreenConnect instances, not a single named campaign with one stable actor identity.

This page uses the descriptive title ConnectWise ScreenConnect exploitation wave because the durable value is the exposure path and the downstream abuse pattern, not any one operator. The sources cited here tie the same vulnerability set to multiple actors, including Black Basta affiliates by May 2024, so no companion Groups or People page is published in this pass.

Naming and companion-page assessment

  • ConnectWise's bulletin frames the incident as a security fix release (23.9.8) for two vulnerabilities disclosed on February 19, 2024: CVE-2024-1709, the authentication bypass that drove the exploitation, and CVE-2024-1708, a path traversal flaw fixed in the same release.
  • CISA tracks the exploited flaw in its Known Exploited Vulnerabilities catalog under CVE-2024-1709.
  • CISA's May 2024 joint advisory on Black Basta states that affiliates exploited CVE-2024-1709 for initial access, which reinforces that the wave spans multiple actors rather than one public operator name.
  • No companion Groups or People page is published in this pass.

Timeline

  • 2024-02-13: The vulnerabilities are reported to ConnectWise through its vulnerability disclosure channel (per ConnectWise's bulletin).
  • 2024-02-14: ConnectWise validates the reports.
  • 2024-02-19: ConnectWise publishes ScreenConnect 23.9.8 with the security fix and states that cloud-hosted instances were remediated within 48 hours of validation.
  • 2024-02-21 to 2024-02-29: ConnectWise's advisory updates tell on-prem partners to upgrade immediately, provide patched interim builds for users off maintenance, and document compromise indicators, notably a User.xml that has been replaced by a file containing a single newly created user.
  • 2024-02-22: CISA adds CVE-2024-1709 to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation, three days after the fix was published.
  • 2024-05-10: CISA's #StopRansomware joint advisory on Black Basta (AA24-131A) states that Black Basta affiliates exploited CVE-2024-1709 for initial access.

Org context

Because there is no standalone Orgs section in the current taxonomy, the key organizations are summarized here.

ConnectWise

  • ConnectWise's security bulletin says cloud partners were remediated against both February 19 vulnerabilities and required no further action.
  • The same bulletin says on-prem partners had to immediately upgrade to 23.9.8 or later, or use patched interim versions such as 22.4.20001 if off maintenance.
  • ConnectWise's advisory page documented a practical post-compromise indicator: on a compromised server, the User.xml file in the installation's App_Data directory may be replaced with a file containing information about one newly created user. Because the file is replaced rather than appended to, the pre-existing accounts disappear from it, which is what makes the indicator easy to spot against a known-good copy.

CISA and downstream defenders

  • CISA's February 22 KEV alert confirms that active exploitation was under way within three days of public disclosure.
  • CISA's May 2024 joint advisory shows how exploitation of ScreenConnect moved from vulnerability response into ransomware-affiliate initial access and post-exploitation tradecraft.

Operational chain

  1. Attackers exploited the February 2024 ScreenConnect vulnerabilities, especially CVE-2024-1709, against exposed on-premises ScreenConnect servers, according to ConnectWise and CISA.
  2. Successful exploitation gave the attacker control over a remote-support platform already trusted to reach downstream endpoints, which is why the exposure mattered disproportionately for MSPs and IT operators.
  3. ConnectWise's advisory page indicates that compromise could leave User.xml replaced by a file holding a single newly created user, reflecting the attacker's attempt to establish persistent administrative control through the product's own account store rather than through malware.
  4. CISA's May 2024 advisory shows that at least some actors then used this initial access for wider intrusion activity associated with Black Basta operations.

Evidence and impact

  • ConnectWise says immediate remediation was required for on-prem deployments, which underscores how exposed self-managed instances carried the main risk.
  • CISA formally classified CVE-2024-1709 as known exploited within three days of the public fix.
  • CISA's Black Basta advisory demonstrates the operational consequence: an RMM/support platform flaw became a real-world initial-access path into later ransomware activity.

Defender takeaways

  • Remote-support and RMM infrastructure should be treated as tier-one perimeter risk. If an exposed ScreenConnect server falls, the attacker inherits a trusted administrative foothold with a legitimate channel to every managed endpoint.
  • Patch on-prem ScreenConnect quickly and verify the product state afterward. ConnectWise's guidance emphasizes both upgrading to 23.9.8 or later (or an interim patched build) and checking compromise indicators such as unexpected User.xml changes. Upgrading closes the hole but does not remove an account an attacker already created, so the account review has to happen regardless of how fast the patch landed.
  • Cloud-hosted remediation does not protect self-hosted deployments. This wave primarily punished organizations still responsible for their own on-prem ScreenConnect patching.
  • Keep the incident name descriptive. Multiple actors reused the same vulnerability path, so the durable lesson is the ScreenConnect exploitation wave, not one group label.
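The two verification steps above, version baseline and User.xml account review, are mechanical enough to script. The following is an added triage example written for this page; it is not ConnectWise code and not taken from any of the cited advisories. It assumes a User.xml layout of <Users>/<User> elements carrying <Name>, <Roles>/<string> and <CreationDate> children (an assumed schema for the example; check it against a real file before relying on the parser), and it treats 22.4.20001 as the only interim patched build because that is the one this page names. The sample files are constructed, not captures.

```python
"""Post-patch triage for a self-hosted ScreenConnect server (added example).

Two checks from ConnectWise's February 2024 guidance:
  1. Is the installed build 23.9.8 or later, or one of the interim fixed builds?
  2. Does User.xml look "reset": a single user, created on or after the
     advisory date, holding the Administrator role? Accounts missing from the
     operator's known-good baseline are also reported.
ASSUMPTION: the element names <Users>/<User>, <Name>, <Roles>/<string> and
<CreationDate> are an illustrative layout, not a documented schema.
"""
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

PATCHED_BASELINE = (23, 9, 8)          # "upgrade to 23.9.8 or later"
# Interim fixed builds for off-maintenance partners. 22.4.20001 is the one the
# page names; extend this set from ConnectWise's advisory for other branches.
INTERIM_PATCHED = {(22, 4, 20001)}
ADVISORY_DATE = datetime(2024, 2, 19, tzinfo=timezone.utc)


def parse_version(version: str) -> tuple:
    """'23.9.7.1234' -> (23, 9, 7, 1234); tuple comparison then orders builds."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the build meets the 23.9.8 baseline or matches an interim fix."""
    parts = parse_version(version)
    if parts >= PATCHED_BASELINE:
        return True
    # An interim build may carry a trailing build number, so match by prefix.
    return any(parts[: len(fix)] == fix for fix in INTERIM_PATCHED)


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    """Parse ISO-8601; accept a trailing 'Z' and treat naive stamps as UTC."""
    if not value:
        return None
    stamp = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def inspect_user_xml(xml_text: str, expected_accounts: set) -> dict:
    """Flag the 'reset User.xml' indicator and any account outside the baseline."""
    root = ET.fromstring(xml_text)
    accounts = []
    for user in root.findall("User"):           # assumed element name
        accounts.append({
            "name": user.findtext("Name", default=""),
            "roles": [r.text or "" for r in user.findall("Roles/string")],
            "created": _parse_time(user.findtext("CreationDate")),
        })
    unexpected = sorted(a["name"] for a in accounts
                        if a["name"] not in expected_accounts)
    reset_suspected = (
        len(accounts) == 1
        and accounts[0]["created"] is not None
        and accounts[0]["created"] >= ADVISORY_DATE
        and "Administrator" in accounts[0]["roles"]
    )
    return {"accounts": [a["name"] for a in accounts],
            "unexpected_accounts": unexpected,
            "reset_suspected": reset_suspected}


def triage(version: str, user_xml: str, expected_accounts: set) -> dict:
    """Combine both checks into a single verdict a responder can act on."""
    report = inspect_user_xml(user_xml, expected_accounts)
    report["patched"] = is_patched(version)
    suspicious = report["reset_suspected"] or bool(report["unexpected_accounts"])
    if suspicious:
        report["verdict"] = "investigate" if report["patched"] else "patch_and_investigate"
    else:
        report["verdict"] = "ok" if report["patched"] else "patch_now"
    return report


# Constructed sample files, not real captures. The first is a healthy
# two-account file; the second shows the single-user "reset" pattern.
HEALTHY_USER_XML = """<Users>
  <User><Name>helpdesk</Name><Roles><string>Host</string></Roles>
        <CreationDate>2022-06-01T09:00:00Z</CreationDate></User>
  <User><Name>sc-admin</Name><Roles><string>Administrator</string></Roles>
        <CreationDate>2022-06-01T09:05:00Z</CreationDate></User>
</Users>"""

RESET_USER_XML = """<Users>
  <User><Name>newuser</Name><Roles><string>Administrator</string></Roles>
        <CreationDate>2024-02-21T03:14:00Z</CreationDate></User>
</Users>"""

if __name__ == "__main__":
    baseline = {"helpdesk", "sc-admin"}
    print(triage("23.9.8", HEALTHY_USER_XML, baseline)["verdict"])          # ok
    print(triage("23.9.7.1234", RESET_USER_XML, baseline)["verdict"])       # patch_and_investigate
```

The verdict deliberately separates "patch_now" from "patch_and_investigate": a server that is unpatched but still shows its full, pre-incident account list needs an upgrade, while one whose User.xml has collapsed to a single post-advisory administrator needs an incident response regardless of whether the upgrade has since been applied.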

Sources