===================================================================== 

CERT-Renater 

Information Note No. 2024/VULN088
_____________________________________________________________________ 

DATE : 23/02/2024 

HARDWARE PLATFORM(S): / 

OPERATING SYSTEM(S): Systems running ScreenConnect 23.9.7 and prior 

===================================================================== 
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 
_____________________________________________________________________ 

ConnectWise ScreenConnect Authentication Bypass and Remote Code Execution

Severity :
Critical: vulnerabilities (CVE-2024-1708 and CVE-2024-1709) that could
allow remote code execution or directly impact confidential data or
critical systems.

Priority : 1
High: vulnerabilities that are either being targeted or have a higher
risk of being targeted by exploits in the wild. Recommendation: install
updates as emergency changes or as soon as possible (e.g., within days).

Affected versions : ScreenConnect 23.9.7 and prior 

Remediation : 

- Cloud : No action is needed by the partner. ScreenConnect servers
hosted in the “screenconnect.com” cloud or on “hostedrmm.com” have
been updated to remediate the issue.

- On-premise : Partners that are self-hosted or on-premise need to 
update their servers to version 23.9.8 immediately to apply a patch. 
To upgrade your version to our latest 23.9 release, please follow 
this upgrade path: 
2.1 → 2.5 → 3.1 → 4.4 → 5.4 → 19.2 → 22.8 → 23.3 → 23.9 

ConnectWise will also provide updated versions of releases 22.4
through 23.9.7 for the critical issue, but strongly recommends that
partners update to ScreenConnect version 23.9.8.

For instructions on updating to the newest release, please reference 
this doc: https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/On-premises/Get_started_with_ConnectWise_ScreenConnect_On-Premise/Upgrade_an_on-premises_installation 

Link to patch: https://screenconnect.connectwise.com/download 
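
Added example (not part of the vendor bulletin or of CERT-Renater's note): a small inventory triage that flags installations at 23.9.7 and prior and lists the remaining hops of the upgrade path quoted above. The rule "take every milestone above the installed release" is an assumption about how the path is read, and the hostnames and versions in SAMPLE are constructed.

```python
# Added example: triage ScreenConnect versions against this advisory.
FIXED = (23, 9, 8)  # first fixed release named in the advisory
# Upgrade path quoted in the advisory, as (major, minor) milestones.
MILESTONES = [(2, 1), (2, 5), (3, 1), (4, 4), (5, 4),
              (19, 2), (22, 8), (23, 3), (23, 9)]


def parse_version(text):
    """Turn '23.9.7' or '23.9.7.1234' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """Affected means 23.9.7 and prior, i.e. anything below 23.9.8."""
    return parse_version(text) < FIXED


def upgrade_hops(text):
    """Remaining hops, ending at 23.9.8; empty list if already fixed."""
    version = parse_version(text)
    if version >= FIXED:
        return []
    # Assumption: every milestone above the installed major.minor is a hop.
    labels = [f"{a}.{b}" for a, b in MILESTONES if (a, b) > version[:2]]
    if labels and labels[-1] == "23.9":
        labels[-1] = "23.9.8"   # pin the last hop to the fixed build
    else:
        labels.append("23.9.8")  # already on the 23.9 line, unpatched
    return labels


def triage(inventory):
    """Map host -> list of hops, or None when the version needs review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = upgrade_hops(version)
        except ValueError:
            report[host] = None
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"sc-old": "19.2.0", "sc-mid": "22.4.1",
          "sc-cur": "23.9.7", "sc-ok": "23.9.8", "sc-odd": "unknown"}
if __name__ == "__main__":
    for host, hops in triage(SAMPLE).items():
        print(host, "REVIEW" if hops is None else " -> ".join(hops) or "patched")
```

The check compares against 23.9.8 only, so a patched build of an older release (22.4 through 23.9.7) would still be flagged; the bulletin as quoted here gives no build numbers for those.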

+-------------------------------------------------------------------- 

02/19/2024 
Products: ScreenConnect 
Severity: Critical 
Priority: 1 - High 

CWE ID : CWE-288 
CVE ID : CVE-2024-1709 
Description : Authentication bypass using an alternate path or channel 
Base score : 10 
Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 

CWE ID : CWE-22 
CVE ID : CVE-2024-1708 
Description : Improper limitation of a pathname to a restricted directory 
(“path traversal”) 
Base score : 8.4 
Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

URL: 
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 
https://www.cve.org/CVERecord?id=CVE-2024-1709 
https://www.cve.org/CVERecord?id=CVE-2024-1708 

========================================================= 
+ CERT-RENATER | tel : 01-53-94-20-44 + 
+ 23/25 Rue Daviel | fax : 01-53-94-20-41 + 
+ 75013 Paris | email:cert@support.renater.fr + 
========================================================= 
