CVE-2024-1708: ConnectWise ScreenConnect Unauthenticated Remote Code Execution

Exploitation Summary

CVE-2024-1708 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 28, 2026, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including tdawg506, Teexo, sfewer-r7, WatchTowr, including a Metasploit module exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2024-1708 (authentication bypass) and CVE-2024-1709 (RCE) in ConnectWise ScreenConnect. The tool checks for vulnerability and provides exploitation guidance, including admin endpoint discovery and setup mode detection.

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

Exploits (4)

github WORKING POC 1 stars

by tdawg506 · pythonpoc

https://github.com/tdawg506/ScreenConnect-CVE-2024-1709-Exploit

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2024-1708 (authentication bypass) and CVE-2024-1709 (RCE) in ConnectWise ScreenConnect. The tool checks for vulnerability and provides exploitation guidance, including admin endpoint discovery and setup mode detection.

Classification

Working Poc 95%

Attack Type

Auth Bypass | Rce

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect (ConnectWise Control)

No auth needed

Prerequisites: Python 3.x · requests library · target URL · listener IP/port for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 15, 2026 Full analysis →

github WORKING POC 1 stars

by Teexo · pythonremote

https://github.com/Teexo/ScreenConnect-CVE-2024-1709-Exploit

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2024-1708 (authentication bypass) and CVE-2024-1709 (RCE) in ConnectWise ScreenConnect. The tool checks for vulnerability and provides exploitation guidance, including admin endpoint discovery and setup mode detection.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect (ConnectWise Control)

No auth needed

Prerequisites: Python 3.x · requests library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/cjybao/CVE-2024-1709-and-CVE-2024-1708

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-1708, which targets a vulnerability in a web application (likely a .NET-based system). The exploit involves uploading a malicious extension (ASHX handler) to achieve remote code execution (RCE) by leveraging an authenticated endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unknown .NET-based web application (likely a CMS or similar)

Auth required

Prerequisites: Valid credentials for authentication · Access to the target web application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by sfewer-r7, WatchTowr · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2024-1709 (auth bypass) and CVE-2024-1708 (path traversal) in ConnectWise ScreenConnect to create an admin account and achieve RCE via malicious extension upload. It supports Windows and Linux targets.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect <= 23.9.7

No auth needed

Prerequisites: Network access to ScreenConnect server (default port 8040) · Vulnerable version of ScreenConnect

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

US Government Resource, Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1708

Technical Description

https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/

Vendor Advisory

https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Exploit, Third Party Advisory

https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

CVE-2024-1708

ConnectWise ScreenConnect Unauthenticated Remote Code Execution

Exploitation Summary

Description

Exploits (4)

References (4)

Scores

CISA SSVC

Details