CVE-2024-1709

Exploitation Summary

CVE-2024-1709 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 22, 2024, with confirmed use in ransomware campaigns. EIP tracks 11 public exploits from researchers including W01fh4cker, Pr0t0c01, AMRICHASFUCK, including a Metasploit module exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-1709, which leverages an authentication bypass in ConnectWise ScreenConnect to achieve remote code execution (RCE) via a malicious extension upload. The exploit automates the process of creating, uploading, and executing a custom .ashx handler to gain command execution on the target system.

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Exploits (11)

nomisec WORKING POC 105 stars

by W01fh4cker · remote

https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-1709, which leverages an authentication bypass in ConnectWise ScreenConnect to achieve remote code execution (RCE) via a malicious extension upload. The exploit automates the process of creating, uploading, and executing a custom .ashx handler to gain command execution on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect (versions affected by CVE-2024-1709)

No auth needed

Prerequisites: Network access to the ScreenConnect instance · ScreenConnect version vulnerable to CVE-2024-1709

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 2 stars

by Pr0t0c01 · pythonpoc

https://github.com/Pr0t0c01/CVEs/tree/main/ConnectWiseScreenConnect_CVE-2024-1709

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2024-1709, including a Python script and Nuclei templates for detection and exploitation. The exploit demonstrates an information disclosure vulnerability in Citrix Gateway.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Citrix Gateway

No auth needed

Prerequisites: Target IP or domain list

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 2 stars

by AMRICHASFUCK · remote

https://github.com/AMRICHASFUCK/Mass-CVE-2024-1709

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-1709, targeting ScreenConnect's authentication bypass and remote code execution vulnerability. The exploit automates the process of uploading a malicious extension to achieve RCE via a crafted web handler.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ScreenConnect (ConnectWise Control)

No auth needed

Prerequisites: Network access to target on port 8040 · Vulnerable version of ScreenConnect

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec SCANNER 2 stars

by HussainFathy · infoleak

https://github.com/HussainFathy/CVE-2024-1709

View Code ZIP pw:eip

This repository contains a Python script that scans for CVE-2024-1709, an authentication bypass vulnerability in ConnectWise SecureConnect. The script checks for a specific endpoint response pattern to identify vulnerable hosts.

Classification

Scanner 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: ConnectWise SecureConnect

No auth needed

Prerequisites: List of target hosts in a 'hosts.txt' file

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 1 stars

by tdawg506 · pythonpoc

https://github.com/tdawg506/ScreenConnect-CVE-2024-1709-Exploit

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2024-1709, which chains an authentication bypass (CVE-2024-1708) with remote code execution in ConnectWise ScreenConnect. The tool checks for vulnerability and provides exploitation guidance, including admin endpoint discovery and setup mode detection.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect (ConnectWise Control)

No auth needed

Prerequisites: Python 3.x · requests library · target URL · listener IP/port for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 15, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Teexo · remote

https://github.com/Teexo/ScreenConnect-CVE-2024-1709-Exploit

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2024-1709, which chains an authentication bypass (CVE-2024-1708) with remote code execution in ConnectWise ScreenConnect. The tool checks for vulnerability and provides exploitation guidance, including admin endpoint discovery and setup mode detection.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect (ConnectWise Control)

No auth needed

Prerequisites: Python 3.x · requests library · target URL · listener IP/port for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 1 stars

by cjybao · remote

https://github.com/cjybao/CVE-2024-1709-and-CVE-2024-1708

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-1709, which leverages an extension upload vulnerability to achieve remote code execution (RCE) on the target system. The exploit creates a malicious extension, uploads it, and executes arbitrary commands via a crafted HTTP handler.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Unknown (likely a web application with extension upload functionality)

Auth required

Prerequisites: Valid credentials for authentication · Access to the extension upload endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 1 stars

by sxyrxyy · remote

https://github.com/sxyrxyy/CVE-2024-1709-ConnectWise-ScreenConnect-Authentication-Bypass

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-1709, an authentication bypass vulnerability in ConnectWise ScreenConnect. The exploit automates the process of adding a new user by bypassing authentication through crafted HTTP requests to the SetupWizard.aspx endpoint.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect

No auth needed

Prerequisites: Access to the target ScreenConnect instance · SetupWizard.aspx endpoint must be accessible

MITRE ATT&CK

T1110 - Brute Force T1078 - Valid Accounts

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec NO CODE

by AhmedMansour93 · poc

https://github.com/AhmedMansour93/Event-ID-229-Rule-Name-SOC262-CVE-2024-1709-

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by sfewer-r7, WatchTowr · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass vulnerability (CVE-2024-1709) in ConnectWise ScreenConnect to create an administrator account and achieve remote code execution by uploading a malicious extension module. It targets versions 23.9.7 and below.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ConnectWise ScreenConnect <= 23.9.7

No auth needed

Prerequisites: Network access to the target server · ScreenConnect service running on port 8040

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 30, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2024-1709, which demonstrates an authentication bypass vulnerability in ConnectWise ScreenConnect. The exploit adds a new administrative user by manipulating the setup wizard process, leveraging extracted VIEWSTATE and VIEWSTATEGENERATOR values.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: ConnectWise ScreenConnect (versions prior to 23.9.8)

No auth needed

Prerequisites: Target URL · Desired username · Desired password (minimum 8 characters)

MITRE ATT&CK