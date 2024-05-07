So, what exactly are the ScreenConnect vulnerabilities? Let’s take a look at each.

CVE-2024-1708

This vulnerability was assigned a CVSS 3.1 score of 8.4 out of 10. It affects ScreenConnect version 23.9.7 and all prior versions. It is a path traversal vulnerability that allows attackers to remotely execute code.

Specifically, it allows attackers to write files within the App_Exntensions root directory rather than confining them to their correct extension subdirectory. While this exploit was problematic, its impact was limited since it required administrative credentials. In combination with CVE-2024-1709, however, this vulnerability became much more worrisome.

CVE-2024-1709

This vulnerability was assigned a CVSS 3.1 score of 10 out of 10, marking it “critical.” It is an authentication bypass exploit that relies on the text-based nature of the SetupWizard.aspx file.

Due to an odd .Net functionality, it is possible to input invalid URL components after a legitimate URL path and still have this data passed along to the application. In practice, this means that attackers can request /SetupWizard.aspx/anything and they can gain access to the ScreenConnect setup wizard on any ScreenConnect instance, even those that are already configured.

Once attackers access the Setup Wizard welcome screen, all they need to do is click “Next.” Even if they do not complete the setup process, clicking Next will create a new user and delete all other local users. With full admin access, attackers can easily create and upload malicious extensions to gain Remote Code Execution (RCE) access.