CVE-2024-1708
Published 2024-02-21. CVE-2024-1708: ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or…
Priority: P1 (93), high. CVSS 3.1 base score 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
Tags: KEV, ITW, exploit available, ransomware, initial access
CISA Known Exploited Vulnerability, remediation due 2026-05-12
Exploited in the wild
EPSS: 87.62% (99.7th percentile)
ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| connectwise | screenconnect | < 23.9.8 | 23.9.8 |
| connectwise | screenconnect | <= 23.9.7 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
| vulncheck | 10.0 | CRITICAL | |
| cisa | 8.4 | HIGH | |
VulDB
ConnectWise ScreenConnect up to 23.9.7 path traversal
vuldb·2026-05-14·CVSS 8.4
CVE-2024-1708 [HIGH] ConnectWise ScreenConnect up to 23.9.7 path traversal
A vulnerability, which was classified as critical, was found in ConnectWise ScreenConnect up to 23.9.7. This affects an unknown part. Executing a manipulation can lead to path traversal.
This vulnerability is registered as CVE-2024-1708. It is possible to launch the attack remotely. Furthermore, an exploit is available.
GHSA
GHSA-65x5-26gm-j9pq: ConnectWise ScreenConnect 23
ghsa_unreviewed·2024-02-21
CVE-2024-1708 [HIGH] CWE-22 GHSA-65x5-26gm-j9pq: ConnectWise ScreenConnect 23
ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
VulnCheck
ConnectWise ScreenConnect Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2024·CVSS 8.4
CVE-2024-1708 [HIGH] ConnectWise ScreenConnect Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ConnectWise ScreenConnect Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
Affected: ConnectWise ScreenConnect
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://infosec.exchange/@SophosXOps/111975043941611370; https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/; https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation
VulnCheck
ConnectWise ScreenConnect Authentication Bypass Vulnerability
vulncheck·2024·CVSS 10.0
CVE-2024-1709 [CRITICAL] CWE-288 ConnectWise ScreenConnect Authentication Bypass Vulnerability
ConnectWise ScreenConnect Authentication Bypass Vulnerability
ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.
Affected: ConnectWise ScreenConnect
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-21&host_type=src&vulnerability=cve-2024-1709; https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1
CISA
ConnectWise ScreenConnect Path Traversal Vulnerability
cisa·2026-04-28·CVSS 8.4
CVE-2024-1708 [HIGH] CWE-22 ConnectWise ScreenConnect Path Traversal Vulnerability
Vulnerability: ConnectWise ScreenConnect Path Traversal Vulnerability
Affected: ConnectWise ScreenConnect
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 ; https://nvd.nist.gov/vuln/detail/CVE-2024-1708
Remediation Due Date: 2026-05-12
Suricata
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)
suricata·2024-02-21·CVSS 8.4
CVE-2024-1709 [HIGH] ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)"; flow:established,to_client; http.server; content:"ScreenConnect/"; fast_pattern; startswith; pcre:"/^(?:[3456789]|2(?:[012]|3\.(?:[012345678]|9\.[1234567]))?|1\d?)\./R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,s1creenconnect.connectwise.com/download/archive; reference:url,www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; reference:cve,2024-1709; reference:cve,2024-1708; classtype:web-application-ac
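As an added example (not the Emerging Threats rule author's code), the version test from the Suricata rule above re-implemented in Python and run over constructed Server header values, so a defender can check offline which banners the rule treats as a vulnerable version. The sample responses and build suffixes are made up.

```python
import re

# Added example (not the Emerging Threats rule author's code): a Python
# re-implementation of the version test in the Suricata rule above, so the
# match logic can be checked against sample Server header values offline.
# The rule anchors on the HTTP Server header starting with "ScreenConnect/"
# and then applies its PCRE relative to the end of that match (/R).
BANNER_PREFIX = "ScreenConnect/"

# Verbatim PCRE from the rule. It accepts versions 1.x-22.x, 23.0-23.8 and
# 23.9.1-23.9.7; 23.9.8 (the fixed release) and 24.x do not match.
VULNERABLE_VERSION_RE = re.compile(
    r"^(?:[3456789]|2(?:[012]|3\.(?:[012345678]|9\.[1234567]))?|1\d?)\."
)


def server_header_is_vulnerable(server_value: str) -> bool:
    """Return True when this Server header value would fire the rule.

    Mirrors content "ScreenConnect/"; startswith; plus the relative PCRE.
    Note the trailing dot in the pattern: the accepted version prefix must
    be followed by a further dotted component (the build number in
    ScreenConnect banners), so a bare "ScreenConnect/23.9.7" does not match.
    """
    if not server_value.startswith(BANNER_PREFIX):
        return False
    remainder = server_value[len(BANNER_PREFIX):]
    return VULNERABLE_VERSION_RE.match(remainder) is not None


def parse_server_header(raw_response: str):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def scan_responses(responses):
    """Return (index, server_value) for every response that would alert.

    The rule's threshold (one alert per source per hour) is not replicated;
    every matching response is reported.
    """
    hits = []
    for i, resp in enumerate(responses):
        server = parse_server_header(resp)
        if server is not None and server_header_is_vulnerable(server):
            hits.append((i, server))
    return hits


# Constructed sample responses; the build suffixes are made up, not real banners.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: ScreenConnect/23.9.7.8817-abc\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: ScreenConnect/23.9.8.8811-def\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: ScreenConnect/22.6.10142.8329\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for idx, server in scan_responses(SAMPLE_RESPONSES):
        print(f"response {idx}: vulnerable-version banner {server}")
```

Because the rule matches on the server's own banner, a patched server that still reports an old version string (or one behind a proxy that rewrites Server) will be mis-classified in the same way by both the rule and this script.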
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Sans Isc
TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th)
blogs_sans_isc·2026-05-04
CVE-2024-1708 TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th)
TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03)
Published: 2026-05-04. Last Updated: 2026-05-04 17:12:18 UTC
by Kenneth Hartman (Version: 1)
Summary
The most significant development of the week was the April 29 to 30 Mini Shai-Hulud worm, a self-propagating supply chain campaign that compromised four official SAP npm packages, two PyTorch Lightning PyPI versions, two intercom-client npm versions, and the intercom-php Packagist package across three package ecosystems. OX Security tracked roughly 1,800 GitHub repositories created with stolen credentials by the worm during the two day campaign, and Wiz attributed the operation to TeamPCP at high confidence based on a shared RSA public key with the prior Bitwarden CLI and Checkmarx KICS operations. Reporting s
Hackernews
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
blogs_hackernews·2026-04-29·CVSS 8.4
CVE-2024-1708 [HIGH] CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
## CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are listed below:
CVE-2024-1708 (CVSS score: 8.4) - A path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems. (Fixed in February 2024)
CVE-2026-32202 (CVSS score: 4.3) - A p
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
## Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense
blogs_huntress·2025-08-25·CVSS 8.8
[HIGH] Ten Years of Resilience, Innovation & Community-Driven Defense
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Huntress
137 Key Cybersecurity Statistics for 2026 and Beyond
blogs_huntress·2025-06-12
137 Key Cybersecurity Statistics for 2026 and Beyond
## Top cybersecurity facts
Staying ahead in cybersecurity means getting the lay of the land: what's working, what's not, and what's changing. This cybersecurity data isn't just numbers; it's deep insight into current digital defense risks, from password statistics revealing ongoing challenges to newer problems like remote work best practices.
More than a quarter (28%) of cybersecurity professionals say that employees in remote and hybrid work environments using the same or weak passwords is their biggest challenge. (Huntress)
Cyber safety concerns for remote and hybrid workers influenced 61% of businesses' decisions to return to the office after the COVID-19 pandemic. (Huntress)
An overwhelming majority (90%) of cybersecurity professionals feel confident in their organization's ab
Tenable
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
blogs_tenable·2025-04-25
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Huntress
2024: Revisiting a Year in Threats | Huntress
blogs_huntress·2024-12-31·CVSS 8.4
[HIGH] 2024: Revisiting a Year in Threats | Huntress
Before you pop the bubbly and count down to a new year, let’s reminisce for a moment. Looking back on the past 365 days, it was clear cybercriminals had no intention of slowing down. But neither did we. Our analysts worked tirelessly to help ensure our partners and our community could remain alert, informed, and protected. Here’s a snapshot of the milestones and lessons from 2024 that’ll guide us as we prepare for what lies ahead in 2025.
## ConnectWise ScreenConnect Vulnerabilities
The year came in with a fury. In February, critical vulnerabilities in ScreenConnect emerged, allowing attackers to bypass authentication with ease. Our team responded swiftly with in-depth research, detection guidance, a hotfix, and detailed analyses to keep our community informed about post-exploitation tra
Unit42
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
blogs_unit42·2024-09-10
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
## Executive Summary
Repellent Scorpius is a new ransomware-as-a-service (RaaS) group that distributes Cicada3301 ransomware. The ransomware group appears to have first emerged in May 2024, with a multi-extortion operation.
This report based on Unit 42 Incident Response engagements provides a technical analysis of the ransomware employed by the Repellent Scorpius group. It also covers other tactics, techniques and procedures (TTPs) observed during this attack.
In addition, we discuss Repellent Scorpius' connection to a historical incident involving data exfiltration, predating the group's operation under the Cicada3301 brand, as well as the ransomware group’s plans going forward. Finally, we provide a walkthrough of an updated encryptor obtained through external sources, highlighting th
Unit42
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
blogs_unit42·2024-09-10·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
## Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
By Navin Thomas and Jerome Tujague. Published: September 10, 2024
Categories: Cybercrime, High Profile Threats, Ransomware, Threat Actor Groups, Threat Research
Tags: ALPHV, Ambitious Scorpius, Bashful Scorpius, BlackCat ransomware, Cicada3301, CVE-2024-1708, CVE-2024-1709, Data exfiltration, Leak site, Nokoyawa, RaaS, Repellent Scorpius
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09·CVSS 9.1
CVE-2018-13379 [CRITICAL] Ransomware Review: First Half of 2024
Threat Research Center > Trend Reports > Ransomware
## Ransomware Review: First Half of 2024
By Amanda Tanner and Kristopher Bleich. Published: August 9, 2024
Categories: Cybercrime, Ransomware, Trend Reports
Tags: Alpha, ALPHV, Ambitious Scorpius, Anemic Scorpius, AvosLocker, Bashful Scorpius, Black Basta, Blackcat, Blackout, BreachForums, Burning Scorpius, Buzzing Scorpius, Chubby Scorpius, CL0P, CVE-2018-13379, CVE-2020-1472, CVE-2024-1708, CVE-2024-1709, CVE-2024-26169, CVE-2024-27198, CVE-2024-4577, Dark Scorpius, DoNex, DragonForce, Drowsy Scorpius, Flighty Scorpius, GhostSec, Healthcare, Hive, Hunters International, Ignoble Scorpius, Karakurt, KelvinSecurity, Leak site, LockBit, Losttrust, LukaLocker, Manufacturing, Muddled Libra, Mushy Scorpius, MyData, NoEscape, Nokoyawa, Qilin, Quilong, Ragnar Locke
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09
Ransomware Review: First Half of 2024
## Executive Summary
Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed.
In February, we reported a 49% increase year-over-year in alleged victims posted on ransomware leak sites. So far, in 2024, comparing the first half of 2023 to the first half of 2024, we see an even further increase of 4.3%. The higher level of activity observed in 2023 was no fluke.
Activity from groups like Ambitious Scorpius (distributors of Blac
Huntress
SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
blogs_huntress·2024-08-03·CVSS 8.4
[HIGH] SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
The “exploit” is trivial and embarrassingly easy.
These are words you never want to hear when talking about vulnerabilities in a widely used product, but that's exactly how John Hammond, Principal Security Researcher at Huntress, described the ability to exploit the ConnectWise ScreenConnect vulnerabilities in the Huntress team's technical analysis. Then you see a headline in TechCrunch that reads, "'I can't sugarcoat it — this shit is bad,' said Huntress' CEO," and you know this is not your everyday cybersecurity event.
## A Non-Technical Breakdown of the SlashAndGrab ScreenConnect Vulnerability
ConnectWise ScreenConnect is a popular software used to monitor and manage systems remotely. On February 19th, ConnectWise issued an advisory that all versions below 23.9.8 of their on-prem ve
Tenable
Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework
blogs_tenable·2024-05-10
Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework
Securelist
Exploits and vulnerabilities in Q1 2024
blogs_securelist·2024-05-07·CVSS 7.8
CVE-2024-3094 [HIGH] Exploits and vulnerabilities in Q1 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Public exploit statistics
  - Most prevalent exploits
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
  - CVE-2024-3094 (XZ)
  - CVE-2024-20656 (Visual Studio)
  - CVE-2024-21626 (runc)
  - CVE-2024-1708 (ScreenConnect)
  - CVE-2024-21412 (Windows Defender)
  - CVE-2024-27198 (TeamCity)
  - CVE-2023-38831 (WinRAR)
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting a
Securelist
Analyzing the vulnerability landscape in Q1 2024
blogs_securelist·2024-05-07
Analyzing the vulnerability landscape in Q1 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Notable Q1 2024 vulnerabilities
- Conclusions and advice
Authors
- Alexander Kolesnikov
- Vitaly Morgunov
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Add
Bleepingcomputer
Ransomware payments drop to record low of 28% in Q1 2024
blogs_bleepingcomputer·2024-04-21·CVSS 5.0
[MEDIUM] Ransomware payments drop to record low of 28% in Q1 2024
## Ransomware payments drop to record low of 28% in Q1 2024
## Bill Toulas
Ransomware actors have had a rough start this year, as stats from cybersecurity firm Coveware show companies are increasingly refusing to pay extortion demands, leading to a record low of 28% of companies paying ransom in the first quarter of 2024.
This figure was 29% in Q4 2023, and Coveware's stats show that diminishing payments have remained a steady trend since early 2019.
This decrease is due to organizations implementing more advanced protective measures, mounting legal pressure not to meet the crooks' financial demands, and cybercriminals repeatedly breaching promises not to publish or resell stolen data if a ransom is paid.
However, it is essential to note that despite the drop in the payment rate, the amount
Zscaler
ScreenConnect Vulnerabilities | ThreatLabz
blogs_zscaler·2024-03-11·CVSS 10.0
[CRITICAL] ScreenConnect Vulnerabilities | ThreatLabz
Bleepingcomputer
ScreenConnect flaws exploited to drop new ToddlerShark malware
blogs_bleepingcomputer·2024-03-04·CVSS 8.4
CVE-2024-1708 [HIGH] ScreenConnect flaws exploited to drop new ToddlerShark malware
## ScreenConnect flaws exploited to drop new ToddlerShark malware
## Bill Toulas
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddlerShark.
Kimsuky (aka Thallium and Velvet Chollima) is a North Korean state-sponsored hacking group known for cyber espionage attacks on organizations and governments worldwide.
The threat actors are exploiting authentication bypass and remote code execution flaws disclosed on February 20, 2024, when ConnectWise urged ScreenConnect customers to immediately upgrade their servers to version 23.9.8 or later.
Public exploits for the two flaws were released the next day, and hackers, including ransomware actors, quickly began leve
Checkpoint
4th March – Threat Intelligence Report
blogs_checkpoint·2024-03-04
CVE-2023-46805 4th March – Threat Intelligence Report
## 4th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
UnitedHealth Group confirmed its subsidiary was attacked by the ALPHV ransomware gang. 6 terabytes of data were stolen in the attack, and Change Healthcare, a crucial intermediary between pharmacies and insurance companies, was forced to disconnect its systems on February 21. The disruption impacted U.S. military clinics and ho
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz·2024-03-01·CVSS 8.6
CVE-2024-21626 [HIGH] Crying Out Cloud - March 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape: exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% of cloud environments have resources
Trendmicro
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
blogs_trendmicro·2024-02-27·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Exploitation of Vulnerabilities
## Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry.
By: Ian Kenefick, Junestherry Dela Cruz, Peter Girnus. Feb 27, 2024
On February 19, 2024, ConnectWise disclosed significant vulnerabilities within its ScreenConnect software (CVE-2024-1708 and CVE-2024-1709), which specifically affected versions 23.9.7 and earlier. These security flaws have opened the door for malicious actors to gain unauthorized acc
Bleepingcomputer
Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
blogs_bleepingcomputer·2024-02-27·CVSS 8.4
CVE-2024-1709 [HIGH] Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
## Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
## Sergiu Gatlan
The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability.
This critical flaw (CVE-2024-1709) allows attackers to create admin accounts on Internet-exposed servers, delete all other users, and take over any vulnerable instance.
CVE-2024-1709 has been under active exploitation since last Tuesday, one day after ConnectWise released security updates and proof-of-concept exploits were released by several cybersecurity companies.
Last week, ConnectWise also fixed a high-severity path traversal vulnerability (CVE-2024-1708) that can only be abused by threat actors with
Sentinelone
February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs
blogs_sentinelone·2024-02-27
February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs
February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks.
In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always we have the latest in ransomware updates.
## Ransomware Reporting and Underreporting
February 2024 has seen several impactful ransomware attacks reported, including:
| Actor | Targeted Industry |
|---|---|
| LockBit | Medical |
| BackMyData | Medical |
| Black Basta | Automotive |
| Cactus | Manufacturing |
Concerns remain, however, that many ransomware incidents ar
Checkpoint
26th February – Threat Intelligence Report
blogs_checkpoint·2024-02-26
CVE-2024-1708 26th February – Threat Intelligence Report
## 26th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The American Prince George’s County Public Schools (PGCPS) has experienced a ransomware attack that compromised the personal data of nearly 100K individuals. The attack exposed individuals’ full names, financial account information, and Social Security Numbers. The Rhysida ransomware gang is reportedly responsible for t
Huntress
Guide: How to Know if your ScreenConnect Server is Hacked | Huntress
blogs_huntress·2024-02-23·CVSS 8.4
CVE-2024-1708 [HIGH] Guide: How to Know if your ScreenConnect Server is Hacked | Huntress
You’ve probably seen it by now, but there was a major ConnectWise ScreenConnect vulnerability (CVE-2024-1708 and CVE-2024-1709) – which we’re calling “SlashAndGrab” – that’s been shared across the cybersecurity community. Here’s what you need to know to keep yourself patched up.
The patched versions (23.9.8 or newer) are available from ConnectWise. Anything older should be patched immediately as it is considered vulnerable. Do NOT wait to deploy this update. ConnectWise has removed license restrictions, allowing partners no longer under maintenance to upgrade to the latest version.
## What Should You Watch Out For?
Work under the assumption that you’ve already been compromised. Even if you have already patched or you run other security solutions, no matter what version of ScreenCo
Unit42
Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
blogs_unit42·2024-02-22·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
## Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
Unit 42
Published: February 21, 2024
## Executive Summary
Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.
Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.
As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.
The newly disclosed vulnerabilities have now been assigned the following CVEs:
| CVE Number | Description | CVSS Severity |
|---|---|---|
| CVE-2024-1708 | ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | 8.4 |
Bleepingcomputer
New ScreenConnect RCE flaw exploited in ransomware attacks
blogs_bleepingcomputer·2024-02-22·CVSS 8.4
[HIGH] New ScreenConnect RCE flaw exploited in ransomware attacks
## New ScreenConnect RCE flaw exploited in ransomware attacks
## Sergiu Gatlan
Update February 23, 07:02 EST: Sophos published a report today saying that the ransomware payloads they spotted were built using the LockBit ransomware builder leaked online by a disgruntled malware developer in late September 2022.
The samples seen by Sophos in this week's attacks were a buhtiRansom LockBit variant dropped on 30 different customer networks and a second payload created using the leaked Lockbit builder (and dropped by a different threat actor).
"On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that app
Bleepingcomputer
ScreenConnect critical bug now under attack as exploit code emerges
blogs_bleepingcomputer·2024-02-21·CVSS 8.4
CVE-2024-1708 [HIGH] ScreenConnect critical bug now under attack as exploit code emerges
## ScreenConnect critical bug now under attack as exploit code emerges
## Bill Toulas
Both technical details and proof-of-concept exploits are available for the two vulnerabilities ConnectWise disclosed earlier this week for ScreenConnect, its remote desktop and access software.
A day after the vendor published the security issues, attackers started leveraging them in attacks.
CISA has assigned the CVE-2024-1708 and CVE-2024-1709 identifiers to the two security issues, which the vendor assessed as a maximum severity authentication bypass and a high-severity path traversal flaw that impact ScreenConnect servers 23.9.7 and earlier.
ConnectWise urged admins to update on-premise servers to version 23.9.8 immediately to mitigate the risk and clarified that those with instances on screencon
Huntress
Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress
blogs_huntress·2024-02-21·CVSS 8.4
[HIGH] Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress
On February 19, 2024, ConnectWise published a security advisory for ScreenConnect version 23.9.8, referencing two vulnerabilities and software weaknesses. The same day, Huntress researchers worked to understand this threat and successfully recreated a proof-of-concept exploit demonstrating its impact.
This write-up will discuss our analysis efforts and the technical details behind this attack, which we’re coining as “SlashAndGrab.”
The ConnectWise advisory indicated that in all versions of ScreenConnect below 23.9.8 there were two vulnerabilities:
1. CVE-2024-1709: Authentication bypass using an alternate path or channel (CWE-288)
2. CVE-2024-1708: Improper limitation of a pathname to a restricted directory (“path traversal”) (CWE-22)
The first vulnerability was disclosed with a critical
Huntress
Detection Guidance for ConnectWise CWE-288 | Huntress
blogs_huntress·2024-02-20·CVSS 8.4
CVE-2024-1709 [HIGH] Detection Guidance for ConnectWise CWE-288 | Huntress
UPDATE: Read our full analysis of CVE-2024-1709 & CVE-2024-1708 and detection guidance here.
On February 19, 2024, ConnectWise released an advisory related to the disclosure of two vulnerabilities affecting their ScreenConnect software. This advisory was tagged by ConnectWise with a severity of “Critical” and a priority of “1 - High.”
The Huntress team was able to successfully reproduce and weaponize the vulnerability for CWE-288, Authentication bypass using an alternate path or channel. The POC for this vulnerability was recreated with ease and required minimal technical knowledge and resources. Given this, Huntress immediately released a post on this vulnerability and its potential impact. While Huntress strongly recommends immediately patching any ConnectWise software to version 23.9.
Tenable
Frequently Asked Questions about ScreenConnect Vulnerabilities
blogs_tenable·2024-02-20
Frequently Asked Questions about ScreenConnect Vulnerabilities
Huntress
Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8 | Huntress
blogs_huntress·2024-02-19·CVSS 8.4
CVE-2024-1709 [HIGH] Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8 | Huntress
UPDATE: Read our full analysis of CVE-2024-1709 & CVE-2024-1708 and detection guidance here.
UPDATE: We have proactively deployed a temporary hotfix to over 1000 vulnerable systems managed by Huntress. It's crucial people still update to the latest official version ASAP. During research and creation of a Proof-of-Concept exploit to validate the vulnerability, Huntress identified a way to temporarily hot-fix vulnerable systems while administrators work to patch their systems.
UPDATE: Detection guidance from Huntress has been issued.
Huntress security researchers successfully created and validated a proof-of-concept exploit for the vulnerabilities referenced in the latest February 19 ConnectWise ScreenConnect advisory.
CWE-288 “Authentication bypass using an alternate path or channe
Sentinelone
Black Basta
blogs_sentinelone·2022-11-30
Black Basta
Huntress
137 Key Cybersecurity Statistics for 2026 and Beyond | Huntress
blogs_huntress
137 Key Cybersecurity Statistics for 2026 and Beyond | Huntress
## Top cybersecurity facts
Staying ahead in cybersecurity means getting the lay of the land—what's working, what's not, and what's changing. This cybersecurity data isn't just numbers; it’s deep insights into current digital defense risks, from password statistics revealing ongoing challenges to newer problems like remote work best practices.
1. More than a quarter (28%) of cybersecurity professionals say that employees in remote and hybrid work environments using the same or weak passwords is their biggest challenge. (Huntress)
2. Cyber safety concerns for remote and hybrid workers influenced 61% of businesses' decisions to return to the office after the COVID-19 pandemic. (Huntress)
3. An overwhelming majority (90%) of cybersecurity professionals feel confident in their organization's
Huntress
2024: Revisiting a Year in Threats | Huntress
blogs_huntress·CVSS 8.4
[HIGH] 2024: Revisiting a Year in Threats | Huntress
Before you pop the bubbly and count down to a new year, let’s reminisce for a moment. Looking back on the past 365 days, it was clear cybercriminals had no intention of slowing down. But neither did we. Our analysts worked tirelessly to help ensure our partners and our community could remain alert, informed, and protected. Here’s a snapshot of the milestones and lessons from 2024 that’ll guide us as we prepare for what lies ahead in 2025.
### ConnectWise ScreenConnect Vulnerabilities
The year came in with a fury. In February, critical vulnerabilities in ScreenConnect emerged, allowing attackers to bypass authentication with ease. Our team responded swiftly with in-depth research, detection guidance, a hotfix, and detailed analyses to keep our community informed about post-exploitation tr
Huntress
SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) | Huntress
blogs_huntress·CVSS 8.4
CVE-2024-1709 [HIGH] SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) | Huntress
Table of Contents:
- Adversaries Deploying Ransomware
- Adversaries Enumerating
- Adversary Cryptocurrency Miners
- Adversaries Installing Additional Remote Access
- Downloading Tools and Payloads
- Adversaries Dropping Cobalt Strike
- Adversaries Persisting
- Wrapping Up
- Appendix
Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we shared the details of this vulnerability, its exploit, and shared detection guidance.
In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.
The adversaries taking
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
blogs_huntress·CVSS 8.8
[HIGH] Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Sentinelone
Black Basta
blogs_sentinelone
Black Basta
# Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year’s worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group's operational workflow, reconnaissance activities, and specific userID and details o
Huntress
Huntress 24/7 Security Operations Center | Huntress
blogs_huntress·CVSS 8.4
[HIGH] Huntress 24/7 Security Operations Center | Huntress
24/7 Managed SOC Services & Monitoring
Whether an incident goes down at 3:00 p.m. or 3:00 a.m., the Huntress elite AI-assisted SOC team has your back with always-on SOC monitoring and rapid response.
People-Powered Threat Hunting
Automation alone won’t cut it against today’s hackers, and this is where our human security experts come in. The Huntress Security Operations Center (SOC) fills a critical gap in your security with a team of always-on, global badasses on your side. They investigate threats, analyze tradecraft, and shut down attackers 24/7—all so you don’t have to.
Huntress
SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
blogs_huntress·CVSS 8.4
[HIGH] SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
The “exploit” is trivial and embarrassingly easy.
These are words you never want to hear when talking about vulnerabilities in a widely used product, but that’s exactly how John Hammond, Principal Security Researcher at Huntress, described the ability to exploit the ConnectWise ScreenConnect vulnerabilities in the Huntress Team’s technical analysis. Then you see a headline in TechCrunch that reads, “‘I can’t sugarcoat it — this shit is bad,' said Huntress' CEO,” and you know this is not your everyday cybersecurity event.
## A Non-Technical Breakdown of the SlashAndGrab ScreenConnect Vulnerability
ConnectWise ScreenConnect is a popular software used to monitor and manage systems remotely. On February 19th, ConnectWise issued an advisory that all versions below 23.9.8 of their on-prem ver
Zscaler
CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities | CXO Revolutionaries
blogs_zscaler
CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities | CXO Revolutionaries
## CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities
Deepen Desai, Contributor, Zscaler
Apr 8, 2024
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with executive insights on other cyber-related subjects. This month we released the Zscaler ThreatLabz 2024 AI Security Report, investigated Tweaks infostealer, analyzed Windows/Android RATs, and reviewed vulnerabilities in ConnectWise and XZ Utils.
## Zscaler ThreatLabz 2024 AI Security Report
ThreatLabz researchers
Huntress
CVE-2024-1708 (ScreenConnect Zip Slip) Vulnerability: Analysis & Detection | Huntress
blogs_huntress·CVSS 8.4
CVE-2024-1708 [HIGH] CVE-2024-1708 (ScreenConnect Zip Slip) Vulnerability: Analysis & Detection | Huntress
CVE-2024-1708 Vulnerability
Published: 02/20/2026
Written by: Nadine Rozell
CVEs are Common Vulnerabilities and Exposures - unique identifiers assigned to publicly known cybersecurity vulnerabilities.
CVE-2024-1708 is a high-severity path traversal vulnerability in ConnectWise ScreenConnect (now ConnectWise Access). It is widely known as the second half of the devastating "SlashAndGrab" exploit chain.
While CVE-2024-1709 allows attackers to bypass authentication, CVE-2024-1708 is the mechanism that delivers the payload. It allows an attacker (or a compromised admin) to overwrite critical files on the server, leading to full Remote Code Execution (RCE).
This page breaks down the mechanics of this "Zip Slip" vulnerability, how it fueled massive ransomware campaigns, and how to ensure
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1708
- https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
Published: 2024-02-21
Added to CISA KEV: 2026-04-28
Exploited in the wild