CVE-2024-1709
Published: 2024-02-21
CVE-2024-1709: ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an…
Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 10
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerabilitydue 2024-02-29
Exploited in the wild
EPSS: 99.96% (100.0th percentile)
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| connectwise | screenconnect | < 23.9.8 | 23.9.8 |
| connectwise | screenconnect | <= 23.9.7 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
CISA
ConnectWise ScreenConnect Authentication Bypass Vulnerability
cisa·2024-02-22·CVSS 10.0
CVE-2024-1709 [CRITICAL] CWE-288 ConnectWise ScreenConnect Authentication Bypass Vulnerability
Vulnerability: ConnectWise ScreenConnect Authentication Bypass Vulnerability
Affected: ConnectWise ScreenConnect
ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; https://nvd.nist.gov/vuln/detail/CVE-2024-1709
Remediation Due Date: 2024-02-29
GHSA
GHSA-cg3j-75xh-7fv3: ConnectWise ScreenConnect 23
ghsa_unreviewed·2024-02-21
CVE-2024-1709 [CRITICAL] CWE-288 GHSA-cg3j-75xh-7fv3: ConnectWise ScreenConnect 23
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
VulnCheck
ConnectWise ScreenConnect Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2024·CVSS 8.4
CVE-2024-1708 [HIGH] ConnectWise ScreenConnect Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ConnectWise ScreenConnect Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker to execute remote code or directly impact confidential data or critical systems.
Affected: ConnectWise ScreenConnect
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://infosec.exchange/@SophosXOps/111975043941611370; https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/; https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation
VulnCheck
ConnectWise ScreenConnect Authentication Bypass Vulnerability
vulncheck·2024·CVSS 10.0
CVE-2024-1709 [CRITICAL] CWE-288 ConnectWise ScreenConnect Authentication Bypass Vulnerability
ConnectWise ScreenConnect Authentication Bypass Vulnerability
ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.
Affected: ConnectWise ScreenConnect
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-21&host_type=src&vulnerability=cve-2024-1709; https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1
Suricata
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
suricata·2024-02-21·CVSS 10.0
CVE-2024-1709 [CRITICAL] ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)"; flow:established,to_server; flowbits:set,ET.ScreenConnectAuthBypass.Attempt; http.uri; content:"/SetupWizard.aspx/"; startswith; fast_pattern; reference:url,www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; reference:cve,2024-1709; classtype:attempted-admin; sid:2050988; rev:2; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_02_21, cve CVE_2024_1709, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity
Suricata
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)
suricata·2024-02-21·CVSS 8.4
CVE-2024-1709 [HIGH] ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)"; flow:established,to_client; http.server; content:"ScreenConnect/"; fast_pattern; startswith; pcre:"/^(?:[3456789]|2(?:[012]|3\.(?:[012345678]|9\.[1234567]))?|1\d?)\./R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,s1creenconnect.connectwise.com/download/archive; reference:url,www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; reference:cve,2024-1709; reference:cve,2024-1708; classtype:web-application-ac
Suricata
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
suricata·2024-02-21·CVSS 10.0
CVE-2024-1709 [CRITICAL] ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
Rule: alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)"; flow:established,to_server; flowbits:set,ET.ScreenConnectAuthBypass.UserCreateAttempt; http.method; content:"POST"; http.uri; content:"/SetupWizard.aspx/"; startswith; http.request_body; content:"userNameBox|3d|"; content:"emailBox|3d|"; content:"passwordBox|3d|"; reference:url,github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/main/watchtowr-vs-ConnectWise_2024-02-21.py; reference:url,www.connectwise.com/company/trust/security-b
Suricata
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
suricata·2024-02-21·CVSS 10.0
CVE-2024-1709 [CRITICAL] ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)"; flow:established,to_client; flowbits:isset,ET.ScreenConnectAuthBypass.UserCreateAttempt; http.stat_code; content:"200"; http.server; content:"ScreenConnect/"; startswith; fast_pattern; reference:url,github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/main/watchtowr-vs-ConnectWise_2024-02-21.py; reference:url,www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; reference:cve,2024-1709; classtype:
Suricata
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
suricata·2024-02-21·CVSS 10.0
CVE-2024-1709 [CRITICAL] ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Successful SetupWizard Auth Bypass CWE-288 (CVE-2024-1709)"; flow:established,to_client; flowbits:isset,ET.ScreenConnectAuthBypass.Attempt; http.stat_code; content:"200"; http.server; content:"ScreenConnect/"; startswith; fast_pattern; http.response_body; content:"wizard"; nocase; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; reference:cve,2024-1709; classtype:successful-admin; sid:2050989; rev:1; metadata:attack_target Web_Server, tls_state TLSDecry
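The five ET rules above encode one detection chain: a request-side flowbit on any request to `/SetupWizard.aspx/`, a second flowbit when the POST body carries the user-creation form fields, "Successful" rules that only fire when the same flow returns HTTP 200 from a `ScreenConnect/` server, and a separate rule that flags a vulnerable version from the Server header via PCRE. The following Python is an added example that reproduces that logic so it can be run over sample traffic; it is not code from this page's sources, from Suricata, Proofpoint/ET or ConnectWise. All transactions, addresses and build numbers in it are constructed sample data, and the version regex is copied verbatim from the "Vulnerable Version Detected" rule while the numeric check uses the fixed-in version from the Affected table.

```python
"""Re-implementation of the ET Suricata rule logic for CVE-2024-1709 over
constructed HTTP transactions (added example, not from the page's sources)."""
import re
from dataclasses import dataclass

# PCRE copied from the "Vulnerable Version Detected" rule. Suricata applies it
# relative to the end of the "ScreenConnect/" match on the Server header.
VULNERABLE_VERSION_RE = re.compile(
    r"^(?:[3456789]|2(?:[012]|3\.(?:[012345678]|9\.[1234567]))?|1\d?)\."
)
FIXED_VERSION = (23, 9, 8)                 # "Fixed in" column of the Affected table
SETUP_WIZARD_PREFIX = "/SetupWizard.aspx/"  # http.uri content with startswith
USER_CREATE_FIELDS = ("userNameBox=", "emailBox=", "passwordBox=")  # http.request_body contents


def version_tuple(version: str) -> tuple:
    """'23.9.7.8817' -> (23, 9, 7, 8817); non-numeric parts are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def is_vulnerable_version(version: str) -> bool:
    """Numeric check against the Affected table: anything below 23.9.8."""
    return version_tuple(version) < FIXED_VERSION


def server_header_flags_vulnerable(server_header: str) -> bool:
    """Apply the rule's PCRE exactly as the rule does, after 'ScreenConnect/'."""
    prefix = "ScreenConnect/"
    if not server_header.startswith(prefix):
        return False
    return VULNERABLE_VERSION_RE.match(server_header[len(prefix):]) is not None


@dataclass
class HttpTx:
    """One request/response pair, i.e. one Suricata flow, so flowbits set on the
    request are visible when the response is inspected."""
    client: str
    server_addr: str
    method: str
    uri: str
    request_body: str = ""
    status: int = 0
    server_header: str = ""
    response_body: str = ""


def classify(tx: HttpTx) -> list:
    """Return the rule names (keywords from the ET msg strings) that would fire."""
    alerts = []
    from_screenconnect = tx.server_header.startswith("ScreenConnect/")
    if tx.uri.startswith(SETUP_WIZARD_PREFIX):
        # sid 2050988 sets flowbit ET.ScreenConnectAuthBypass.Attempt
        alerts.append("Attempted SetupWizard Auth Bypass")
        user_create = tx.method == "POST" and all(
            f in tx.request_body for f in USER_CREATE_FIELDS)
        if user_create:  # sets ET.ScreenConnectAuthBypass.UserCreateAttempt
            alerts.append("Attempted User Creation")
        # "Successful" rules: flowbit isset + http.stat_code 200 + ScreenConnect server
        if tx.status == 200 and from_screenconnect:
            if "wizard" in tx.response_body.lower():  # http.response_body, nocase
                alerts.append("Successful SetupWizard Auth Bypass")  # sid 2050989
            if user_create:
                alerts.append("Successful User Creation")
    if from_screenconnect and server_header_flags_vulnerable(tx.server_header):
        alerts.append("Vulnerable Version Detected")
    return alerts


def scan(transactions) -> list:
    """classify() every transaction and apply the version rule's threshold
    (limit 1, track by_src on to_client traffic = one alert per server)."""
    seen_vulnerable_servers = set()
    findings = []
    for tx in transactions:
        for name in classify(tx):
            if name == "Vulnerable Version Detected":
                if tx.server_addr in seen_vulnerable_servers:
                    continue
                seen_vulnerable_servers.add(tx.server_addr)
            findings.append((tx.client, tx.server_addr, name))
    return findings


# Constructed sample traffic: addresses and build numbers are made up.
SAMPLE = [
    HttpTx("198.51.100.7", "192.0.2.10", "GET", "/Login", status=200,
           server_header="ScreenConnect/23.9.8.8811", response_body="<html>login</html>"),
    HttpTx("198.51.100.7", "192.0.2.20", "GET", "/SetupWizard.aspx/", status=200,
           server_header="ScreenConnect/23.9.7.8817", response_body="<title>Setup Wizard</title>"),
    HttpTx("198.51.100.7", "192.0.2.20", "POST", "/SetupWizard.aspx/",
           request_body="userNameBox=a&emailBox=b&passwordBox=c", status=200,
           server_header="ScreenConnect/23.9.7.8817", response_body=""),
    HttpTx("198.51.100.7", "192.0.2.10", "GET", "/SetupWizard.aspx/", status=404,
           server_header="ScreenConnect/23.9.8.8811", response_body="not found"),
]

if __name__ == "__main__":
    for client, server, name in scan(SAMPLE):
        print(f"{client} -> {server}: {name}")
```

Two details worth noticing when tuning these rules: the "Attempted" rule fires on any request to the path, including probes against a patched server (the fourth sample), so the "Successful" rules (200 from a `ScreenConnect/` server, response body containing "wizard") are what separate scanning noise from a real bypass; and the version PCRE ends in `\.`, so it only matches a Server header carrying a further build component after the matched version prefix, while a bare `ScreenConnect/23.9.7` is caught by the numeric comparison but not by the rule.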
Metasploit
ConnectWise ScreenConnect Unauthenticated Remote Code Execution
metasploit
ConnectWise ScreenConnect Unauthenticated Remote Code Execution
ConnectWise ScreenConnect Unauthenticated Remote Code Execution
This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7 and below are affected.
Nuclei
ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
nuclei·CVSS 10.0
CVE-2024-1709 [CRITICAL] ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Template:
id: CVE-2024-1709
info:
  name: ConnectWise ScreenConnect 23.9.7 - Authentication Bypass
  author: johnk3r
  severity: critical
  description: |
    ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
  impact: |
    Unauthenticated attackers can bypass authentication to access confidential information or critical systems, potentially leading to c
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Hackernews
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
blogs_hackernews·2026-04-29·CVSS 8.4
CVE-2024-1708 [HIGH] CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
## CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are listed below -
- CVE-2024-1708 (CVSS score: 8.4) - A path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems. (Fixed in February 2024)
- CVE-2026-32202 (CVSS score: 4.3) - A p
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
## Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Unit42
Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
blogs_unit42·2025-12-12·CVSS 10.0
CVE-2025-55182 [CRITICAL] Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
## Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
Justin Moore
Published: December 12, 2025
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Jan. 30, 2025. Please refer to Vercel's website for the latest information.
### Update Dec. 12, 2025
Unit 42 uncovered the previously unseen KSwapDoor. This Linux backdoor was initially mistaken for BPFDoor.
Key features include:
- P2P mesh network: Enables multi-hop routing for robust C2 communications
- Strong encryption: Uses AES-256-CFB with Diffie-Hellman key exchange
- Stealth and persistence: Mimics a legitimate Linux kernel swap daemon
- Full remote access: Offers an interactive shell, command execution, file operations and lateral movement scanning
### Update Dec. 9, 2025
Unit 42 has identified activity that reportedly shares overlap with North Korean (DPRK) Contagious Interview tooling, t
Bleepingcomputer
CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers
blogs_bleepingcomputer·2025-10-30·CVSS 7.8
CVE-2025-41244 [HIGH] CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers
## CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers
## Sergiu Gatlan
On Thursday, CISA warned U.S. government agencies to secure their systems against attacks exploiting a high-severity vulnerability in Broadcom's VMware Aria Operations and VMware Tools software.
Tracked as CVE-2025-41244 and patched one month ago, this vulnerability allows local attackers with non-administrative privileges to a virtual machine (VM) with VMware Tools and managed by Aria Operations with SDMP enabled to escalate privileges to root on the same VM.
CISA added the flaw to its Known Exploited Vulnerabilities catalog, which lists security bugs the cybersecurity agency has flagged as exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until N
Bleepingcomputer
Chinese hackers exploiting VMware zero-day since October 2024
blogs_bleepingcomputer·2025-09-30·CVSS 9.8
CVE-2025-41244 [CRITICAL] Chinese hackers exploiting VMware zero-day since October 2024
## Chinese hackers exploiting VMware zero-day since October 2024
## Sergiu Gatlan
Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.
While the American technology giant didn't tag this security bug (CVE-2025-41244) as exploited in the wild, it thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May.
However, yesterday, the European cybersecurity company disclosed that this vulnerability was first exploited in the wild beginning mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.
"To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of
Securelist
Exploits and vulnerabilities in Q2 2025
blogs_securelist·2025-08-27·CVSS 8.2
CVE-2025-32433 [HIGH] Exploits and vulnerabilities in Q2 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
  - CVE-2025-32433: vulnerability in the SSH server, part of the Erlang/OTP framework
  - CVE-2025-6218: directory traversal vulnerability in WinRAR
  - CVE-2025-3052: insecure data access vulnerability in NVRAM, allowing bypass of UEFI signature checks
  - CVE-2025-49113: insecure deserialization vulnerability in Roundcube Webmail
  - CVE-2025-1533: stack overflow vulnerability in the AsIO3.sys driver
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published i
Securelist
Vulnerability landscape analysis for Q2 2025
blogs_securelist·2025-08-27
Vulnerability landscape analysis for Q2 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense
blogs_huntress·2025-08-25·CVSS 8.8
[HIGH] Ten Years of Resilience, Innovation & Community-Driven Defense
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Huntress
137 Key Cybersecurity Statistics for 2026 and Beyond
blogs_huntress·2025-06-12
137 Key Cybersecurity Statistics for 2026 and Beyond
## Top cybersecurity facts
Staying ahead in cybersecurity means getting the lay of the land: what's working, what's not, and what's changing. This cybersecurity data isn't just numbers; it's deep insights into current digital defense risks, from password statistics revealing ongoing challenges to newer problems like remote work best practices.
- More than a quarter (28%) of cybersecurity professionals say that employees in remote and hybrid work environments using the same or weak passwords is their biggest challenge. (Huntress)
- Cyber safety concerns for remote and hybrid workers influenced 61% of businesses' decisions to return to the office after the COVID-19 pandemic. (Huntress)
- An overwhelming majority (90%) of cybersecurity professionals feel confident in their organization's ab
Sentinelone
Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
blogs_sentinelone·2025-06-09
Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
## Executive Summary
- In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze.
- At the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad operation. The affected organization was responsible for managing hardware logistics for SentinelOne employees at the time.
- A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities.
- The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025. The victimo
Bleepingcomputer
ConnectWise breached in cyberattack linked to nation-state hackers
blogs_bleepingcomputer·2025-05-29
ConnectWise breached in cyberattack linked to nation-state hackers
## ConnectWise breached in cyberattack linked to nation-state hackers
## Lawrence Abrams
IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.
"ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers," ConnectWise shared in a brief advisory .
"We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement."
ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybe
Tenable
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
blogs_tenable·2025-04-25
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
Wiz
Crying Out Cloud Newsletter - March 2025 | Wiz
blogs_wiz·2025-03-01·CVSS 9.8
CVE-2025-0108 [CRITICAL] Crying Out Cloud Newsletter - March 2025 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Authentication Bypass Vulnerability in PAN-OS Exploited in-the-Wild
Attackers are actively exploiting CVE-2025-0108, a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS firewalls. The flaw allows unauthenticated attackers with network access to invoke PHP scripts and potentially compromise firewall integrity and confidentiality. Researchers at Assetnote disclosed exploitation details, and active attacks have been observed since February 13, 2025.
At first, the value of this vulnerability for attackers was slightly unclear, since it “
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
- Know Your Enemy's Playbook
- Attackers Move Fast
- How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Bleepingcomputer
BadPilot network hacking campaign fuels Russian SandWorm attacks
blogs_bleepingcomputer·2025-02-12
BadPilot network hacking campaign fuels Russian SandWorm attacks
## BadPilot network hacking campaign fuels Russian SandWorm attacks
## Bill Toulas
A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
The threat actor has been active since at least 2021 and is also responsible for breaching networks of organizations in energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors.
Microsoft's Threat Intelligence team says that the actor is dedicated to achieving initial access to target systems, establishing persistence, and maintaining presence to allow other APT44 subgroups with post-compromise expertise to take over.
"We have also observed the initial access subgroup
Huntress
2024: Revisiting a Year in Threats | Huntress
blogs_huntress·2024-12-31·CVSS 8.4
[HIGH] 2024: Revisiting a Year in Threats | Huntress
Before you pop the bubbly and count down to a new year, let’s reminisce for a moment. Looking back on the past 365 days, it was clear cybercriminals had no intention of slowing down. But neither did we. Our analysts worked tirelessly to help ensure our partners and our community could remain alert, informed, and protected. Here’s a snapshot of the milestones and lessons from 2024 that’ll guide us as we prepare for what lies ahead in 2025.
## ConnectWise ScreenConnect Vulnerabilities
The year came in with a fury. In February, critical vulnerabilities in ScreenConnect emerged, allowing attackers to bypass authentication with ease. Our team responded swiftly with in-depth research, detection guidance, a hotfix, and detailed analyses to keep our community informed about post-exploitation tra
Huntress
Top 3 Cybersecurity Threats of 2024 (So Far) | Huntress
blogs_huntress·2024-10-08·CVSS 10.0
[CRITICAL] Top 3 Cybersecurity Threats of 2024 (So Far) | Huntress
Cybersecurity is always full of surprises, and 2024 has been no exception. We’re only in October, and we’ve seen some severe curveballs come our way. Hackers have gotten dirtier than ever this year, as evidenced by three major threats that have kept us all on our toes:
RMM abuse
BYOVD attacks
WebDAV abuse
Let’s break down this trifecta together, shall we? After all, we’re all in this together, and with the right insights and strategies, we can embrace a proactive approach that allows our organizations not only to survive but also empowers us all to thrive.
## Threat #1: RMM Abuse
One of the most prevalent and dangerous threats we’ve seen in 2024 is the abuse of remote monitoring and management (RMM) tools. Since January, the number of RMM tools used in cybersecurity incidents has in
Qualys
What Is Black Basta Ransomware and How to Mitigate Attack
blogs_qualys·2024-09-19·CVSS 5.5
[MEDIUM] What Is Black Basta Ransomware and How to Mitigate Attack
## Table of Contents
Introduction
Tools, Techniques, and Vulnerabilities Exploited
Technical Analysis
Effective Hunting Queries
Mapping MITRE ATT&CK: Key Techniques
Indicators of Compromise (IoC)
Stay to the Left of Boom of Emerging Threats
## Introduction
Black Basta is a ransomware group operating as ransomware-as-a-service (RaaS), first spotted in April 2022. It is known to use double extortion techniques where the group demands payment for the decryption and non-release of stolen data. Earlier versions of Black Basta share many similarities with Conti Ransomware.
A wide range of industries and critical infrastructure in North America, Europe, and Australia have been impacted by Black Basta. To date, 500+ organizations have been affected globally by Black Basta affiliates gain
Unit42
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
blogs_unit42·2024-09-10
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
## Executive Summary
Repellent Scorpius is a new ransomware-as-a-service (RaaS) group that distributes Cicada3301 ransomware. The ransomware group appears to have first emerged in May 2024, with a multi-extortion operation.
This report, based on Unit 42 Incident Response engagements, provides a technical analysis of the ransomware employed by the Repellent Scorpius group. It also covers other tactics, techniques and procedures (TTPs) observed during this attack.
In addition, we discuss Repellent Scorpius' connection to a historical incident involving data exfiltration, predating the group's operation under the Cicada3301 brand, as well as the ransomware group’s plans going forward. Finally, we provide a walkthrough of an updated encryptor obtained through external sources, highlighting th
Unit42
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
blogs_unit42·2024-09-10·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
## Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
Navin Thomas
Jerome Tujague
Published: September 10, 2024
Cybercrime
High Profile Threats
Ransomware
Threat Actor Groups
Threat Research
ALPHV
Ambitious Scorpius
Bashful Scorpius
BlackCat ransomware
Cicada3301
CVE-2024-1708
CVE-2024-1709
Data exfiltration
Leak site
Nokoyawa
RaaS
Repellent Scorpius
## Executive Summary
Repellent Scorpius is a new ransomware-as-a-service (RaaS) group that distributes Cicada3301 ransomware. The ransomware group appears to have first emerged in May 2024, with a multi-extortion operation.
This report, based on Unit 42 Incident Response engagements, provides a technical analysis of the ransomware employed by the Repellent Scorpius group. It also covers other t
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09·CVSS 9.1
CVE-2018-13379 [CRITICAL] Ransomware Review: First Half of 2024
Threat Research Center
Trend Reports
Ransomware
## Ransomware Review: First Half of 2024
Amanda Tanner
Kristopher Bleich
Published: August 9, 2024
Cybercrime
Ransomware
Trend Reports
Alpha
ALPHV
Ambitious Scorpius
Anemic Scorpius
AvosLocker
Bashful Scorpius
Black Basta
Blackcat
Blackout
BreachForums
Burning Scorpius
Buzzing Scorpius
Chubby Scorpius
CL0P
CVE-2018-13379
CVE-2020-1472
CVE-2024-1708
CVE-2024-1709
CVE-2024-26169
CVE-2024-27198
CVE-2024-4577
Dark Scorpius
DoNex
DragonForce
Drowsy Scorpius
Flighty Scorpius
GhostSec
Healthcare
Hive
Hunters International
Ignoble Scorpius
Karakurt
KelvinSecurity
Leak site
LockBit
Losttrust
LukaLocker
Manufacturing
Muddled Libra
Mushy Scorpius
MyData
NoEscape
Nokoyawa
Qilin
Quilong
Ragnar Locke
Unit42
Ransomware Review: First Half of 2024
blogs_unit42·2024-08-09
Ransomware Review: First Half of 2024
## Executive Summary
Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed.
In February, we reported a 49% increase year-over-year in alleged victims posted on ransomware leak sites. So far, in 2024, comparing the first half of 2023 to the first half of 2024, we see an even further increase of 4.3%. The higher level of activity observed in 2023 was no fluke.
Activity from groups like Ambitious Scorpius (distributors of Blac
Qualys
Cybersecurity Threat Landscape 2024 Midyear Review
blogs_qualys·2024-08-06
Cybersecurity Threat Landscape 2024 Midyear Review
## Table of Contents
Key Takeaways from the Threat Landscape Report 2024
Vulnerability and Threat Analysis in the Cybersecurity Landscape 2024
Cyber Threat Landscape 2024 A Detailed Review
Key Statistics and Their Impact on the 2024 Cybersecurity Landscape
Mid-2024s Most Exploited Vulnerabilities in the Cybersecurity Landscape
Conclusion
As we navigate the complexities of 2024, it’s crucial to pause and reflect on the evolving threat landscape that surrounds us. This moment offers a unique opportunity to scrutinize our triumphs and missteps, understand the events that have decisively shaped our environment, and consider those that have subtly influenced it. By extracting key lessons from our recent experiences, we can fortify our strategies and prepare more effectively for the emerg
Huntress
SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
blogs_huntress·2024-08-03·CVSS 8.4
[HIGH] SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
The “exploit” is trivial and embarrassingly easy.
These are words you never want to hear when talking about vulnerabilities in a widely used product, but that’s exactly how John Hammond, Principal Security Researcher at Huntress, described the ability to exploit the ConnectWise ScreenConnect vulnerabilities in the Huntress Team’s technical analysis. Then you see a headline in TechCrunch that reads, “‘I can’t sugarcoat it — this shit is bad,’ said Huntress' CEO,” and you know this is not your everyday cybersecurity event.
## A Non-Technical Breakdown of the SlashAndGrab ScreenConnect Vulnerability
ConnectWise ScreenConnect is a popular software used to monitor and manage systems remotely. On February 19th, ConnectWise issued an advisory that all versions below 23.9.8 of their on-prem ve
Zscaler
ScreenConnect Vulnerabilities | ThreatLabz
blogs_zscaler·2024-03-11·CVSS 10.0
[CRITICAL] ScreenConnect Vulnerabilities | ThreatLabz
Bleepingcomputer
ScreenConnect flaws exploited to drop new ToddlerShark malware
blogs_bleepingcomputer·2024-03-04·CVSS 8.4
CVE-2024-1708 [HIGH] ScreenConnect flaws exploited to drop new ToddlerShark malware
## ScreenConnect flaws exploited to drop new ToddlerShark malware
## Bill Toulas
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddlerShark.
Kimsuky (aka Thallium and Velvet Chollima) is a North Korean state-sponsored hacking group known for cyber espionage attacks on organizations and governments worldwide.
The threat actors are exploiting authentication bypass and remote code execution flaws disclosed on February 20, 2024, when ConnectWise urged ScreenConnect customers to immediately upgrade their servers to version 23.9.8 or later.
Public exploits for the two flaws were released the next day, and hackers, including ransomware actors, quickly began leve
Checkpoint
4th March – Threat Intelligence Report
blogs_checkpoint·2024-03-04
CVE-2023-46805 4th March – Threat Intelligence Report
## 4th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
UnitedHealth Group confirmed its subsidiary was attacked by the ALPHV ransomware gang. 6 terabytes of data were stolen in the attack, and Change Healthcare, a crucial intermediary between pharmacies and insurance companies, was forced to disconnect its systems on February 21. The disruption impacted U.S. military clinics and ho
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz·2024-03-01·CVSS 8.6
CVE-2024-21626 [HIGH] Crying Out Cloud - March 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape: exploiting them could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% of cloud environments have resources
Bleepingcomputer
Ransomware gang claims they stole 6TB of Change Healthcare data
blogs_bleepingcomputer·2024-02-28·CVSS 10.0
[CRITICAL] Ransomware gang claims they stole 6TB of Change Healthcare data
## Ransomware gang claims they stole 6TB of Change Healthcare data
## Sergiu Gatlan
In a statement published on their dark web leak site today, BlackCat said that they allegedly stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc."
"Being inside a production network one can imagine the amount of critical and sensitive data that can be found. The data relates to all Change Health clients that have sensitive data being processed by the company," BlackCat said.
The ransomware gang claims that they stole source code for Change Healthcare solutions and sensitive information belonging to many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CV
Trendmicro
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
blogs_trendmicro·2024-02-27·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Exploits & Vulnerabilities
## Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry.
By: Ian Kenefick, Junestherry Dela Cruz, Peter Girnus, Feb 27, 2024
On February 19, 2024, ConnectWise disclosed significant vulnerabilities within its ScreenConnect software (CVE-2024-1708 and CVE-2024-1709), which specifically targeted versions 23.9.7 and earlier. These security flaws have opened the door for malicious actors to gain unauthorized acc
Bleepingcomputer
Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
blogs_bleepingcomputer·2024-02-27·CVSS 8.4
CVE-2024-1709 [HIGH] Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
## Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
## Sergiu Gatlan
The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability.
This critical flaw (CVE-2024-1709) allows attackers to create admin accounts on Internet-exposed servers, delete all other users, and take over any vulnerable instance.
CVE-2024-1709 has been under active exploitation since last Tuesday, one day after ConnectWise released security updates and proof-of-concept exploits were released by several cybersecurity companies.
Last week, ConnectWise also fixed a high-severity path traversal vulnerability (CVE-2024-1708) that can only be abused by threat actors with
Bleepingcomputer
FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
blogs_bleepingcomputer·2024-02-27
FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
## FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
## Sergiu Gatlan
The FBI linked BlackCat to over 60 breaches during its first four months of activity (between November 2021 and March 2022) and said the gang has raked in at least $300 million in ransoms from over 1,000 victims until September 2023.
"Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the three federal agencies warned in today's joint advisory.
"This is likely in response to the ALPHV Blackcat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023."
The FBI, CISA, and HHS advised critical infrastructure organizations to take nece
Sentinelone
February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs
blogs_sentinelone·2024-02-27
February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs
February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks.
In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always we have the latest in ransomware updates.
## Ransomware Reporting and Underreporting
February 2024 has seen several impactful ransomware attacks reported, including:
| Actor | Targeted Industry |
|---|---|
| LockBit | Medical |
| BackMyData | Medical |
| Black Basta | Automotive |
| Cactus | Manufacturing |
Concerns remain, however, that many ransomware incidents ar
Bleepingcomputer
UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
blogs_bleepingcomputer·2024-02-26·CVSS 10.0
[CRITICAL] UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
## UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
## Sergiu Gatlan
Since then, Optum has been providing daily incident updates on a dedicated status page, warning that Change Healthcare's systems are still offline to prevent further impact and contain the breach, with the outage currently impacting most services.
"We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue," Optum says.
"We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online."
## BlackCat links
Since the attack hit its systems, ChangeHealthcare has been conducting Zoom calls with partners in the healthcare industry
Checkpoint
26th February – Threat Intelligence Report
blogs_checkpoint·2024-02-26
CVE-2024-1708 26th February – Threat Intelligence Report
## 26th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The American Prince George’s County Public Schools (PGCPS) has experienced a ransomware attack that compromised the personal data of nearly 100K individuals. The attack exposed individuals’ full names, financial account information, and Social Security Numbers. The Rhysida ransomware gang is reportedly responsible for t
Huntress
Guide: How to Know if your ScreenConnect Server is Hacked | Huntress
blogs_huntress·2024-02-23·CVSS 8.4
CVE-2024-1708 [HIGH] Guide: How to Know if your ScreenConnect Server is Hacked | Huntress
You’ve probably seen it by now, but there was a major ConnectWise ScreenConnect vulnerability (CVE-2024-1708 and CVE-2024-1709), which we’re calling “SlashAndGrab”, that’s been shared across the cybersecurity community. Here’s what you need to know to keep yourself patched up.
The patched versions (23.9.8 or newer) are available from ConnectWise. Anything older should be patched immediately as it is considered vulnerable. Do NOT wait to deploy this update. ConnectWise has removed license restrictions, allowing partners no longer under maintenance to upgrade to the latest version.
## What Should You Watch Out For?
Work under the assumption that you’ve already been compromised. Even if you have already patched or you run other security solutions, no matter what version of ScreenCo
Unit42
Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
blogs_unit42·2024-02-22·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
Threat Research Center
High Profile Threats
Vulnerabilities
## Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
Unit 42
Published: February 21, 2024
High Profile Threats
Vulnerabilities
ConnectWise
CVE-2024-1708
CVE-2024-1709
Remote desktop
Vulnerability exploit
## Executive Summary
Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.
Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.
As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.
The newly disc
Unit42
Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
blogs_unit42·2024-02-22·CVSS 8.4
CVE-2024-1708 [HIGH] Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
## Executive Summary
Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.
Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.
As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.
The newly disclosed vulnerabilities have now been assigned the following CVEs:
| CVE Number | Description | CVSS Severity |
|---|---|---|
| CVE-2024-1708 | ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | 8.4 |
Bleepingcomputer
New ScreenConnect RCE flaw exploited in ransomware attacks
blogs_bleepingcomputer·2024-02-22·CVSS 8.4
[HIGH] New ScreenConnect RCE flaw exploited in ransomware attacks
## New ScreenConnect RCE flaw exploited in ransomware attacks
## Sergiu Gatlan
Update February 23, 07:02 EST: Sophos published a report today saying that the ransomware payloads they spotted were built using the LockBit ransomware builder leaked online by a disgruntled malware developer in late September 2022.
The samples seen by Sophos in this week's attacks were a buhtiRansom LockBit variant dropped on 30 different customer networks and a second payload created using the leaked Lockbit builder (and dropped by a different threat actor).
"On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that app
Bleepingcomputer
ScreenConnect critical bug now under attack as exploit code emerges
blogs_bleepingcomputer·2024-02-21·CVSS 8.4
CVE-2024-1708 [HIGH] ScreenConnect critical bug now under attack as exploit code emerges
## ScreenConnect critical bug now under attack as exploit code emerges
## Bill Toulas
Both technical details and proof-of-concept exploits are available for the two vulnerabilities ConnectWise disclosed earlier this week for ScreenConnect, its remote desktop and access software.
A day after the vendor published the security issues, attackers started leveraging them in attacks.
CISA has assigned CVE-2024-1708 and CVE-2024-1709 identifiers to the two security issues, which the vendor assessed as a maximum severity authentication bypass and a high-severity path traversal flaw that impact ScreenConnect servers 23.9.7 and earlier.
ConnectWise urged admins to update on-premise servers to version 23.9.8 immediately to mitigate the risk and clarified that those with instances on screencon
Huntress
Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress
blogs_huntress·2024-02-21·CVSS 8.4
[HIGH] Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress
On February 19, 2024, ConnectWise published a security advisory for ScreenConnect version 23.9.8, referencing two vulnerabilities and software weaknesses. The same day, Huntress researchers worked to understand this threat and successfully recreated a proof-of-concept exploit demonstrating its impact.
This write-up will discuss our analysis efforts and the technical details behind this attack, which we’re coining as “SlashAndGrab.”
The ConnectWise advisory indicated that in all versions of ScreenConnect below 23.9.8 there were two vulnerabilities:
CVE-2024-1709: Authentication bypass using an alternate path or channel (CWE-288)
CVE-2024-1708: Improper limitation of a pathname to a restricted directory (“path traversal”) (CWE-22)
The first vulnerability was disclosed with a critical
Huntress
Detection Guidance for ConnectWise CWE-288 | Huntress
blogs_huntress·2024-02-20·CVSS 8.4
CVE-2024-1709 [HIGH] Detection Guidance for ConnectWise CWE-288 | Huntress
UPDATE: Read our full analysis of CVE-2024-1709 & CVE-2024-1708 and detection guidance here.
On February 19, 2024, ConnectWise released an advisory related to the disclosure of two vulnerabilities affecting their ScreenConnect software. This advisory was tagged by ConnectWise with a severity of “Critical” and a priority of “1 - High.”
The Huntress team was able to successfully reproduce and weaponize the vulnerability for CWE-288, Authentication bypass using an alternate path or channel. The POC for this vulnerability was recreated with ease and required minimal technical knowledge and resources. Given this, Huntress immediately released a post on this vulnerability and its potential impact. While Huntress strongly recommends immediately patching any ConnectWise software to version 23.9.
Tenable
Frequently Asked Questions about ScreenConnect Vulnerabilities
blogs_tenable·2024-02-20
Frequently Asked Questions about ScreenConnect Vulnerabilities
Huntress
Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8 | Huntress
blogs_huntress·2024-02-19·CVSS 8.4
CVE-2024-1709 [HIGH] Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8 | Huntress
UPDATE: Read our full analysis of CVE-2024-1709 & CVE-2024-1708 and detection guidance here.
UPDATE: We have proactively deployed a temporary hotfix to over 1000 vulnerable systems managed by Huntress. It's crucial people still update to the latest official version ASAP. During research and creation of a Proof-of-Concept exploit to validate the vulnerability, Huntress identified a way to temporarily hot-fix vulnerable systems while administrators work to patch their systems.
UPDATE: Detection guidance from Huntress has been issued.
Huntress security researchers successfully created and validated a proof-of-concept exploit for the vulnerabilities referenced in the latest February 19 ConnectWise ScreenConnect advisory.
CWE-288 “Authentication bypass using an alternate path or channe
Sentinelone
Black Basta
blogs_sentinelone·2022-11-30
Black Basta
Wiz
CVE-2025-14265 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-14265 [CRITICAL] CVE-2025-14265 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14265 :
ScreenConnect Server vulnerability analysis and mitigation
In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed.
Source : NVD
Score: 9.1
Published: December 11, 2025
Severity: CRITICAL
CNA Score: 9.
Threat Intel
Medusa Group (Medusa Group)
threat_intel
Medusa Group (Medusa Group)
# Threat Actor Profile: Medusa Group
ATT&CK ID: G1051
Also known as: Medusa Group
## Overview
Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltra
Huntress
137 Key Cybersecurity Statistics for 2026 and Beyond | Huntress
blogs_huntress
137 Key Cybersecurity Statistics for 2026 and Beyond | Huntress
## Top cybersecurity facts
Staying ahead in cybersecurity means getting the lay of the land—what's working, what's not, and what's changing. This cybersecurity data isn't just numbers; it’s deep insights into current digital defense risks, from password statistics revealing ongoing challenges to newer problems like remote work best practices.
1. More than a quarter (28%) of cybersecurity professionals say that employees in remote and hybrid work environments using the same or weak passwords is their biggest challenge. (Huntress)
2. Cyber safety concerns for remote and hybrid workers influenced 61% of businesses' decisions to return to the office after the COVID-19 pandemic. (Huntress)
3. An overwhelming majority (90%) of cybersecurity professionals feel confident in their organization's
Huntress
2024: Revisiting a Year in Threats | Huntress
blogs_huntress·CVSS 8.4
[HIGH] 2024: Revisiting a Year in Threats | Huntress
Before you pop the bubbly and count down to a new year, let’s reminisce for a moment. Looking back on the past 365 days, it was clear cybercriminals had no intention of slowing down. But neither did we. Our analysts worked tirelessly to help ensure our partners and our community could remain alert, informed, and protected. Here’s a snapshot of the milestones and lessons from 2024 that’ll guide us as we prepare for what lies ahead in 2025.
### ConnectWise ScreenConnect Vulnerabilities
The year came in with a fury. In February, critical vulnerabilities in ScreenConnect emerged, allowing attackers to bypass authentication with ease. Our team responded swiftly with in-depth research, detection guidance, a hotfix, and detailed analyses to keep our community informed about post-exploitation tr
Huntress
SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) | Huntress
blogs_huntress·CVSS 8.4
CVE-2024-1709 [HIGH] SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) | Huntress
Table of Contents:
- Adversaries Deploying Ransomware
- Adversaries Enumerating
- Adversary Cryptocurrency Miners
- Adversaries Installing Additional Remote Access
- Downloading Tools and Payloads
- Adversaries Dropping Cobalt Strike
- Adversaries Persisting
- Wrapping Up
- Appendix
Since February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling “SlashAndGrab.” In previous posts, we shared the details of this vulnerability, its exploit, and shared detection guidance.
In this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC), where our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation tradecraft.
The adversaries taking
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
blogs_huntress·CVSS 8.8
[HIGH] Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Sentinelone
Black Basta
blogs_sentinelone
Black Basta
# Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year’s worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group's operational workflow, reconnaissance activities, and specific userID and details o
Huntress
Huntress 24/7 Security Operations Center | Huntress
blogs_huntress·CVSS 8.4
[HIGH] Huntress 24/7 Security Operations Center | Huntress
24/7 Managed SOC Services & Monitoring
Whether an incident goes down at 3:00 p.m. or 3:00 a.m., the Huntress elite AI-assisted SOC team has your back with always-on SOC monitoring and rapid response.
People-Powered Threat Hunting
Automation alone won’t cut it against today’s hackers, and this is where our human security experts come in. The Huntress Security Operations Center (SOC) fills a critical gap in your security with a team of always-on, global badasses on your side. They investigate threats, analyze tradecraft, and shut down attackers 24/7—all so you don’t have to.
- 8 min: industry-leading mean time to respond (MTTR)*
- Threat experts across the globe
- 98.8%: customer support satisfaction score
- False positive rate across 4M endpoints
- Confirmed high/critical incident reports sen
Huntress
SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
blogs_huntress·CVSS 8.4
[HIGH] SlashAndGrab: The ConnectWise ScreenConnect Vulnerability Explained | Huntress
The “exploit” is trivial and embarrassingly easy.
These are words you never want to hear when talking about vulnerabilities in a widely used product, but that’s exactly how John Hammond, Principal Security Researcher at Huntress, described the ability to exploit the ConnectWise ScreenConnect vulnerabilities in the Huntress Team’s technical analysis. Then you see a headline in TechCrunch that reads, “‘I can’t sugarcoat it — this shit is bad,' said Huntress' CEO,” and you know this is not your everyday cybersecurity event.
## A Non-Technical Breakdown of the SlashAndGrab ScreenConnect Vulnerability
ConnectWise ScreenConnect is a popular software used to monitor and manage systems remotely. On February 19th, ConnectWise issued an advisory that all versions below 23.9.8 of their on-prem ver
Wiz
CVE-2025-14823 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-14823 [CRITICAL] CVE-2025-14823 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14823 :
ScreenConnect Server vulnerability analysis and mitigation
In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components.
Source : NVD
Score: 5.3
Published: December 18, 2025
Severity: MEDIUM
CNA Score: 5.3
Affected Tec
Wiz
CVE-2026-3564 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-3564 [CRITICAL] CVE-2026-3564 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3564 :
ScreenConnect Server vulnerability analysis and mitigation
A condition in ScreenConnect may allow an actor with access to server-level cryptographic material used for authentication to obtain unauthorized access, including elevated privileges, in certain scenarios.
Source : NVD
Score: 9
Published: March 17, 2026
Severity: CRITICAL
CNA Score: 9.0
Affected Technologies: ScreenConnect Server
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:connectwise:screenconnect
Sources: NVD
Linux: Severity CRITICAL, Has Fix, Added at: Mar 19, 2026
Windows: Severity CRITICAL, Has Fix, Added at: Mar 19, 20
Zscaler
CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities | CXO Revolutionaries
blogs_zscaler
CISO Monthly Roundup, March 2024: Zscaler ThreatLabz 2024 AI Security Report, Tweaks infostealer, Windows/Android RATs, and XZ Utils and ConnectWise vulnerabilities | CXO Revolutionaries
Deepen Desai, Contributor, Zscaler
Apr 8, 2024
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with executive insights on other cyber-related subjects. This month we released the Zscaler ThreatLabz 2024 AI Security Report, investigated Tweaks infostealer, analyzed Windows/Android RATs, and reviewed vulnerabilities in ConnectWise and XZ Utils.
## Zscaler ThreatLabz 2024 AI Security Report
ThreatLabz researchers
Huntress
Guide: How to Know if your ScreenConnect Server is Hacked | Huntress
blogs_huntress·CVSS 8.4
CVE-2024-1708 [HIGH] Guide: How to Know if your ScreenConnect Server is Hacked | Huntress
You’ve probably seen it by now, but there was a major ConnectWise ScreenConnect vulnerability (CVE-2024-1708 and CVE-2024-1709) – which we’re calling “SlashAndGrab” – that’s been shared across the cybersecurity community. Here’s what you need to know to keep yourself patched up.
The patched versions (23.9.8 or newer) are available from ConnectWise. Anything older should be patched immediately as it is considered vulnerable. Do NOT wait to deploy this update. ConnectWise has removed license restrictions, allowing partners no longer under maintenance to upgrade to the latest version.
## What Should You Watch Out For?
Work under the assumption that you’ve already been compromised. Even if you have already patched or you run other security solutions, no matter what version of ScreenConnect
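The version rule in the card above is the whole remediation check: anything below 23.9.8 is vulnerable, 23.9.8 or newer is patched. Getting it right across a fleet is mostly a matter of not comparing version strings as text (23.9.10 sorts before 23.9.8 lexically) and of ignoring the build number. The script below is an added example, not ConnectWise's or Huntress's code; the hostnames and version strings in `INVENTORY` are constructed sample data, and it assumes you already have a version string per server from the installer, the web UI or your RMM.

```python
"""
Triage a ScreenConnect server inventory against the advisory's fixed version.
Added example, not ConnectWise's or Huntress's code. Hostnames and version
strings below are constructed sample data.
"""
import re
from typing import List, Tuple

FIXED = (23, 9, 8)   # first on-prem release carrying the fix for CVE-2024-1709 / CVE-2024-1708

# Constructed inventory: (host, version as reported by the server or the installer).
INVENTORY: List[Tuple[str, str]] = [
    ("sc-prod.example.internal",   "23.9.7.8804"),
    ("sc-lab.example.internal",    "ScreenConnect 23.9.8.8811"),
    ("sc-legacy.example.internal", "22.6.10000.8373"),
    ("sc-new.example.internal",    "23.9.10.8817"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a dotted version out of a string and return it as integers,
    so that 23.9.10 sorts after 23.9.8 (a string compare would not)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(text: str) -> bool:
    """'All versions below 23.9.8' from the advisory: compare the release
    components only; the fourth component is a build number."""
    return parse_version(text)[:3] < FIXED


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that must be patched (or isolated) now, in inventory order."""
    return [host for host, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("VULNERABLE", host)
```

A server that reports a patched version is not thereby clean: the card's advice to assume compromise still applies to every host that was exposed before it was updated.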
Huntress
Top 3 Cybersecurity Threats of 2024 (So Far) | Huntress
blogs_huntress·CVSS 10.0
[CRITICAL] Top 3 Cybersecurity Threats of 2024 (So Far) | Huntress
Cybersecurity is always full of surprises, and 2024 has been no exception. We’re only in October, and we’ve seen some severe curveballs come our way. Hackers have gotten dirtier than ever this year, as evidenced by three major threats that have kept us all on our toes:
- RMM abuse
- BYOVD attacks
- WebDAV abuse
Let’s break down this trifecta together, shall we? After all, we’re all in this together, and with the right insights and strategies, we can embrace a proactive approach that allows our organizations not only to survive but also empowers us all to thrive.
## Threat #1: RMM Abuse
One of the most prevalent and dangerous threats we’ve seen in 2024 is the abuse of remote monitoring and management (RMM) tools. Since January, the number of RMM tools used in cybersecurity incidents has
Huntress
CVE-2024-1708 (ScreenConnect Zip Slip) Vulnerability: Analysis & Detection | Huntress
blogs_huntress·CVSS 8.4
CVE-2024-1708 [HIGH] CVE-2024-1708 (ScreenConnect Zip Slip) Vulnerability: Analysis & Detection | Huntress
CVE-2024-1708 Vulnerability
Published: 02/20/2026
Written by: Nadine Rozell
CVEs are Common Vulnerabilities and Exposures - unique identifiers assigned to publicly known cybersecurity vulnerabilities.
CVE-2024-1708 is a high-severity path traversal vulnerability in ConnectWise ScreenConnect (now ConnectWise Access). It is widely known as the second half of the devastating " SlashAndGrab " exploit chain.
While CVE-2024-1709 allows attackers to bypass authentication, CVE-2024-1708 is the mechanism that delivers the payload. It allows an attacker (or a compromised admin) to overwrite critical files on the server, leading to full Remote Code Execution (RCE).
This page breaks down the mechanics of this "Zip Slip" vulnerability, how it fueled massive ransomware campaigns, and how to ensure
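"Zip Slip" is the generic pattern the card above names: an archive entry whose name contains `../` segments gets joined onto the extraction directory and written wherever the climb lands. The following is an added example of that pattern and its fix, not ScreenConnect's code and not a reproduction of CVE-2024-1708; the archive contents, the `App_Data/evil.txt` target and the directory layout are constructed for the demonstration. The vulnerable extractor trusts entry names; the hardened one resolves every name against the destination before writing anything, so a single bad entry aborts the whole extraction rather than leaving a half-written tree.

```python
"""
Zip Slip: the weakness class behind CVE-2024-1708. Added example, not
ScreenConnect's code. An extractor that joins entry names onto the
destination unchecked, beside one that confines every entry before writing.
The archive and the 'App_Data/evil.txt' target are constructed sample data.
"""
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Union


def build_malicious_zip() -> bytes:
    """Constructed archive: one benign entry, one whose name climbs out of the target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/readme.txt", "benign content")
        zf.writestr("../../App_Data/evil.txt", "attacker-controlled content")
    return buf.getvalue()


def is_confined(dest: Union[str, Path], name: str) -> bool:
    """True if entry `name` resolves to `dest` itself or somewhere beneath it.
    Catches '../' climbs and absolute names ('/etc/x' makes pathlib discard dest).
    Symlinks already present under dest would need a separate check."""
    root = Path(dest).resolve()
    target = (root / name).resolve()
    return target == root or root in target.parents


def extract_unsafe(zip_bytes: bytes, dest: Path) -> List[Path]:
    """Vulnerable: trusts entry names; a '../' name is written outside `dest`."""
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / info.filename            # no check; '..' survives the join
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def extract_safe(zip_bytes: bytes, dest: Path) -> List[Path]:
    """Hardened: validate every entry first, then write; nothing is extracted
    if any entry would escape `dest`."""
    root = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        escaping = [i.filename for i in zf.infolist() if not is_confined(root, i.filename)]
        if escaping:
            raise ValueError(f"zip entries escape destination: {escaping}")
        written: List[Path] = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (root / info.filename).resolve()
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> Dict[str, object]:
    """Run both extractors in a scratch tree and report where the unsafe one wrote."""
    root = Path(tempfile.mkdtemp(prefix="zipslip-")).resolve()
    dest = root / "srv" / "sc" / "extensions"   # two levels deep so '../..' stays inside the scratch tree
    payload = build_malicious_zip()
    written = extract_unsafe(payload, dest)
    leaked = sorted(
        p.resolve().relative_to(root).as_posix()
        for p in written
        if dest.resolve() not in p.resolve().parents
    )
    safe_dest = root / "safe"
    blocked: Optional[str] = None
    try:
        extract_safe(payload, safe_dest)
    except ValueError as exc:
        blocked = str(exc)
    return {"leaked": leaked, "blocked": blocked, "safe_dir_exists": safe_dest.exists()}


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extract()` already strips `..` components, so the unsafe path here is written by hand to show the bug; the lesson carries to any language where extraction code does its own `join`.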
- https://github.com/rapid7/metasploit-framework/pull/18870
- https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc
- https://techcrunch.com/2024/02/21/researchers-warn-high-risk-connectwise-flaw-under-attack-is-embarrassingly-easy-to-exploit/
- https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.horizon3.ai/attack-research/red-team/connectwise-screenconnect-auth-bypass-deep-dive/
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
- https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
- https://www.huntress.com/blog/vulnerability-reproduced-immediately-patch-screenconnect-23-9-8
- https://www.securityweek.com/connectwise-confirms-screenconnect-flaw-under-active-exploitation/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1709
Published: 2024-02-21
Added to CISA KEV: 2024-02-22
Exploited in the wild