ConnectWise ScreenConnect is a popular remote access software used by many organizations globally.

ConnectWise ScreenConnect 23.9.7 and prior versions are impacted by the following 2 vulnerabilities with CVSS base scores of 8.4 HIGH and 10.0 CRITICALrespectively.

Is ArcSight portfolio impacted?

No. This software is not being used by ArcSight portfolio. As part of our ongoing efforts to provide comprehensive cyber resilience for ArcSight customers to detect these and similar global cyber threats, we are publishing this detection analytics package.

How can ConnectWise ScreenConnect customers mitigate this risk?

For more details, please visit the relevant page on ConnectWise’s website:

Why is this Important and Urgent?

The reasons outlined below contribute to the criticality and urgency of this global topic:

  • There appears to be thousands of instances of ConnectWise ScreenConnect exposed to the public internet.
  • ConnectWise confirms ScreenConnect flaw under active exploitation.
  • Security experts describe exploitation of CVE-2024-1709 as “trivial and embarrassingly easy.”
  • This attack further enables Threat Actors to deliver a variety of different payloads into business environments.

Detailed Technical Description of the Vulnerabilities:

Recently, two critical security issues have emerged, shaking the foundations of ScreenConnect servers. Assigned the identifiers CVE-2024-1708 and CVE-2024-1709, these vulnerabilities have been assessed by the vendor as an authentication bypass of maximum severity and a path traversal flaw with high severity, affecting ScreenConnect servers version 23.9.7 and earlier.

CVE-2024-1708: ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

CVE-2024-1709: ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.

Detection and Monitoring of this threat:

ArcSight analytics package will use a combination of the following to detect the exploitation attempts.

1) We will use the following IP addresses, which were used by threat actors to exploit these vulnerabilities:


2) Furthermore, we will use CVE numbers to understand the existence of these vulnerabilities in the customers’ environments.

We will keep on updating this page with more information and further detection techniques.

To install this package on ArcSight ESM:
The zip file contains three files: package arb file, the signature of arb file and readme.

OpenText provides a digital public key to enable you to verify that the signed software is indeed from Open Text and has not been manipulated in any way by a third party. Visit the following site for information and instructions:

Perform the following steps in the ArcSight Console:
1. Go to the ArcSight Console.
2. Click on Packages
3. Click Import
4. Select arb from the zip file
5. Follow the prompt to import and install this package

To uninstall this package on ArcSight ESM:

Perform the following steps in the ArcSight Console:
1. Go to the ArcSight Console.
2. Select the Package
3. Right-Click on the package and select uninstall.
4. Follow the prompts and uninstall the package.

Rules Special Configurations and Requirements
Please make sure that rules are enabled

Rules Included:
Critical ConnectWise ScreenConnect Vulnerability Detected
Possible Exploit of ConnectWise ScreenConnect Vulnerability

Minimum Requirements

System Requirements
ArcSight ESM 7.2 or above

Suggested apps

Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.


ScreenConnect Critical Bug Detection 1.0
4.6 KB
Feb 23, 2024
More info Less info
Product compatibility
Version 7.2 · 7.3 · 7.4 · 7.5 · 7.6 · 7.7 · 7.8
Release notes

This release contains a package containining resources to monitor ConnectWise ScreenConnect Vulnerability (CVE-2024-1709 - Authentication Bypass, CVE-2024-1708 - Path Traversal).


Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.

Marketplace Terms of Service

In order to continue, you must accept the updated Marketplace Terms of Service
Since you are downloading an app from the OpenText Marketplace, you need to accept the updated Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service" box below and click accept to continue your download.

Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2024-4-1-6117 | Wed Apr 10 01:16:06 PDT 2024