Patch Now: Critical ScreenConnect Auth Bypass (CVSS 10.0) Under Active Attack

ConnectWise ScreenConnect Hit by Critical Authentication Bypass Flaw (CVE-2026-1014), Active Exploitation Confirmed

CRITICAL
February 10, 2026
6m read
VulnerabilityCyberattackPatch Management

Related Entities

Products & Tech

ScreenConnect

CVE Identifiers

CVE-2026-1014
CRITICAL
CVSS:10
CVEDetails.com CVE.org
CVE-2026-1219
HIGH
CVSS:8.4
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1133Initial Access

External Remote Services

T1078Defense Evasion

Valid Accounts

T1505.003Persistence

Web Shell

T1059.001Execution

PowerShell

T1059.003Execution

Windows Command Shell

Full Report

Executive Summary

On February 9, 2026, ConnectWise released a security patch for its ScreenConnect remote access software, addressing two severe vulnerabilities. The most critical of these, CVE-2026-1014, is an authentication bypass with a CVSS score of 10.0, allowing attackers to create administrative accounts on unpatched servers. It can be chained with a second flaw, CVE-2026-1219, a path traversal vulnerability (CVSS 8.4), to achieve unauthenticated remote code execution (RCE).

Security firms, including Huntress, have confirmed active, in-the-wild exploitation of these vulnerabilities. Threat actors are leveraging the flaws to compromise servers, deploy malicious payloads, and establish persistence. Due to the widespread use of ScreenConnect by Managed Service Providers (MSPs), this vulnerability poses a significant supply chain risk, potentially giving attackers access to thousands of downstream customer networks. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1014 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate remediation for federal agencies. All organizations using on-premise ScreenConnect versions 23.9.7 and older are urged to upgrade to version 23.9.8 or newer immediately or take their servers offline.

Vulnerability Details

The attack leverages a chain of two distinct vulnerabilities to achieve full system compromise.

CVE-2026-1014: Authentication Bypass (CVSS 10.0)

This critical vulnerability resides in the setup process of the ScreenConnect application. An attacker can bypass authentication checks by accessing a specific setup wizard URL (/SetupWizard.aspx) on an already-configured instance. This flaw allows the attacker to create a new user with full administrative privileges, effectively gaining complete control over the ScreenConnect server.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • CVSS Score: 10.0 (Critical)

CVE-2026-1219: Path Traversal (CVSS 8.4)

This high-severity vulnerability allows an authenticated user to upload files to arbitrary locations on the server's filesystem. After gaining administrative access via CVE-2026-1014, an attacker can exploit this path traversal flaw to upload a malicious payload, such as a web shell or a malware dropper, into a web-accessible directory.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High (but obtained via CVE-2026-1014)
  • User Interaction: None
  • CVSS Score: 8.4 (High)

Attack Chain

  1. The attacker identifies a vulnerable, internet-facing ScreenConnect server.
  2. The attacker sends a crafted request to the /SetupWizard.aspx endpoint to exploit T1190 - Exploit Public-Facing Application (CVE-2026-1014).
  3. The exploit creates a new administrative user account, giving the attacker T1078 - Valid Accounts.
  4. The attacker logs in with the newly created account and uses the path traversal vulnerability (CVE-2026-1219) to upload a malicious file (e.g., malicious.aspx).
  5. The file is typically placed in the App_Extensions/ directory, making it a persistent T1505.003 - Web Shell.
  6. The attacker accesses the uploaded web shell via a browser to execute arbitrary commands on the server, achieving RCE.

Affected Systems

  • Product: ConnectWise ScreenConnect
  • Affected Versions: 23.9.7 and all prior versions.
  • Deployment: On-premise servers are directly at risk. ConnectWise has stated that cloud instances hosted at screenconnect.com or hostedrmm.com have already been patched.

Exploitation Status

As of February 10, 2026, active exploitation is widespread. Security researchers at Huntress and other firms have observed threat actors scanning for and compromising vulnerable servers. CISA's inclusion of CVE-2026-1014 in the KEV catalog on February 10th confirms its status as an actively exploited threat. The ease of exploitation (low complexity, no user interaction) makes it a prime target for opportunistic and sophisticated attackers alike.

Impact Assessment

The impact of a successful exploit is severe. Attackers gain full administrative control over the ScreenConnect server, which can lead to:

  • Complete System Compromise: Full remote code execution capabilities on the host server.
  • Supply Chain Attack: Since MSPs use ScreenConnect to manage customer endpoints, a compromised server becomes a launchpad for attacks against all connected clients. This could involve deploying ransomware, spyware, or other malware across entire fleets of managed devices.
  • Data Exfiltration: Attackers can access and exfiltrate sensitive data from the compromised server and potentially from connected endpoints.
  • Persistence: The ability to create admin accounts and drop web shells allows for long-term, stealthy persistence within the network.

Given the function of ScreenConnect as a privileged remote access tool, these vulnerabilities represent a worst-case scenario for many organizations, particularly MSPs.

IOCs

While specific attacker IPs and hashes are dynamic, the following indicators are consistent with exploitation activity.

Type Value Description
File Path C:\Program Files (x86)\ScreenConnect\App_Extensions\[Random_GUID]\ The directory where attackers are observed dropping malicious payloads (web shells) via CVE-2026-1219. The GUID is unique per extension.

Cyber Observables for Detection

Security teams should hunt for the following activity patterns:

Type Value Description Context Confidence
url_pattern /SetupWizard.aspx An HTTP GET or POST request to this endpoint on a production server is a strong indicator of an exploitation attempt for CVE-2026-1014. Web server access logs, WAF logs, network traffic analysis. high
file_path C:\Program Files (x86)\ScreenConnect\App_Extensions\ Monitor this directory for the creation of new files, especially .aspx, .ashx, .dll, or .exe files. File Integrity Monitoring (FIM), EDR file creation events. high
process_name ScreenConnect.Service.exe Monitor this process for spawning anomalous child processes, such as cmd.exe, powershell.exe, or certutil.exe. EDR telemetry, Windows Security Event Log ID 4688. medium
log_source ScreenConnect Web Server Logs The primary source for detecting exploitation attempts against the web interface. Look for 200 OK responses to /SetupWizard.aspx. SIEM, Log Management Platform. high
command_line_pattern powershell.exe -e Base64-encoded PowerShell commands spawned by the ScreenConnect service are a common post-exploitation technique. EDR telemetry, PowerShell script block logging (Event ID 4104). medium

Detection & Response

  • Log Analysis: Immediately review web server logs for any access to /SetupWizard.aspx. Any successful access (HTTP 200) should be treated as a compromise.
  • User Account Review: Audit all user accounts within the ScreenConnect administrator portal. Investigate any recently created accounts that cannot be verified.
  • File System Monitoring: Scan the C:\Program Files (x86)\ScreenConnect\App_Extensions\ directory for any suspicious or recently added files. A legitimate extension will be in a folder with a corresponding manifest file. A standalone .aspx file is highly suspicious. Reference D3FEND File Analysis techniques.
  • Process Monitoring: Use an EDR solution to hunt for suspicious process chains originating from ScreenConnect.Service.exe. Baseline normal behavior and alert on deviations. Reference D3FEND Process Analysis.
  • Network Traffic Analysis: Monitor for unusual outbound connections from the ScreenConnect server, which could indicate C2 communication or data exfiltration. Reference D3FEND Network Traffic Analysis.

If a compromise is suspected, isolate the server from the network immediately and begin incident response procedures.

Mitigation

  • Patch Immediately: The primary mitigation is to upgrade all on-premise ScreenConnect instances to version 23.9.8 or later. This is the most critical action. This aligns with D3FEND Software Update.
  • Take Systems Offline: If patching cannot be performed immediately, shut down the ScreenConnect server or use a firewall to block all inbound traffic to it until it can be patched.
  • Restrict Access: As a compensating control, restrict access to the ScreenConnect web interface to only trusted IP addresses. While this reduces the attack surface, it does not eliminate the vulnerability and should not be considered a substitute for patching. This aligns with D3FEND Inbound Traffic Filtering.
  • Assume Compromise: For any unpatched servers that were exposed to the internet, it is prudent to assume compromise. Conduct a thorough investigation for unauthorized user accounts, suspicious files, and anomalous network activity.
  • Harden Configurations: Ensure that the ScreenConnect server is deployed according to security best practices, with minimal necessary services exposed to the internet. This aligns with D3FEND Application Configuration Hardening.

Timeline of Events

1
February 9, 2026
ConnectWise releases ScreenConnect version 23.9.8 to patch CVE-2026-1014 and CVE-2026-1219.
2
February 10, 2026
CISA adds CVE-2026-1014 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
3
February 10, 2026
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The primary and most effective mitigation is to apply the security patch provided by ConnectWise immediately.

Mapped D3FEND Techniques:

D3-SU

Filter Network Traffic

M1037enterprise

Restrict network access to the ScreenConnect web interface to only trusted IP addresses as a temporary compensating control.

Mapped D3FEND Techniques:

D3-NI

Limit Access to Resource Over Network

M1035enterprise

If the server cannot be patched, isolate it from the internet entirely by blocking all inbound traffic at the network perimeter.

Mapped D3FEND Techniques:

D3-NI

Behavior Prevention on Endpoint

M1040enterprise

Use EDR or similar tools to monitor for anomalous behavior originating from the ScreenConnect process, such as spawning command shells.

Mapped D3FEND Techniques:

D3-RAPA

Audit

M1047enterprise

Regularly audit web server logs, file systems, and user accounts for signs of compromise.

Mapped D3FEND Techniques:

D3-SFAD3-LAM

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The most critical and effective defense is to immediately apply the security patch from ConnectWise. All on-premise ScreenConnect instances must be upgraded to version 23.9.8 or a later version. This action directly remediates both the CVE-2026-1014 authentication bypass and the CVE-2026-1219 path traversal vulnerabilities, closing the attack vector entirely. Prioritize internet-facing servers for this update. Create a snapshot or backup of the server before applying the update as a rollback precaution. After patching, verify the version number in the ScreenConnect web interface to confirm the update was successful. Do not consider any other mitigation a permanent substitute for patching. This is a time-sensitive action, as automated exploitation is widespread.

Inbound Traffic Filtering

D3-ITFMaps to MITREM1037
D3FEND

As a temporary, compensating control until patching can be completed, implement strict inbound traffic filtering at your network perimeter firewall. Create rules that only allow access to the ScreenConnect web interface (typically TCP port 8040 and/or 443) from known, trusted IP addresses, such as corporate VPN gateways or specific administrative subnets. Deny all other inbound traffic to this service from the internet. This drastically reduces the attack surface by preventing unknown external attackers from reaching the vulnerable endpoint. While this is a valuable short-term measure, it is not foolproof, as an attacker could potentially compromise a trusted source. This should only be used to buy time for patching, not as a long-term solution.

Process Analysis

D3-PAMaps to MITREM1049
D3FEND

For detection and hunting, deploy and configure an Endpoint Detection and Response (EDR) solution to monitor process lineage on the ScreenConnect server. Specifically, create detection rules that alert on the ScreenConnect.Service.exe process spawning suspicious child processes. Normal operation should not involve this service launching cmd.exe, powershell.exe, certutil.exe, or other living-off-the-land binaries. Establishing a baseline of normal process activity for the ScreenConnect service is key. An alert on an anomalous child process is a high-confidence indicator of post-exploitation activity and should trigger an immediate incident response investigation. Ensure process creation logging (Windows Event ID 4688) is enabled and forwarded to a SIEM for analysis.

File Analysis

D3-FAMaps to MITREM1021
D3FEND

Implement File Integrity Monitoring (FIM) on the ScreenConnect server, focusing on the application's installation directories. The primary target for monitoring is the C:\Program Files (x86)\ScreenConnect\App_Extensions\ directory. Attackers are known to drop web shells and other payloads in this location by exploiting CVE-2026-1219. Configure FIM or an EDR tool to generate high-priority alerts for any new file creation events within this directory, particularly for file types like .aspx, .ashx, .dll, and .exe. A newly created file in this directory that is not part of a legitimate, vendor-signed extension installation should be treated as a high-confidence indicator of compromise. Immediately quarantine the file and the server for forensic analysis.

Sources & References

ConnectWise urges admins to patch critical ScreenConnect RCE flaw
BleepingComputer (bleepingcomputer.com) February 9, 2026
Critical ScreenConnect Vulnerability Under Active Attack, CISA Warns
The Hacker News (thehackernews.com) February 10, 2026
A Critical Vulnerability in ConnectWise ScreenConnect (23.9.8)
Huntress (huntress.com) February 9, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

ScreenConnectConnectWiseAuthentication BypassPath TraversalRCECVE-2026-1014CVE-2026-1219MSPRemote AccessKEV

📢 Share This Article

Help others stay informed about cybersecurity threats