ConnectWise ScreenConnect Hit by Critical Authentication Bypass Flaw (CVE-2026-1014), Active Exploitation Confirmed

Executive Summary

On February 9, 2026, ConnectWise released a security patch for its ScreenConnect remote access software, addressing two severe vulnerabilities. The most critical of these, CVE-2026-1014, is an authentication bypass with a CVSS score of 10.0, allowing attackers to create administrative accounts on unpatched servers. It can be chained with a second flaw, CVE-2026-1219, a path traversal vulnerability (CVSS 8.4), to achieve unauthenticated remote code execution (RCE).

Security firms, including Huntress, have confirmed active, in-the-wild exploitation of these vulnerabilities. Threat actors are leveraging the flaws to compromise servers, deploy malicious payloads, and establish persistence. Due to the widespread use of ScreenConnect by Managed Service Providers (MSPs), this vulnerability poses a significant supply chain risk, potentially giving attackers access to thousands of downstream customer networks. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1014 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate remediation for federal agencies. All organizations using on-premise ScreenConnect versions 23.9.7 and older are urged to upgrade to version 23.9.8 or newer immediately or take their servers offline.

Vulnerability Details

The attack leverages a chain of two distinct vulnerabilities to achieve full system compromise.

CVE-2026-1014: Authentication Bypass (CVSS 10.0)

This critical vulnerability resides in the setup process of the ScreenConnect application. An attacker can bypass authentication checks by accessing a specific setup wizard URL (/SetupWizard.aspx) on an already-configured instance. This flaw allows the attacker to create a new user with full administrative privileges, effectively gaining complete control over the ScreenConnect server.

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• CVSS Score: 10.0 (Critical)

CVE-2026-1219: Path Traversal (CVSS 8.4)

This high-severity vulnerability allows an authenticated user to upload files to arbitrary locations on the server's filesystem. After gaining administrative access via CVE-2026-1014, an attacker can exploit this path traversal flaw to upload a malicious payload, such as a web shell or a malware dropper, into a web-accessible directory.

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: High (but obtained via CVE-2026-1014)
• User Interaction: None
• CVSS Score: 8.4 (High)

Attack Chain

1. The attacker identifies a vulnerable, internet-facing ScreenConnect server.
2. The attacker sends a crafted request to the /SetupWizard.aspx endpoint to exploit T1190 - Exploit Public-Facing Application (CVE-2026-1014).
3. The exploit creates a new administrative user account, giving the attacker T1078 - Valid Accounts.
4. The attacker logs in with the newly created account and uses the path traversal vulnerability (CVE-2026-1219) to upload a malicious file (e.g., malicious.aspx).
5. The file is typically placed in the App_Extensions/ directory, making it a persistent T1505.003 - Web Shell.
6. The attacker accesses the uploaded web shell via a browser to execute arbitrary commands on the server, achieving RCE.

Affected Systems

• Product: ConnectWise ScreenConnect
• Affected Versions: 23.9.7 and all prior versions.
• Deployment: On-premise servers are directly at risk. ConnectWise has stated that cloud instances hosted at screenconnect.com or hostedrmm.com have already been patched.

Exploitation Status

As of February 10, 2026, active exploitation is widespread. Security researchers at Huntress and other firms have observed threat actors scanning for and compromising vulnerable servers. CISA's inclusion of CVE-2026-1014 in the KEV catalog on February 10th confirms its status as an actively exploited threat. The ease of exploitation (low complexity, no user interaction) makes it a prime target for opportunistic and sophisticated attackers alike.

Impact Assessment

The impact of a successful exploit is severe. Attackers gain full administrative control over the ScreenConnect server, which can lead to:

• Complete System Compromise: Full remote code execution capabilities on the host server.
• Supply Chain Attack: Since MSPs use ScreenConnect to manage customer endpoints, a compromised server becomes a launchpad for attacks against all connected clients. This could involve deploying ransomware, spyware, or other malware across entire fleets of managed devices.
• Data Exfiltration: Attackers can access and exfiltrate sensitive data from the compromised server and potentially from connected endpoints.
• Persistence: The ability to create admin accounts and drop web shells allows for long-term, stealthy persistence within the network.

Given the function of ScreenConnect as a privileged remote access tool, these vulnerabilities represent a worst-case scenario for many organizations, particularly MSPs.

IOCs

While specific attacker IPs and hashes are dynamic, the following indicators are consistent with exploitation activity.

Cyber Observables for Detection

Security teams should hunt for the following activity patterns:

Detection & Response

• Log Analysis: Immediately review web server logs for any access to /SetupWizard.aspx. Any successful access (HTTP 200) should be treated as a compromise.
• User Account Review: Audit all user accounts within the ScreenConnect administrator portal. Investigate any recently created accounts that cannot be verified.
• File System Monitoring: Scan the C:\Program Files (x86)\ScreenConnect\App_Extensions\ directory for any suspicious or recently added files. A legitimate extension will be in a folder with a corresponding manifest file. A standalone .aspx file is highly suspicious. Reference D3FEND File Analysis techniques.
• Process Monitoring: Use an EDR solution to hunt for suspicious process chains originating from ScreenConnect.Service.exe. Baseline normal behavior and alert on deviations. Reference D3FEND Process Analysis.
• Network Traffic Analysis: Monitor for unusual outbound connections from the ScreenConnect server, which could indicate C2 communication or data exfiltration. Reference D3FEND Network Traffic Analysis.

If a compromise is suspected, isolate the server from the network immediately and begin incident response procedures.

Mitigation

• Patch Immediately: The primary mitigation is to upgrade all on-premise ScreenConnect instances to version 23.9.8 or later. This is the most critical action. This aligns with D3FEND Software Update.
• Take Systems Offline: If patching cannot be performed immediately, shut down the ScreenConnect server or use a firewall to block all inbound traffic to it until it can be patched.
• Restrict Access: As a compensating control, restrict access to the ScreenConnect web interface to only trusted IP addresses. While this reduces the attack surface, it does not eliminate the vulnerability and should not be considered a substitute for patching. This aligns with D3FEND Inbound Traffic Filtering.
• Assume Compromise: For any unpatched servers that were exposed to the internet, it is prudent to assume compromise. Conduct a thorough investigation for unauthorized user accounts, suspicious files, and anomalous network activity.
• Harden Configurations: Ensure that the ScreenConnect server is deployed according to security best practices, with minimal necessary services exposed to the internet. This aligns with D3FEND Application Configuration Hardening.