
ConnectWise ScreenConnect CVE-2024-1709 Auth Bypass — Mass Exploitation by Multiple Threat Actors

Date: 2024-02-19
Vendor / Product: ConnectWise ScreenConnect (remote access / remote desktop tool for MSPs)
Malware Family: LockBit ransomware, Bl00dy ransomware, various RATs and backdoors deployed by multiple threat actors
CVE / GHSA References: CVE-2024-1709, CVE-2024-1708

Incident Details

On 19 February 2024, ConnectWise disclosed two critical vulnerabilities in ScreenConnect, an on-premises remote access tool used by managed service providers (MSPs) and IT teams globally. CVE-2024-1709 (CVSS 10.0) was an authentication bypass that allowed unauthenticated attackers to create admin accounts on ScreenConnect servers; CVE-2024-1708 was a path traversal that enabled code execution. ConnectWise released patches and published an advisory simultaneously. Cloud-hosted ConnectWise ScreenConnect instances were automatically patched, but on-premises deployments required manual updates.

Within hours, multiple threat actors, including ransomware groups, began mass exploitation of on-premises ScreenConnect servers that had not yet been patched. Huntress researchers estimated that over 1,600 internet-exposed ScreenConnect servers were exploitable at the time of disclosure. CISA published Advisory AA24-057A on 27 February urging immediate patching.

The exploitation was particularly severe because MSPs use ScreenConnect to manage thousands of client endpoints: a single compromised ScreenConnect server could give attackers access to all of that MSP's clients simultaneously. Confirmed exploitation included LockBit ransomware affiliates deploying ransomware through compromised ScreenConnect instances, the Bl00dy ransomware group targeting the education sector, and multiple nation-state-adjacent actors. The vulnerabilities were used to deploy remote access trojans, conduct credential theft, and deliver ransomware across numerous victim organisations. In terms of MSP supply chain risk, the incident was comparable to the 2021 Kaseya VSA attack.

Technical Details

Initial Attack Vector
Authentication bypass vulnerability (CVE-2024-1709, CVSS 10.0) in ConnectWise ScreenConnect, a widely used remote desktop and access tool for managed service providers (MSPs). It allowed unauthenticated remote attackers to bypass authentication and create new administrator accounts, leading to complete system compromise. A second vulnerability, a path traversal (CVE-2024-1708), also existed. Multiple ransomware groups and nation-state actors exploited the vulnerabilities within hours of disclosure.
Vendor / Product
ConnectWise ScreenConnect (remote access / remote desktop tool for MSPs)
Software Package
ScreenConnect
Malware Family
LockBit ransomware, Bl00dy ransomware, various RATs and backdoors deployed by multiple threat actors
CVE / GHSA References
CVE-2024-1709, CVE-2024-1708
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2024-02-19 Breach occurred
  2. 2024-02-19 Publicly disclosed
  3. 2024-02-19 Customers notified