This vulnerability allows an attacker to bypass the string comparison of the request path and access the setup wizard ("/SetupWizard.aspx") even on already-configured ScreenConnect instances. By exploiting this vulnerability and gaining access to the setup wizard, an attacker can create an administrative user and upload a malicious ScreenConnect extension to achieve remote code execution (RCE) on the ScreenConnect server. The vulnerable version of the ScreenConnect program is version 23.9.7 and earlier.
CVE Link
Exploit Platform
Exploit Type
Product Name