Intel Name: ScreenConnect user database modification – security
Date of Scan: January 9, 2025
Impact: Medium
Summary: The “ScreenConnect User Database Modification – Security” detection flags changes to the temporary XML user database file, which may indicate local user modifications on the ScreenConnect server. Such changes can occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions earlier than 23.9.8, but may also be seen during legitimate user or permission modifications. The detection depends on two prerequisites: an Advanced Auditing policy that logs successful Windows Event ID 4663 events, and a SACL set on the directory.
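
The two prerequisites named in the summary, followed by a review query, as an added PowerShell example that is not part of the original intel record or of any vendor rule. The directory path is a placeholder (the record does not name it), and the audited rights and the `.xml` filter are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Assumption: placeholder path. Point it at the directory that holds the
# ScreenConnect XML user database on your server; the record does not name it.
$AuditDir = 'C:\PLACEHOLDER\ScreenConnect-user-db-directory'

# 1. Advanced Audit Policy: log successful File System access (source of 4663).
#    "File System" is the English subcategory name; localized systems differ.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# 2. SACL: audit successful writes, deletes and permission changes by anyone
#    (S-1-1-0 = Everyone), inherited by files created in the directory.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $AuditDir -Audit      # -Audit loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditDir -AclObject $acl

# 3. Review: list 4663 events for .xml files under the audited directory.
$prefix = $AuditDir.TrimEnd('\') + '\'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the EventData name/value pairs into a hashtable.
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -like '*.xml' -and
            $data.ObjectName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = $data.SubjectUserName
                Process = $data.ProcessName
                File    = $data.ObjectName
                Access  = $data.AccessMask
            }
        }
    }
```

Because legitimate user or permission changes produce the same events, compare each hit against known administrative activity before treating it as suspicious.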