10 March 2026

RMM Tools as a Gateway: Security Checklist for ConnectWise, Kaseya, and Others


RMM tools (Remote Monitoring and Management) have privileged access to all managed endpoints by design. This very feature makes them the preferred gateway for attackers. CrowdStrike’s 2024 Threat Hunting Report documents that RMM abuse grew by 70 percent year-over-year, accounting for 27 percent of all hands-on-keyboard intrusions. A compromised RMM server doesn’t mean one compromised customer – it means all customers at once.

TL;DR

  • 🔒 RMM abuse surged by 70 percent. 27 percent of all hands-on-keyboard intrusions occur via RMM tools (CrowdStrike 2024).
  • ⚠️ Kaseya VSA 2021: A zero-day vulnerability compromised 60 MSPs, affecting up to 1,500 companies, with a ransom demand of 70 million Euro.
  • 🛡️ ConnectWise ScreenConnect CVE-2024-1709: CVSS 10.0, authentication bypass, trivially exploitable.
  • 📊 59.4 percent of all ransomware incidents stem from external remote access/RMM tools (Arctic Wolf 2025).
  • 🔧 CISA (Cybersecurity and Infrastructure Security Agency) and NSA (National Security Agency) recommend: Enforce MFA, network segmentation, allowlisting, and log all RMM sessions.

Why Attackers Love RMM Tools

RMM software is built for legitimate IT operations: deploying updates, monitoring systems, and resolving issues remotely. As a result, the RMM agent has admin rights on every managed endpoint by design, network access to all clients, and the ability to execute code. For an attacker, this is the perfect backdoor – already installed.

The second advantage: Legitimate software is far less likely to be flagged as malicious by security tools. When AnyDesk or ConnectWise ScreenConnect runs on a system, no EDR (Endpoint Detection and Response) raises an alarm. This is called “living off the land.” In January 2023, CISA, NSA, and MS-ISAC (Multi-State Information Sharing and Analysis Center) issued a joint advisory describing how attackers deliberately use RMM software for persistence and command-and-control without installing malware.

Sophos confirms: AnyDesk and PsExec appeared in more incidents than Cobalt Strike. At least 17 ransomware groups have been observed using AnyDesk, including REvil, Black Basta, and LockBit.

Key figures: RMM abuse +70 % (CrowdStrike); 27 % of all intrusions via RMM; 59.4 % of ransomware incidents via remote access.
Sources: CrowdStrike Threat Hunting Report 2024, Arctic Wolf 2025

Three Incidents That Illustrate the Risk

Kaseya VSA (July 2021). The REvil group exploited a zero-day vulnerability in Kaseya VSA, a widely used RMM platform for managed service providers (MSPs). Since VSA runs directly on the endpoints of all MSP customers, the attack had an immediate supply-chain impact: fewer than 60 MSPs were directly affected, but up to 1,500 downstream companies were compromised. The Swedish supermarket chain Coop had to close all 800 stores for nearly a week. REvil demanded 70 million Euro for a universal decryptor.

ConnectWise ScreenConnect (February 2024). CVE-2024-1709 received the maximum CVSS score of 10.0. The vulnerability was an authentication bypass: a simple HTTP request to the setup page allowed attackers to overwrite all existing admin accounts and gain remote code execution. Proof-of-concept and Metasploit modules were available immediately. All versions below 23.9.8 were affected.

SimpleHelp (2025). CISA is currently warning about ongoing exploitation of SimpleHelp vulnerabilities (CVE-2024-57727, path traversal) by ransomware actors. This shows: The risk isn’t historical – it’s acute.

“Attackers deliberately use RMM software for persistence and command-and-control without installing malware. Security tools are significantly less likely to detect legitimate software as malicious.”
CISA/NSA/MS-ISAC Joint Advisory AA23-025A, January 2023

Security Checklist for RMM Tools

The following measures are based on the CISA Guide to Securing Remote Access Software and the Joint Advisory AA23-025A.

1. Enforce MFA on every RMM account. Not just for admin access, but for any account that can control RMM sessions – including customer-facing services. Passkeys/FIDO2 where possible.

2. Network segmentation. Isolate RMM management interfaces behind a VPN or in a dedicated admin network. The RMM server must not be accessible from the internet. Implement a zero-trust architecture.

3. Allowlisting instead of blocklisting. Restrict RMM communication to known IP pairs. Only permit approved RMM programs on the network. Any unauthorized RMM tool is a potential attack vector.

4. Log and monitor all RMM sessions. Immediately flag unusual connection times, connections from unknown IP addresses, and unusual session durations. Huntress frequently finds “forgotten” RMM instances in customer networks.

5. Maintain and reduce RMM inventory. Inventory all installed RMM tools. Uninstall unused tools immediately. Huntress reports a 214 percent increase in RMM-related incidents since January 2024. Every unnecessary tool is an attack surface.

6. Vendor security assessment. Regularly evaluate RMM providers: patch frequency, incident response processes, and security certifications. After ConnectWise (CVSS 10.0) and SimpleHelp, supplier assessments are no longer optional.

Key figure: CVSS 10.0 for ConnectWise ScreenConnect CVE-2024-1709 (maximum severity, trivially exploitable). Source: NVD, Unit 42, Huntress

Conclusion: The Biggest Risk Is the Tool Already Running

RMM tools aren’t an optional risk. They’re already running on endpoints. They already have admin rights. They’re already in the network. The question isn’t whether to secure RMM, but how quickly. CrowdStrike shows: More than a quarter of all hands-on attacks already use RMM tools as an entry point. Arctic Wolf documents: 59.4 percent of all ransomware incidents originate from external remote access. The CISA checklist above is the starting point. Today.

Frequently Asked Questions

Which RMM tools have been abused in attacks?

Documented cases include: ConnectWise ScreenConnect, Kaseya VSA, AnyDesk, TeamViewer, SimpleHelp, NinjaOne, and Datto RMM. At least 17 ransomware groups deliberately use AnyDesk. ConnectWise had a vulnerability with a CVSS score of 10.0 in 2024.

How can I detect RMM abuse in my network?

Inventory all installed RMM tools (including unauthorized ones). Monitor RMM sessions for unusual times, source IPs, and durations. Set up EDR rules to flag RMM processes starting outside business hours. CISA explicitly recommends allowlisting for RMM communication.
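The checks named above and in checklist items 3 to 5 (unapproved tools, unknown source addresses, off-hours sessions, unusual durations) can be run as a single review pass over an exported RMM session log. The script below is an added example, not code from the article or from any RMM vendor; it assumes a constructed CSV export format (start, end, tool, source IP, endpoint, user), a constructed allowlist of approved products and operator source networks, and a constructed business-hours window. Real products export audit logs in their own formats, so the parser is the part a practitioner would adapt.

```python
"""Review RMM session logs for the anomalies a defender should flag.

Added example (not from the article). The log format, the allowlist and the
business-hours window are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed allowlist: approved RMM products (item 5, inventory) and the
# source networks their operators are allowed to connect from (item 3,
# allowlisting by known IP pairs).
APPROVED_TOOLS = {"ScreenConnect", "Kaseya VSA"}
ALLOWED_SOURCES = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]
# Constructed policy: sessions are expected 07:00-19:00, Monday to Friday,
# and should not run longer than two hours.
BUSINESS_HOURS = (7, 19)
MAX_SESSION_MINUTES = 120


@dataclass
class Session:
    start: datetime
    end: datetime
    tool: str
    source_ip: str
    endpoint: str
    user: str


def parse_line(line: str) -> Session:
    """Parse one constructed CSV line: start_iso,end_iso,tool,source_ip,endpoint,user."""
    start, end, tool, src, host, user = [f.strip() for f in line.split(",")]
    return Session(datetime.fromisoformat(start), datetime.fromisoformat(end),
                   tool, src, host, user)


def findings(s: Session) -> list:
    """Return the list of policy violations for a single session (empty if clean)."""
    out = []
    if s.tool not in APPROVED_TOOLS:
        out.append("unapproved-tool")          # item 5: tool not in inventory
    if not any(ip_address(s.source_ip) in net for net in ALLOWED_SOURCES):
        out.append("unknown-source")           # item 3: source not allowlisted
    off_day = s.start.weekday() >= 5           # Saturday or Sunday
    off_time = not (BUSINESS_HOURS[0] <= s.start.hour < BUSINESS_HOURS[1])
    if off_day or off_time:
        out.append("off-hours")                # item 4: unusual connection time
    if s.end - s.start > timedelta(minutes=MAX_SESSION_MINUTES):
        out.append("long-session")             # item 4: unusual duration
    return out


def review(lines) -> dict:
    """Map (endpoint, session start) to its findings, keeping only flagged sessions."""
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        s = parse_line(line)
        f = findings(s)
        if f:
            flagged[(s.endpoint, s.start.isoformat())] = f
    return flagged


# Constructed sample export: one clean session and three that violate policy.
SAMPLE_LOG = """\
2026-03-02T09:15:00,2026-03-02T09:40:00,ScreenConnect,10.20.4.17,WS-0142,helpdesk.jsmith
2026-03-03T02:47:00,2026-03-03T03:05:00,ScreenConnect,198.51.100.23,FS-01,admin
2026-03-04T11:00:00,2026-03-04T16:30:00,AnyDesk,10.20.4.19,WS-0099,support
2026-03-07T10:10:00,2026-03-07T10:25:00,Kaseya VSA,203.0.113.8,DC-02,msp.ops
"""

if __name__ == "__main__":
    for key, flags in review(SAMPLE_LOG.splitlines()).items():
        print(key, ", ".join(flags))
```

In the sample, the ScreenConnect session at 02:47 from an address outside the allowlist is the case item 4 is after, the AnyDesk session is a tool missing from the inventory (item 5) that also ran for over five hours, and the Saturday Kaseya session is flagged purely on time. The thresholds are deliberately simple; the value is in running the pass against every exported session rather than in the exact numbers.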

Should we eliminate RMM tools?

No. RMM is indispensable for IT operations. But it must be hardened: MFA, network segmentation, logging, and vendor assessments. An unsecured RMM tool is more dangerous than no RMM tool at all.

How does the Kaseya incident differ from a typical ransomware attack?

The supply-chain multiplier. Kaseya VSA runs as an agent on the endpoints of all MSP customers. A single compromised server didn’t affect one customer – it impacted up to 1,500 downstream companies simultaneously. This is the structural risk of any centralized management platform.


Header Image Source: Pexels / Brett Sayles

Benedikt Langer



A magazine by Evernine Media GmbH