CISA warns that ConnectWise ScreenConnect flaw is now exploited in attacks
CISA has added CVE-2024-1708, a ConnectWise ScreenConnect path traversal vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The warning matters because ScreenConnect is a remote access tool, and compromised instances can give attackers a direct route into business networks.
The agency added the flaw to the KEV catalog on April 28, 2026. Federal Civilian Executive Branch agencies must apply mitigations by May 12, 2026, but private companies should treat that date as a practical deadline too.
CVE-2024-1708 affects ScreenConnect 23.9.7 and earlier. ConnectWise fixed the issue in February 2024, with version 23.9.8 listed as the minimum release that remediated the reported vulnerabilities.
At a glance
| Item | Details |
|---|---|
| Vulnerability | CVE-2024-1708 |
| Product | ConnectWise ScreenConnect |
| Flaw type | Path traversal, CWE-22 |
| Severity | High, CVSS 8.4 |
| Affected versions | ScreenConnect 23.9.7 and earlier |
| Minimum patched version | ScreenConnect 23.9.8 |
| CISA deadline | May 12, 2026 |
Why this ScreenConnect flaw is serious
ScreenConnect is widely used by IT teams and managed service providers to access systems remotely. That makes it useful for legitimate administration, but it also makes exposed and unpatched servers valuable targets for attackers.
A path traversal vulnerability allows attackers to manipulate file paths and reach areas of a server that should stay restricted. In this case, CVE-2024-1708 may allow remote code execution or direct impact to confidential data and critical systems.
The risk increases because ScreenConnect often sits close to sensitive systems. Once attackers gain access to a remote support platform, they can use that access to move deeper into the network, create accounts, deploy tools, steal credentials, or prepare a ransomware attack.
What CISA wants organizations to do
CISA’s required action is direct: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or stop using the product if mitigations are unavailable.
ConnectWise has also urged on-premises customers to upgrade immediately. Cloud partners using screenconnect.com and hostedrmm.com were already remediated against the vulnerabilities reported in February 2024, according to the vendor.
Organizations running self-hosted ScreenConnect servers should not stop at patching. ConnectWise also recommends checking systems for signs of compromise, especially if the server stayed exposed before the update.
Recommended actions for administrators
- Upgrade self-hosted ScreenConnect servers to a supported patched version.
- Confirm that no instance remains on ScreenConnect 23.9.7 or earlier.
- Review server logs, Windows event logs, and EDR alerts for suspicious activity.
- Look for unexpected users, suspicious extensions, web shell activity, or unusual remote sessions.
- Restrict internet exposure where possible and limit administrative access.
- Rotate credentials if compromise is suspected.
- Bring in incident response support if suspicious files or commands appear.
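The version check from the list above can be run over an asset inventory. The following is an added example, not code from ConnectWise or CISA: it uses the 23.9.8 minimum and the vendor-hosted domains named in this article, and keeps instances with no readable version on the worklist instead of assuming they are patched. The inventory rows, hostnames, build numbers and function names are constructed for illustration.

```python
import re

MIN_PATCHED = (23, 9, 8)  # minimum remediated release named in the article
VENDOR_HOSTED = ("screenconnect.com", "hostedrmm.com")  # cloud domains the vendor says it remediated

# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    {"host": "support.example.org", "version": "23.9.7.8804", "internet_facing": True},
    {"host": "rmm-lab.example.org", "version": "23.9.8.8811", "internet_facing": False},
    {"host": "acme.screenconnect.com", "version": "", "internet_facing": True},
    {"host": "legacy.example.org", "version": "unknown", "internet_facing": True},
    {"host": "branch.example.org", "version": "v22.10", "internet_facing": False},
]

def parse_version(text):
    """Return (major, minor, patch), or None when text is not a dotted version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def is_vendor_hosted(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_HOSTED)

def classify(asset):
    if is_vendor_hosted(asset["host"]):
        return "vendor-hosted"
    version = parse_version(asset.get("version") or "")
    if version is None:
        return "unverified"  # no evidence of a patch: keep it on the worklist
    return "vulnerable" if version < MIN_PATCHED else "patched"

def triage(inventory):
    """Return (host, status) pairs that still need action, internet-facing hosts first."""
    rank = {"vulnerable": 0, "unverified": 1}
    todo = [(classify(a), a) for a in inventory]
    todo = [(s, a) for s, a in todo if s in rank]
    todo.sort(key=lambda sa: (not sa[1]["internet_facing"], rank[sa[0]], sa[1]["host"]))
    return [(a["host"], s) for s, a in todo]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:11} {host}")
```
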
Ransomware risk remains high
CISA’s KEV listing confirms active exploitation, which means the flaw is no longer theoretical. Attackers are using it in real environments.
Microsoft has also linked exploitation of ScreenConnect flaws, including CVE-2024-1708 and CVE-2024-1709, to Storm-1175 activity. Microsoft says the financially motivated actor has used exposed systems to move quickly toward data theft and Medusa ransomware deployment.
This does not mean every CVE-2024-1708 incident leads to ransomware. However, remote access tools remain attractive to ransomware operators because they can provide trusted access paths into business networks.
Why older flaws still create new problems
CVE-2024-1708 was patched in 2024, but CISA’s 2026 KEV update shows that old vulnerabilities remain dangerous when organizations delay updates. Attackers often scan for internet-facing services and look for systems that missed patches months or years earlier.
This pattern creates a long risk window. A company may think an old advisory no longer matters, while attackers still find exposed systems running vulnerable versions.
For security teams, the lesson is simple. Asset inventory, patch verification, and exposure management matter as much as the patch itself. A fix only helps when every affected system actually receives it.
FAQ
CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect. It affects ScreenConnect 23.9.7 and earlier and may allow remote code execution or impact sensitive systems.
Yes. CISA added the flaw to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation.
ConnectWise lists ScreenConnect 23.9.8 as the minimum version that remediated the reported vulnerabilities. Administrators should upgrade to the latest supported release where possible.
Federal Civilian Executive Branch agencies must patch or mitigate by May 12, 2026. Private organizations should also use that date as an urgent remediation target.