CISA Flags ConnectWise ScreenConnect and Windows Flaws as Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that both flaws are being actively weaponized in real-world attacks. The additions affect ConnectWise ScreenConnect and Microsoft Windows, and federal agencies under the Federal Civilian Executive Branch (FCEB) are required to remediate both vulnerabilities by the binding deadline set by CISA's Binding Operational Directive (BOD) 22-01.
CISA's KEV catalog serves as an authoritative signal for the broader security community: when a vulnerability enters the KEV list, CISA has evidence that threat actors are exploiting it in live campaigns. Private sector organizations are strongly encouraged to treat KEV additions as highest-priority patches regardless of their CVSS score.
The Two Vulnerabilities
CVE-2024-1708 — ConnectWise ScreenConnect Path Traversal
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-1708 |
| Vendor | ConnectWise |
| Product | ScreenConnect |
| Type | Path Traversal |
| CVSS | 8.4 (High) |
| Impact | Remote code execution, confidential data access |
| Fixed Version | 23.9.8 |
| KEV Added | April 28, 2026 |
CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that allows an attacker to navigate outside the intended directory tree and write or access files on the underlying system. When chained with CVE-2024-1709 (an authentication bypass flaw in the same product), the combination results in unauthenticated remote code execution — one of the most dangerous vulnerability profiles possible.
ConnectWise ScreenConnect is a widely deployed remote access and remote support tool, particularly prevalent among Managed Service Providers (MSPs). Attackers who compromise an MSP's ScreenConnect instance gain a potential pivot into all of that MSP's managed client environments, making this an extremely high-value target for ransomware operators and nation-state actors.
Microsoft Windows Flaw
| Attribute | Value |
|---|---|
| Vendor | Microsoft |
| Product | Windows |
| Type | Under active exploitation |
| Impact | Privilege escalation or code execution |
| KEV Added | April 28, 2026 |
CISA also added a Microsoft Windows vulnerability to the KEV catalog based on evidence of active exploitation. Windows vulnerabilities regularly appear in the KEV catalog given the operating system's universal deployment across enterprise and government environments. Organizations should cross-reference CISA's KEV entry against Microsoft's security advisory to identify the specific component affected and apply the relevant Windows Update or patch.
Why CISA KEV Additions Matter
The KEV Catalog as a Patching Priority Signal
CISA's KEV catalog was established under Binding Operational Directive 22-01 in 2021. Since then, it has grown to encompass thousands of vulnerabilities that have confirmed, real-world exploitation. The catalog serves three functions:
- Binding requirement for federal agencies — FCEB agencies must patch KEV entries by specified deadlines or formally accept risk
- Priority signal for private sector — CISA strongly urges all organizations to use the KEV catalog to guide patching prioritization
- Intelligence sharing — each KEV entry is backed by threat intelligence confirming active exploitation
Historical data shows that KEV-listed vulnerabilities are disproportionately used in:
- Ransomware initial access campaigns
- Nation-state espionage operations
- Commodity malware distribution
- Mass-exploitation scanning campaigns
ConnectWise ScreenConnect: High-Value Attack Target
ConnectWise ScreenConnect occupies a unique position in the threat landscape because of its role as remote access infrastructure. Unlike a typical enterprise application vulnerability, a compromised ScreenConnect deployment gives attackers:
- Persistent, legitimate-looking remote access to all enrolled endpoints
- Trusted administrative privileges on managed systems
- A pre-built channel to deliver payloads without triggering standard security controls
- Access to client environments if the compromised instance belongs to an MSP
Multiple ransomware groups — including LockBit, BlackCat/ALPHV, and Scattered Spider — have historically used compromised remote access tools as their primary means of spreading ransomware across enterprise networks after initial access.
Patching Timeline and Deadlines
Federal Agencies (FCEB)
Federal agencies are required to remediate both vulnerabilities per the BOD 22-01 mandate. CISA publishes specific deadline dates in the KEV catalog. Agencies that cannot meet the deadline must formally report to CISA and document an accepted risk position.
Recommended Private Sector Patching Timeline
| Priority | Action | Timeline |
|---|---|---|
| Critical | Patch or isolate ConnectWise ScreenConnect | Within 24-48 hours |
| High | Apply Windows security update | Within 72 hours |
| Medium | Audit for post-exploitation indicators | Within one week |
| Standard | Review all other pending patches | Per normal patch cycle |
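As an added example (not code from the original article or from CISA), the routine below cross-references the CISA KEV JSON feed against an asset inventory and applies the tiering from the timeline table above, so the catalog can drive patch prioritization rather than sit as a compliance list. The feed sample, the inventory, and the REMOTE_ACCESS_PRODUCTS rule are constructed assumptions; the Windows CVE id and the due dates are placeholders because the page does not name them.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Windows CVE id and due dates are placeholders, not values from the page.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-PLACEHOLDER-WINDOWS", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-PLACEHOLDER-OTHER", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Unknown"},
]})

# Assumed asset inventory: lowercase vendor -> set of lowercase products we run.
INVENTORY = {"connectwise": {"screenconnect"}, "microsoft": {"windows"}}

# Assumption: remote access infrastructure gets the "Critical, patch or isolate
# within 24-48 hours" tier from the table above regardless of the due date.
REMOTE_ACCESS_PRODUCTS = {"screenconnect"}


def matches_inventory(entry, inventory):
    """Case-insensitive vendor/product match against the inventory."""
    vendor = entry["vendorProject"].strip().lower()
    return entry["product"].strip().lower() in inventory.get(vendor, set())


def assign_tier(entry):
    """Critical for remote-access products or known ransomware use, else High."""
    remote_access = entry["product"].strip().lower() in REMOTE_ACCESS_PRODUCTS
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    return "Critical" if remote_access or ransomware else "High"


def triage(feed_text, inventory, today_iso):
    """Return KEV entries that apply to the inventory, most urgent first."""
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in json.loads(feed_text)["vulnerabilities"]:
        if not matches_inventory(entry, inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        hits.append({"cveID": entry["cveID"], "product": entry["product"],
                     "tier": assign_tier(entry), "days_to_due": days_left,
                     "overdue": days_left < 0})
    # Critical first, then by BOD 22-01 due date (soonest, or most overdue, first).
    return sorted(hits, key=lambda h: (h["tier"] != "Critical", h["days_to_due"]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_KEV_FEED, INVENTORY, "2026-04-30"):
        print(hit)
```

To run against the live catalog, replace SAMPLE_KEV_FEED with the downloaded feed text and INVENTORY with your own vendor/product list.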
Remediation Guidance
ConnectWise ScreenConnect (CVE-2024-1708)
- Verify the current ScreenConnect version in the admin console (Admin > About) and compare it against the fixed version 23.9.8
- For on-premises deployments, download the latest release from the ConnectWise partner portal and run the installer
- Post-patch: audit admin user accounts for unauthorized additions
- Post-patch: scan the web root for unexpected script files
- Post-patch: review the Windows Security event log for new account creation
Microsoft Windows
```powershell
# Requires the PSWindowsUpdate module (Install-Module PSWindowsUpdate) in an elevated session
Import-Module PSWindowsUpdate
# Check for pending Windows updates
Get-WindowsUpdate -MicrosoftUpdate
# Install all available security updates
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot
# Verify the patch installed by checking Windows Update history
# (Get-HotFix does not list every update type; confirm the specific KB in Settings > Update history)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
# For enterprise environments, deploy via WSUS/MECM/Intune and keep
# KEV-related patches in the highest-priority update ring
```
Threat Actor Context
Who Is Exploiting These Vulnerabilities?
CISA does not always attribute KEV-listed exploitation to specific threat actors, but based on public threat intelligence:
ConnectWise ScreenConnect (CVE-2024-1708 / CVE-2024-1709 chain):
- Ransomware affiliates have been the primary exploiters, using ScreenConnect as a persistence and lateral movement mechanism
- Initial exploitation campaigns were observed shortly after the original 2024 disclosure, targeting internet-exposed ScreenConnect instances
- MSPs remain the highest-risk organizations given the downstream client exposure
Windows vulnerabilities in active exploitation:
- Windows flaws appearing in the KEV catalog are typically exploited by a range of actors including ransomware operators (for privilege escalation post-initial access), nation-state APTs (for persistence), and commodity malware droppers
Mapping to MITRE ATT&CK
| Tactic | Technique | Vulnerability |
|---|---|---|
| Initial Access | T1133 — External Remote Services | CVE-2024-1708 (ScreenConnect) |
| Execution | T1059 — Command and Scripting Interpreter | Post-exploitation via RCE |
| Persistence | T1505.003 — Web Shell | Post-exploitation web shell deployment |
| Privilege Escalation | T1068 — Exploitation for Privilege Escalation | Windows KEV flaw |
| Lateral Movement | T1021.001 — Remote Desktop Protocol | ScreenConnect agent abuse |
Key Takeaways
- CISA added CVE-2024-1708 (ConnectWise ScreenConnect) and a Microsoft Windows flaw to the KEV catalog, confirming active exploitation
- Federal agencies must patch both vulnerabilities by CISA's mandated deadline under BOD 22-01
- ConnectWise ScreenConnect is a high-value target — MSPs and enterprises using on-premises deployments must upgrade to version 23.9.8 immediately
- The Windows flaw should be addressed via the standard Windows Update or enterprise patch management process
- All organizations should use the CISA KEV catalog as a live priority signal for vulnerability management, not just a compliance checklist
- Post-patching, audit both systems for indicators of prior compromise