Executive Summary
A high-severity path traversal vulnerability (CVE-2024-1708) in ConnectWise ScreenConnect has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. The flaw allows an attacker to execute remote code or directly impact confidential data and critical systems by bypassing path restrictions within the ScreenConnect file handling functionality.
CVE-2024-1708 was disclosed alongside CVE-2024-1709 (a critical authentication bypass), and the two are routinely chained: CVE-2024-1709 gives the attacker an administrative session, and CVE-2024-1708 turns that session into code execution on the server host. Federal Civilian Executive Branch (FCEB) agencies are required to remediate under CISA Binding Operational Directive 22-01. All organizations running ScreenConnect on-premises should treat this as an urgent, high-priority patch.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-1708 |
| CVSS Score | 8.4 (High) |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| Type | Path Traversal / Remote Code Execution |
| Attack Vector | Network |
| Privileges Required | Low |
| User Interaction | None |
| Vendor | ConnectWise |
| Product | ScreenConnect |
| Fixed Version | 23.9.8 and later |
| CISA KEV Added | April 28, 2026 |
| Exploitation Status | Actively exploited in the wild |
Affected Versions
| Product | Affected Versions | Action Required |
|---|---|---|
| ConnectWise ScreenConnect | All versions prior to 23.9.8 | Update immediately |
Technical Analysis
Root Cause
The vulnerability resides in ScreenConnect's file handling and upload functionality. User-supplied path components are not properly normalized or restricted to an allowed directory tree. By supplying path traversal sequences (e.g., ../../) in file paths, an attacker can:
- Write arbitrary files outside the intended directory
- Overwrite application configuration or code
- Achieve remote code execution in the context of the ScreenConnect service account
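The following Python is an added illustration of the bug class, not ScreenConnect code: the upload directory, file names and extension layout are constructed. It contrasts the naive join of a client-supplied name under an upload directory with a component-wise containment check, shows why a plain string-prefix test is not a sufficient fix, and applies the check to a list of archive member names, which is the zip-slip form of the same traversal. It uses posixpath throughout so the demonstration behaves identically on any host, even though the target it models is a Windows server.

```python
import posixpath

# Constructed upload directory for the example; not the real ScreenConnect layout.
BASE = "/srv/app/App_Extensions"


def vulnerable_target(base, user_path):
    """The bug: join the client-supplied name under the upload directory and
    normalise it, so '..' components walk out of the directory."""
    return posixpath.normpath(posixpath.join(base, user_path))


def naive_prefix_check(base, user_path):
    """A common but insufficient fix: a string-prefix test on the result.
    '../App_Extensions_evil/x' passes because the string starts with `base`."""
    return vulnerable_target(base, user_path).startswith(base)


def safe_target(base, user_path):
    """Return the on-disk path for user_path, or raise ValueError if it would
    land outside `base`."""
    base = posixpath.normpath(base)
    # The target platform is Windows, so treat backslashes as separators too;
    # reject empty names, absolute paths, drive/UNC forms and embedded NULs.
    name = user_path.replace("\\", "/")
    if not name or name.startswith("/") or ":" in name or "\x00" in name:
        raise ValueError(f"rejected absolute or malformed path: {user_path!r}")
    candidate = posixpath.normpath(posixpath.join(base, name))
    # commonpath compares whole path components, so a sibling directory that
    # merely shares a prefix ('App_Extensions_evil') is rejected as well.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    return candidate


def check_upload_paths(base, names):
    """Split client-supplied names (for instance the member names of an uploaded
    archive) into (accepted, rejected). Writing only the accepted names is the
    same fix applied to the zip-slip variant of this bug."""
    accepted, rejected = [], []
    for name in names:
        try:
            safe_target(base, name)
            accepted.append(name)
        except ValueError:
            rejected.append(name)
    return accepted, rejected


# Constructed names an attacker might supply; the odd ones are the interesting cases.
SAMPLE_NAMES = [
    "ext1/Manifest.xml",
    "ext1/Service.ashx",
    "../../App_Data/shell.ashx",
    "..\\..\\App_Data\\shell.ashx",
    "../App_Extensions_evil/shell.aspx",
    "/etc/passwd",
    "C:/Windows/Temp/x.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:40} naive join -> {vulnerable_target(BASE, n)}")
    ok, bad = check_upload_paths(BASE, SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The containment check is done on the normalised candidate rather than on the raw input, so `ext1/../Manifest.xml` is accepted (it stays inside the directory) while every form that resolves outside, including the backslash variant, is rejected before anything touches the disk.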
Attack Chain with CVE-2024-1709
CVE-2024-1708 is most dangerous when chained with CVE-2024-1709, an authentication bypass that allows an unauthenticated attacker to create a new administrative user account:
1. Attacker identifies a ScreenConnect instance reachable from the internet
2. CVE-2024-1709: Attacker bypasses authentication — creates rogue admin account
3. Authenticated as new admin, attacker exploits CVE-2024-1708
4. Crafts a path traversal payload in file upload or management endpoint
5. Writes a web shell or malicious file outside the ScreenConnect web root
6. Executes uploaded code — achieves full RCE on the ScreenConnect host
7. Post-exploitation: credential harvesting, lateral movement, ransomware staging
Why This Is Dangerous
| Factor | Impact |
|---|---|
| Paired with auth bypass (CVE-2024-1709) | Effectively unauthenticated exploitation when chained |
| ScreenConnect is a remote access tool | Compromised server grants access to all managed endpoints |
| High install base | Thousands of on-premises ScreenConnect deployments internet-exposed |
| CISA KEV confirmed | Active exploitation is ongoing |
| Managed Service Providers (MSPs) targeted | Compromise of a single ScreenConnect server can pivot to thousands of client environments |
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary code execution on the ScreenConnect server host |
| Full Endpoint Access | ScreenConnect agents allow control of all managed remote endpoints |
| Credential Theft | Access to stored ScreenConnect session credentials and client data |
| Lateral Movement | Compromised ScreenConnect instance used to pivot into all managed networks |
| Ransomware Staging | Multiple ransomware groups have leveraged this chain for initial access |
| Data Exfiltration | Access to files and configurations on the ScreenConnect server |
Immediate Remediation
Step 1: Upgrade ScreenConnect Immediately
Apply the security patch released by ConnectWise. The fixed version is 23.9.8; ConnectWise also lifted license restrictions so that on-premises partners no longer under maintenance can upgrade to 23.9.8:
# Check your current ScreenConnect version
# Navigate to Admin > About in the ScreenConnect web interface
# For cloud-hosted ScreenConnect (screenconnect.com):
# ConnectWise has already patched cloud instances; no action needed
# For on-premises installations:
# Download the latest installer from the ConnectWise partner portal
# The installer stops and restarts the ScreenConnect services itself; to stop them manually first:
net stop "ScreenConnect Web Server"
net stop "ScreenConnect Relay"
net stop "ScreenConnect Session Manager"
# Run the installer to upgrade
# Restart and verify the new version
Step 2: Verify No Compromise Occurred
# Check for unexpected script files under the ScreenConnect web root
# Default path (Windows): C:\Program Files (x86)\ScreenConnect\
# List .aspx/.ashx/.php files under App_Extensions with their last-write time, newest first.
# Legitimate extensions do contain .ashx/.aspx files, so judge by location and recency, not by extension alone.
Get-ChildItem -Path "C:\Program Files (x86)\ScreenConnect\App_Extensions" -Recurse -Include *.aspx,*.ashx,*.php |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length
# Windows Event ID 4720 records creation of a Windows account. The rogue account created via
# CVE-2024-1709 is a ScreenConnect application user, not a Windows user, so review both:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} | Select-Object TimeCreated, Message | Format-List
# Check for unauthorized ScreenConnect admin accounts in the web interface (Admin > Users) and in the
# internal user store on disk; look for unfamiliar names and accounts created after the disclosure date
Get-Item "C:\Program Files (x86)\ScreenConnect\App_Data\User.xml" | Select-Object FullName, LastWriteTime
Step 3: Restrict Internet Exposure
If immediate patching is not possible:
# Block inbound access to the ScreenConnect web interface port (default 8040, often remapped to 443)
# until patched. The relay port (default 8041) is a separate listener and is not the vulnerable surface.
# In Windows Firewall a Block rule wins over any Allow rule, so a block on RemoteAddress Any also
# cuts off legitimate admins; scope -RemoteAddress to untrusted ranges or enforce this at the perimeter.
New-NetFirewallRule -DisplayName "Block SC External" -Direction Inbound `
    -LocalPort 443,8040 -Protocol TCP -Action Block `
    -RemoteAddress Any -Enabled True
Step 4: Post-Patch Hardening
# After upgrading, review and tighten ScreenConnect access controls:
# 1. Enable two-factor authentication for all ScreenConnect admin accounts
# 2. Review the admin user list and remove any unrecognized accounts
# 3. Restrict the admin interface to known IP ranges if possible
# 4. Enable audit logging for all ScreenConnect admin actions
# 5. Rotate ScreenConnect service account credentials
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected .aspx / .ashx files in App_Extensions | Web shell deployed post-exploitation |
| New admin account creation events (Windows Event ID 4720) | Potential CVE-2024-1709 exploitation |
| ScreenConnect admin logins from unknown IPs | Unauthorized access via rogue account |
| Outbound connections from the ScreenConnect server process | Reverse shell or C2 beaconing |
| Large data transfers from ScreenConnect host | Credential or data exfiltration |
| Remote PowerShell execution from ScreenConnect service | Post-exploitation command execution |
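As an added triage example (not ConnectWise tooling; all sample data is constructed), the Python below applies the checks from Step 2 and from the indicator table above to two artifacts collected from a server: a listing of App_Extensions with last-write times, and the internal user store. The extension folder names, the known-user and known-extension inventories, and the User.xml element names (User, Name, Roles, CreationDate) are assumptions for the sample and must be checked against your own server. Because legitimate extensions also ship .ashx and .aspx files, script files are flagged by location and recency rather than by extension alone.

```python
import datetime as dt
import posixpath
import xml.etree.ElementTree as ET

# Server-side script types worth examining when they appear under App_Extensions.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".cshtml"}

# Constructed inputs for the example; none of this is captured from a real server.
DISCLOSURE_CUTOFF = dt.datetime(2024, 2, 19)                    # only look at changes after this
KNOWN_EXTENSION_IDS = {"11111111-1111-1111-1111-111111111111"}  # assumption: your own inventory
KNOWN_USERS = {"admin", "helpdesk"}                             # assumption: your own user list

SAMPLE_FILES = [  # (path relative to App_Extensions, last write time); constructed
    ("11111111-1111-1111-1111-111111111111/Manifest.xml", dt.datetime(2023, 11, 2, 9, 0)),
    ("11111111-1111-1111-1111-111111111111/Service.ashx", dt.datetime(2023, 11, 2, 9, 0)),
    ("22222222-2222-2222-2222-222222222222/Service.ashx", dt.datetime(2024, 2, 21, 3, 16)),
    ("cmd.aspx", dt.datetime(2024, 2, 21, 3, 17)),
]

# Constructed sample; the element names are an assumption about User.xml.
SAMPLE_USER_XML = """<Users>
  <User><Name>admin</Name><Roles>Administrator</Roles><CreationDate>2022-06-01T10:00:00</CreationDate></User>
  <User><Name>helpdesk</Name><Roles>Host</Roles><CreationDate>2023-01-15T08:30:00</CreationDate></User>
  <User><Name>backupadmin</Name><Roles>Administrator</Roles><CreationDate>2024-02-21T03:14:00</CreationDate></User>
</Users>"""


def find_unexpected_scripts(files, known_extension_ids, since):
    """Flag script files under App_Extensions that sit at the root, live in a
    folder not in the known extension inventory, or were written after `since`.
    `files` is an iterable of (relative_path, last_write) pairs."""
    findings = []
    for rel_path, last_write in files:
        rel_path = rel_path.replace("\\", "/")
        if posixpath.splitext(rel_path)[1].lower() not in SCRIPT_EXTENSIONS:
            continue
        top = rel_path.split("/", 1)[0] if "/" in rel_path else ""
        reasons = []
        if not top:
            reasons.append("script file at App_Extensions root")
        elif top not in known_extension_ids:
            reasons.append(f"unknown extension folder {top}")
        if last_write >= since:
            reasons.append(f"written {last_write.isoformat()} after cutoff")
        if reasons:
            findings.append((rel_path, reasons))
    return findings


def find_unexpected_users(user_xml, known_users, since):
    """Return (name, roles, reasons) for users absent from the known list or
    created after `since`."""
    findings = []
    for user in ET.fromstring(user_xml).iter("User"):
        name = (user.findtext("Name") or "").strip()
        roles = (user.findtext("Roles") or "").strip()
        created_txt = user.findtext("CreationDate")
        created = dt.datetime.fromisoformat(created_txt) if created_txt else None
        reasons = []
        if name not in known_users:
            reasons.append("not in known user list")
        if created is not None and created >= since:
            reasons.append(f"created {created.isoformat()} after cutoff")
        if reasons:
            findings.append((name, roles, reasons))
    return findings


def run_triage():
    """Run both checks over the constructed sample data."""
    return (
        find_unexpected_scripts(SAMPLE_FILES, KNOWN_EXTENSION_IDS, DISCLOSURE_CUTOFF),
        find_unexpected_users(SAMPLE_USER_XML, KNOWN_USERS, DISCLOSURE_CUTOFF),
    )


if __name__ == "__main__":
    scripts, users = run_triage()
    for path, reasons in scripts:
        print(f"[script] {path}: {'; '.join(reasons)}")
    for name, roles, reasons in users:
        print(f"[user] {name} ({roles}): {'; '.join(reasons)}")
```

In practice the file listing comes from the Get-ChildItem command in Step 2 exported to CSV, and User.xml is copied off the host before any cleanup; an account that is both unknown and created in the exploitation window, as the constructed backupadmin entry is, is the strongest single indicator in this data.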
Post-Remediation Checklist
- Upgrade ConnectWise ScreenConnect to version 23.9.8 or later
- Audit the admin user list — remove any accounts not recognized by your team
- Reset all admin passwords after upgrading
- Scan the web root for unexpected .aspx, .ashx, or other script files
- Review the ScreenConnect user list and App_Data\User.xml for accounts created since the disclosure date, and the Windows Security Event Log for Event ID 4720 (local Windows account creation) in the same window
- Check all managed endpoints for signs of lateral movement from the ScreenConnect server
- Enable 2FA on all ScreenConnect administrator accounts
- Restrict the admin panel to known IP ranges or VPN access only
- Notify clients if you are an MSP — all managed environments should be assessed for post-compromise indicators
- Monitor for re-exploitation until upgrade is confirmed across all on-premises deployments