A path traversal flaw in ConnectWise ScreenConnect 23.9.7 and earlier allows authenticated attackers to execute remote code or directly impact confidential data and critical systems, and CISA has confirmed active exploitation tied to known ransomware campaigns.
What Is It
CVE-2024-1708 is a path traversal vulnerability (CWE-22) in ConnectWise ScreenConnect, the widely deployed remote access and support platform. According to the NVD, the flaw permits an attacker to traverse outside intended directory boundaries, opening the door to remote code execution or direct manipulation of sensitive data and underlying systems.
The CVSS 3.1 base score is 8.4 (HIGH), with the vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H, network-reachable, low complexity, but requiring high privileges and user interaction. The scope is changed, and confidentiality, integrity, and availability impacts are all rated High.
Why It Matters
CISA added CVE-2024-1708 to the Known Exploited Vulnerabilities catalog on 2026-04-28, and the entry explicitly flags known ransomware campaign use. Microsoft's reference advisory ties exploitation of vulnerable web-facing assets, including ScreenConnect, to Storm-1175's high-tempo Medusa ransomware operations. ScreenConnect's role as a remote management tool makes a compromised instance an unusually strong pivot point: attackers inherit the same reach into managed endpoints that legitimate operators use.
What's Vulnerable
- Product: ConnectWise ScreenConnect
- Affected versions: All versions prior to 23.9.8 (
cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*, versionEndExcluding23.9.8) - Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Patch Status
ConnectWise has released ScreenConnect 23.9.8, which addresses the vulnerability. CISA's required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The federal remediation due date is 2026-05-12. Given confirmed ransomware exploitation, operators of self-hosted ScreenConnect instances, particularly internet-facing ones, should treat patching as urgent.