CVE-2024-1708

CVE-2024-1708 is a high-severity vulnerability in Connectwise Screenconnect with a CVSS 3.x base score of 8.4. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-28). The underlying weakness is classified as CWE-22.

Key facts

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

CVE-2024-1708: ConnectWise ScreenConnect Path Traversal (CWE-22)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2024-1708
Vendor / Product ConnectWise / ScreenConnect
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS 3.1 8.4 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS 0.87624 (99.7th percentile)
KEV Listed (added 2026-04-28)
CISA KEV Catalog Entry

Summary

CVE-2024-1708 is a path-traversal flaw in ConnectWise ScreenConnect versions 23.9.7 and earlier. The vulnerability allows an attacker to manipulate file paths, potentially leading to remote code execution or direct impact on confidential data and critical systems. The issue has been actively exploited in the wild and carries a high EPSS probability score.

Background

ConnectWise ScreenConnect is a widely deployed remote support and access solution used by managed service providers (MSPs) and internal IT teams. Because it is internet-facing and privileged by design, vulnerabilities in this product are high-value targets for threat actors seeking initial access to downstream customer environments.

Root Cause

The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The application fails to adequately sanitize user-supplied path inputs, allowing directory traversal sequences that can reach files outside the intended restricted directory. This weakness in input validation can be abused to read, write, or execute files in unexpected locations on the host file system.

Impact

The CVSS 3.1 vector scores this flaw at 8.4 (High) with the following metric breakdown:

  • Attack Vector (AV): Network — exploitable remotely.
  • Attack Complexity (AC): Low — no special conditions required.
  • Privileges Required (PR): High — attacker must have high-level privileges.
  • User Interaction (UI): Required — action from a privileged user is needed.
  • Scope (S): Changed — the vulnerable component impacts resources beyond its security scope.
  • Confidentiality (C): High — total loss of confidentiality.
  • Integrity (I): High — total loss of integrity.
  • Availability (A): High — total loss of availability.

In practical terms, successful exploitation can lead to full system compromise of the ScreenConnect server and pivoting into managed endpoints.

Exploitation Walkthrough (Defensive Analysis)

This section is provided for defensive awareness only. Do not use the following information to attack systems without explicit authorization.

  1. Reconnaissance: Identify internet-facing ScreenConnect instances.
  2. Authentication: The attacker must first obtain high-privilege credentials (e.g., administrative access).
  3. Path Traversal Abuse: Through an authenticated endpoint, the attacker submits path traversal sequences (e.g., ../ or encoded equivalents) to access or write files outside the intended web/root directory.
  4. Result: Depending on the endpoint and file system permissions, this may lead to arbitrary file read, file upload, or code execution on the host.

Ethics Note: Active exploitation of this vulnerability has been observed by threat actors including those affiliated with ransomware operations. Defenders should treat any exposed, unpatched ScreenConnect instance as a high-risk asset.

Affected and Patched Versions

  • Affected: ConnectWise ScreenConnect 23.9.7 and prior (CPE cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:*).
  • Patched: The vendor's security bulletin (see References) references version 23.9.8. Administrators should verify the latest vendor guidance for the definitive fixed release.

Remediation

  1. Upgrade Immediately: Apply the vendor-supplied patch or upgrade to the fixed version as indicated in the ConnectWise security bulletin.
  2. Compensating Controls:
    • Restrict network access to ScreenConnect administration interfaces to trusted IP ranges or VPN only.
    • Enable MFA for all ScreenConnect accounts, especially administrative roles.
    • Review and prune unnecessary admin accounts.
    • Monitor file system and web root directories for unexpected modifications.
  3. Post-Incident: If exploitation is suspected, rotate all credentials, review access logs, and hunt for persistence mechanisms on the ScreenConnect host and any managed endpoints.

Detection

  • Monitor web/application logs for traversal patterns (../, %2e%2e%2f, %252e%252e%252f, etc.) in authenticated requests.
  • Alert on unexpected file writes or reads outside the application's expected directories.
  • Correlate ScreenConnect access logs with CISA KEV and threat-intelligence feeds for known exploitation indicators.

Assessment

With an EPSS score of 0.87624 (99.7th percentile) and confirmed KEV listing, this vulnerability is one of the highest-probability, actively exploited flaws in the current threat landscape. The high EPSS reflects that exploitation is not merely theoretical but occurring at scale. The EU vulnerability database also flags this as actively exploited (EUVD-2024-17442).

Key Lessons:

  1. Input validation is non-negotiable for internet-facing admin tools: Path traversal remains a top-tier attack primitive because it is simple to exploit and often grants high-impact outcomes.
  2. KEV + EPSS together should drive prioritization: Even when CVSS requires high privileges (PR:H), the scope change and real-world exploitation mean this should be patched before many lower-EPSS 10.0 CVSS issues.

References

Frequently asked questions

What is CVE-2024-1708?
ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
How severe is CVE-2024-1708?
CVE-2024-1708 has a CVSS 3.x base score of 8.4, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-1708 being actively exploited?
Yes. CVE-2024-1708 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-1708?
CVE-2024-1708 affects Connectwise Screenconnect. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-1708?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-1708 have an EU (EUVD) identifier?
Yes. CVE-2024-1708 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-17442. It is also flagged as exploited in the EUVD (since 2026-04-28).
When was CVE-2024-1708 published?
CVE-2024-1708 was published on 2024-02-21 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Connectwise Screenconnect

All CVEs affecting Connectwise Screenconnect →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →