ConnectWise ScreenConnect exploited in the wild (CVE-2024-1708)

Actively exploited in the wild - CVE-2024-1708 is a high-severity path traversal vulnerability in ConnectWise ScreenConnect 23.9.7 and prior that lets an authenticated attacker execute remote code or access sensitive data. With a 53.7% EPSS score and CISA KEV confirmation, patch to version 23.9.8 or later immediately.

Overview

CVE-2024-1708 is a path-traversal flaw in ConnectWise ScreenConnect (formerly ConnectWise Control) versions 23.9.7 and earlier. By manipulating file paths, an authenticated attacker with high privileges can escape restricted directories and access files outside the intended scope. This can lead to remote code execution (RCE) or direct exposure of confidential data and critical system files.

The vulnerability carries a CVSS score of 8.4 (HIGH) with a network attack vector and low attack complexity. While it requires authentication and user interaction, the low complexity and confirmed active exploitation make it an urgent threat for any organization running affected versions.

Impact on Affected Systems

• Remote Code Execution - An attacker who exploits the path traversal can execute arbitrary commands on the ScreenConnect server, potentially gaining full control.
• Data Exposure - Confidential data stored on the server, including session tokens, credentials, or customer information, may be read and exfiltrated.
• Lateral Movement - With RCE or data access, attackers can pivot to other systems within the same network environment.

Remediation and Mitigation

ConnectWise has released ScreenConnect version 23.9.8, which patches CVE-2024-1708. All organizations should update immediately:

• Upgrade to ScreenConnect 23.9.8 or later from the official vendor portal.
• If immediate patching is not possible, restrict network access to the ScreenConnect server to trusted IP ranges only.
• Review authentication logs for unusual access patterns, especially from accounts with high privileges.
• Monitor for signs of post-exploitation activity such as unexpected file writes or process launches.

Given the CISA KEV listing and high EPSS score (53.7% probability in the next 30 days), treat this as a critical-priority patch.

Security Insight

CVE-2024-1708 reflects a recurring pattern in remote access and management software: path traversal bugs in file-handling logic often become high-value targets because these tools inherently have broad system access. ConnectWise ScreenConnect, like many remote-support platforms, is a prime target for cybercriminals and ransomware groups seeking initial access. The high EPSS score indicates that exploit development has matured quickly, meaning defenders have little time to react. This incident reinforces the need for vendors to treat file-path validation in administrative interfaces as a security-critical design requirement, not just a quality-of-life fix.

For more details on recent data breaches and ransomware incidents leveraging remote access tools, see our breach reports and security news.

Further Reading

• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs