Cyber Resilience

CVE-2024-1708

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linked

Published: 21 February 2024

Published
21 February 2024
Modified
28 April 2026
KEV Added
28 April 2026
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.8481 99.4th percentile
Risk Priority 88 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-1708 is a high-severity Path Traversal (CWE-22) vulnerability in Connectwise Screenconnect. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ConnectWise ScreenConnect versions 23.9.7 and earlier contain a path-traversal vulnerability tracked as CVE-2024-1708 and assigned CWE-22. The flaw received a CVSS 3.1 score of 8.4 and can permit an attacker to execute remote code or directly affect confidential data and critical systems.

An attacker with network access and high privileges can leverage the path traversal to reach sensitive resources on the server. Successful exploitation grants the ability to run arbitrary code or exfiltrate and manipulate data without further user interaction beyond the required high-privilege session.

The vendor ConnectWise released version 23.9.8 to address the issue, as detailed in its security bulletin. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity. Its EPSS score has reached a peak of 0.8624 with a current value of 0.8481, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

CWE(s)
KEV Date Added
28 April 2026

Related Threats

Threat-Actor AttributionAI

STORM-1175aka Medusa
Microsoft reports STORM-1175 conducting high-tempo Medusa ransomware operations exploiting vulnerable ScreenConnect instances (CVE-2024-1708).

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE-2024-1708 path traversal in ConnectWise ScreenConnect enables remote code execution, especially chained with CVE-2024-1709 auth bypass, facilitating exploitation of public-facing applications (T1190) and remote services (T1210).

Affected Assets

connectwise
screenconnect
≤ 23.9.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (23.9.8) that eliminates the path-traversal flaw being actively exploited.

prevent

Enforces validation of file-path inputs to reject traversal sequences such as ../ that enable the CVE-2024-1708 attack.

prevent

Limits the high-privilege credentials required by the vulnerability, reducing the attacker's ability to reach or exploit the flaw.

References