Path traversal in ConnectWise ScreenConnect (CVE-2024-1708) — remote code execution, ransomware use confirmed
ConnectWise ScreenConnect, a remote-management (RMM) / remote-support tool, has a path-traversal vulnerability that could let an attacker execute remote code or directly impact confidential data and critical systems. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 8.4 High).
Key facts
- CVE ID: CVE-2024-1708
- CVSS base score: 8.4 HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
- Affected (vendor / product): ConnectWise ScreenConnect
- CWE: CWE-22
- Exploitation: Listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware
- Remediation due: 2026-05-12 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Path traversal (CWE-22) in ConnectWise ScreenConnect (an RMM tool that remotely manages many endpoints)
- Can lead to remote code execution (RCE) or direct impact on confidential data and critical systems
- RMM compromise = a "lever" to push malware to many managed endpoints at once
- Listed in CISA KEV = exploitation confirmed; ransomware use also confirmed (CVSS 8.4 High)
- Response: update to a fixed version (internet-exposed servers first), hunt for compromise, check endpoints
CVE-2024-1708 is a path-traversal vulnerability (CWE-22: improper limitation of a pathname) in ConnectWise ScreenConnect (an RMM — Remote Monitoring and Management — tool used by IT administrators and MSPs to remotely manage and support many endpoints). It is listed in CISA's KEV catalog, with ransomware use confirmed.
Per NVD, an attacker could exploit it to execute remote code (RCE) or directly impact confidential data and critical systems. RMM tools are dangerous precisely because, by nature, they hold powerful privileges to remotely operate the many endpoints under their management. If a ScreenConnect server is compromised, an attacker can use it as a base to push malware to many managed endpoints at once. Indeed, this vulnerability is known to have been widely exploited in ransomware attacks after disclosure (CISA also confirms ransomware use).
RMM run at the perimeter or as SaaS can be a "lever" that amplifies damage in a supply-chain-like fashion.
Key response: update to a fixed version per ConnectWise's official instructions (internet-exposed servers first). For cloud use, follow BOD 22-01. Investigating signs of compromise (suspicious connections or deployments) and checking managed endpoints are also recommended. The federal civilian remediation deadline was May 12, 2026.
Why it matters
This is a case where compromising an RMM (remote-management) tool directly enabled simultaneous attacks on many managed endpoints, and where the flaw was abused by ransomware. MSPs and IT teams should prioritize prompt RMM updates, minimized exposure, and compromise hunting. The case shows the risk of supply-chain-like damage amplification.
FAQ
What is an RMM tool?
Why is it targeted by ransomware?
What should I do?
Sources (primary)
This article is an independent summary organized from the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).