CISA Alerts on Active Exploitation of ConnectWise ScreenConnect Vulnerabilities
Severity: High (Score: 72.8)
Sources: nvd.nist.gov, www.huntress.com, Cybersecuritynews, Gbhackers
Summary
CISA has issued a warning regarding the exploitation of a critical vulnerability in ConnectWise ScreenConnect, tracked as CVE-2024-1708. This vulnerability, a path traversal flaw, allows attackers to execute remote code by overwriting critical files on the server. It is often exploited in conjunction with CVE-2024-1709, an authentication bypass vulnerability, enabling attackers to gain administrative access. Both vulnerabilities affect versions 23.9.7 and earlier of ScreenConnect. CISA added CVE-2024-1708 to its Known Exploited Vulnerabilities catalog on April 28, 2026, indicating active exploitation in the wild. Organizations using unpatched versions are at significant risk of compromise. The vulnerabilities have been linked to ongoing ransomware campaigns. Immediate action is recommended to secure affected systems.
Key Points:
- CVE-2024-1708 allows remote code execution via path traversal in ScreenConnect.
- CISA added CVE-2024-1708 to its KEV catalog on April 28, 2026, due to active exploitation.
- Both CVE-2024-1708 and CVE-2024-1709 affect versions 23.9.7 and earlier of ScreenConnect.
Key Entities
- Data Breach (attack_type)
- Malware (attack_type)
- Ransomware (attack_type)
- SlashAndGrab (campaign)
- ConnectWise (company)
- CVE-2024-1708 (cve)
- CVE-2024-1709 (cve)
- CWE-22 - Path Traversal (cwe)
- CWE-287 - Improper Authentication (cwe)
- AsyncRAT (malware)
- Cobalt Strike (malware)
- XWorm (malware)
- T1136.001 - Local Account (mitre_attack)
- T1505.003 - Web Shell (mitre_attack)
- ConnectWise ScreenConnect (tool)
- ScreenConnect (tool)
- IIS (platform)
- Windows (platform)
- Black Basta (ransomware_group)
- Lockbit (ransomware_group)
- Play (ransomware_group)
- Zip Slip (vulnerability)