CVE-2024-1708

Analyzed
Published: 21 Feb 2024, 15:29
Last modified:29 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)
high
54/100
CVSS Score
8.4 HIGH
v3.1 (cve.org)
EPSS Score
53.66% CRITICAL
54% probability +1.53%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

21 Feb 2024, 15:29
Published
Vulnerability first disclosed
28 Apr 2026, 00:00
Added to CISA KEV
ConnectWise ScreenConnect Path Traversal Vulnerability
29 Apr 2026, 03:55
Last Modified
Vulnerability information updated
12 May 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

CVSS Metrics

  • v3.1HIGHScore: 8.4CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 53.66% Percentile: 98%

Techniques & Countermeasures

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • connectwisescreenconnect

    < 23.9.8 | ≤ 23.9.7

References (4)