CVE-2024-1708

Analyzed
Published: 21 Feb 2024, 15:29
Last modified:29 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)
high
61/100
CVSS Score
8.4 HIGH
v3.1 (cve.org)
EPSS Score
87.62% CRITICAL
88% probability +35.50%
KEV
Listed
CISA
1 listing
Ransomware
Known Use
Public exploits
2 found
Dark Web
Not detected

Timeline

21 Feb 2024, 15:29
Published
Vulnerability first disclosed
28 Apr 2026, 00:00
Added to CISA KEV
ConnectWise ScreenConnect Path Traversal Vulnerability
29 Apr 2026, 03:55
Last Modified
Vulnerability information updated
12 May 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

CVSS Metrics

  • v3.1HIGHScore: 8.4CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 87.62% Percentile: 100%

Techniques & Countermeasures

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • UnknownScreenConnect

    < 23.9.8 | ≤ 23.9.7

References (4)