Background
ConnectWise ScreenConnect (formerly Control) is a remote monitoring and management (RMM) tool used extensively by managed service providers (MSPs) and IT departments to provide remote support, access, and management to client endpoints. With deployments in tens of thousands of MSP environments, ScreenConnect has direct privileged access to client systems by design — making it an extraordinarily attractive attack vector.
CVE-2024-1708 is a path traversal vulnerability that, when chained with CVE-2024-1709 (an authentication bypass in the same product, CVSS 10.0), enables unauthenticated remote code execution. While both CVEs were disclosed in February 2024, CVE-2024-1708 remains in CISA’s KEV catalogue due to continued active exploitation — particularly in ransomware campaigns where attackers use MSPs as conduits to reach the MSP’s client base.
The MSP attack vector is especially dangerous: a single ScreenConnect server compromise gives attackers access to every client system that MSP manages, potentially affecting hundreds of organisations through a single initial foothold.
Technical Mechanism
CVE-2024-1708 is a path traversal vulnerability in ScreenConnect’s file restoration/extension upload functionality. The affected endpoint accepts file uploads destined for specific directories on the ScreenConnect server. The filename parameter is not adequately sanitised before being used to construct the filesystem path.
An attacker can supply a filename containing directory traversal sequences such as ../../ that cause the uploaded file to be written to an arbitrary location outside the intended directory. When combined with CVE-2024-1709 (which bypasses the authentication check on the setup endpoint), the attack becomes fully unauthenticated:
- CVE-2024-1709: An authentication bypass in the ScreenConnect setup wizard allows the attacker to trigger the setup process as if the server is unconfigured, creating an administrative user.
- CVE-2024-1708: Using the newly created admin session, the attacker uploads a web shell to the ScreenConnect web application directory using path traversal, placing it where it will be served by the web server.
- The web shell provides persistent, authenticated RCE in the context of the ScreenConnect service account.
The ScreenConnect service typically runs under a service account with sufficient privileges to read configuration files (including client connection credentials), execute commands on managed endpoints via the ScreenConnect protocol, and modify service configurations.
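To make the mechanism concrete, here is an added illustration (not ScreenConnect's code; the upload root is an assumed placeholder) of the vulnerable join beside a hardened one that rejects the traversal sequences described above:

```python
import posixpath

# Assumed upload root for illustration only; not ScreenConnect's real layout or code.
UPLOAD_ROOT = "/srv/app/App_Extensions"


def naive_target_path(filename: str) -> str:
    """Vulnerable pattern: the client-supplied filename is joined to the root
    with no validation, so '../' components walk out of UPLOAD_ROOT."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def safe_target_path(filename: str) -> str:
    """Hardened form. Call this on the fully URL-decoded value: decode first,
    then validate, so an encoded '..%2F' cannot pass as an opaque string."""
    # 1. Accept a bare basename only; any directory component is rejected.
    if filename in ("", ".", "..") or filename != posixpath.basename(filename):
        raise ValueError(f"invalid filename: {filename!r}")
    # 2. Reject Windows separators and NUL, which posixpath does not treat as
    #    separators but the underlying filesystem or runtime might.
    if "\\" in filename or "\x00" in filename:
        raise ValueError(f"invalid filename: {filename!r}")
    # 3. Belt and braces: the normalised result must still sit under the root.
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError(f"path escapes upload root: {target}")
    return target


def is_safe_filename(filename: str) -> bool:
    """Boolean wrapper around safe_target_path for callers that only want a verdict."""
    try:
        safe_target_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("plugin.ashx", "../../App_Web_x/dropped.aspx", "a/../b.aspx"):
        print(f"{name!r:32} naive -> {naive_target_path(name):36} safe? {is_safe_filename(name)}")
```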
Real-World Exploitation Evidence
CVE-2024-1708/1709 are among the most heavily exploited vulnerabilities in 2024, and active exploitation continued well into 2026. The combination achieved near-immediate exploitation after disclosure — multiple threat intelligence sources documented exploitation within hours of the February 2024 advisory.
Major confirmed exploitation campaigns:
- LockBit ransomware affiliates: Multiple LockBit affiliates incorporated ScreenConnect exploitation into their toolkit, using MSP access to conduct multi-victim ransomware deployments. CISA, FBI, and ACSC issued a joint advisory specifically addressing this threat.
- Black Basta ransomware: Confirmed deployment via compromised ScreenConnect servers, with attacks targeting healthcare, manufacturing, and financial services sectors.
- Scattered Spider: The social engineering-focused group added ScreenConnect exploitation to their toolkit for initial access in enterprise environments.
The reason these CVEs remain under active exploitation two years after disclosure is that a substantial number of self-hosted ScreenConnect deployments remain unpatched, and MSPs with weak patch management processes are specifically targeted.
Impact Assessment
The ScreenConnect attack surface is uniquely dangerous due to the MSP architecture:
- Multi-organisation blast radius: MSPs use a single ScreenConnect server to manage hundreds of client organisations. One exploit grants access to all managed endpoints.
- Trusted agent: ScreenConnect agents on client systems accept commands from the server by design. No additional exploitation is needed to run commands on client machines.
- Ransomware delivery vector: Attackers can deploy ransomware to every managed endpoint simultaneously, executing multi-victim extortion from a single initial access.
- Credential harvesting at scale: Client credentials, domain admin accounts, and infrastructure access credentials are accessible through ScreenConnect sessions.
- Lateral movement automation: The RMM’s mass command execution feature, intended for legitimate patch deployment, becomes a ransomware delivery mechanism.
For organisations managed by an MSP, the risk is entirely outside their control — it depends on the MSP’s patching hygiene.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ScreenConnect | < 23.9.8 | 23.9.8 |
| ScreenConnect (on-premises) | All versions < 23.9.8 | 23.9.8 |
Cloud-hosted ScreenConnect instances (ScreenConnect.com) were patched by ConnectWise within hours of disclosure. Only self-hosted (on-premises) instances require manual updating.
Remediation Steps
For on-premises ScreenConnect deployments:
- Upgrade to 23.9.8 or later: Download from the ConnectWise partner portal. The update process replaces the application binaries; follow ConnectWise’s upgrade guide for your deployment type (Windows Service / Linux / Docker).
- Verify patch application: After upgrade, navigate to Administration > General Information and confirm the version number. Test that the setup wizard endpoint (/SetupWizard.aspx) returns a 404 or redirect rather than the setup UI.
- Check for web shells: Immediately after patching, scan the ScreenConnect installation directory (default C:\Program Files (x86)\ScreenConnect\ on Windows, /opt/screenconnect/ on Linux) for unexpected .aspx, .ashx, or .php files.
- Review extension directory: Check the App_Extensions directory for any extensions not installed by your team.
- Rotate all ScreenConnect credentials: Reset the admin password and rotate any API keys configured in ScreenConnect.
- For MSPs: Notify client organisations of the potential exposure and conduct threat hunting across managed endpoints for indicators of compromise.
If patching is not immediately possible: Restrict access to the ScreenConnect web interface to known MSP IP ranges at the firewall level, eliminating internet exposure.
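The web-shell and extension-directory checks above can be scripted. The following is an added example (not ConnectWise tooling; the directory layout, extension IDs and file contents are constructed for the demo) that flags script-capable files under App_Extensions subdirectories missing from your inventory, plus any such file modified after a known-clean baseline time:

```python
import os
import tempfile
import time
from pathlib import Path

# File types the web server would execute if dropped into the tree.
SCRIPT_EXTS = {".aspx", ".ashx", ".php"}


def find_suspicious_files(root, allowed_extension_ids, since_epoch):
    """Return sorted (relative_path, reason) pairs for script-capable files that
    are either under an App_Extensions subdirectory not in the team's inventory,
    or were modified after since_epoch (e.g. the last known-clean baseline)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        parts = path.relative_to(root).parts
        rel = "/".join(parts)
        if parts[0] == "App_Extensions" and len(parts) > 2 \
                and parts[1] not in allowed_extension_ids:
            findings.append((rel, "unknown extension directory"))
        elif path.stat().st_mtime > since_epoch:
            findings.append((rel, "modified after baseline"))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample install tree (assumed layout, not a real server)."""
    root = tempfile.mkdtemp()
    old, now = time.time() - 90 * 86400, time.time()
    sample = {
        "Login.aspx": old,                          # shipped with the product
        "Service.ashx": old,
        "App_Extensions/a1b2c3/Service.ashx": old,  # installed by the team
        "App_Extensions/deadbeef/cmd.aspx": old,    # not in the inventory
        "App_Web_xyz/upload.aspx": now,             # appeared after the baseline
    }
    for rel, mtime in sample.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<%@ Page %>")
        os.utime(p, (mtime, mtime))
    return root


def scan_demo():
    """Build the constructed tree and scan it against a 7-day-old baseline."""
    return find_suspicious_files(build_demo_tree(), {"a1b2c3"}, time.time() - 7 * 86400)


if __name__ == "__main__":
    for rel, reason in scan_demo():
        print(f"{reason:28} {rel}")
```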
Detection Guidance
Indicators of compromise on ScreenConnect servers:
- Unexpected .aspx files in the web application directory (especially App_Extensions/ or App_Web_*/)
- Web server logs showing POST requests to /SetupWizard.aspx from external IPs
- Processes spawned by the ScreenConnect service account that are not typical ScreenConnect operations (cmd.exe, powershell.exe with encoded commands, curl/wget with external URLs)
- New user accounts in ScreenConnect’s user database
Splunk/SIEM query:

```
index=iis source="*ScreenConnect*" (uri="*SetupWizard*" OR uri="*..%2F*" OR uri="*../*") method=POST | stats count by src_ip, uri, status
```
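For environments without a SIEM, the same logic can be run directly over IIS W3C logs. This added example (not from the advisory or ConnectWise; the log excerpt, IPs and the /upload endpoint are constructed placeholders) parses the #Fields header, flags POSTs to the setup wizard and any traversal sequence, and aggregates like the query's stats clause. It goes slightly beyond the query by decoding twice and flagging traversal on any method, since double-encoded or GET-based probes are worth reviewing too:

```python
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C excerpt mirroring the default field order; hosts, IPs and
# the /upload endpoint are placeholders, not values from any real incident.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-20 03:14:07 10.0.0.5 GET /Login.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows) 200
2024-02-20 03:14:09 10.0.0.5 POST /SetupWizard.aspx/ - 443 - 198.51.100.23 python-requests/2.31 200
2024-02-20 03:14:15 10.0.0.5 POST /upload name=..%2F..%2FApp_Web_x%2Fdropped.aspx 443 admin 198.51.100.23 python-requests/2.31 200
2024-02-20 03:20:00 10.0.0.5 GET /App_Extensions/a1b2c3/Service.ashx - 443 - 192.0.2.77 Mozilla/5.0+(Windows) 200
"""


def parse_iis(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip malformed rows rather than mis-map columns
                yield dict(zip(fields, values))


def classify(rec):
    """Return a reason string if the request matches the indicators above, else None."""
    stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
    if rec["cs-method"] == "POST" and "setupwizard" in stem.lower():
        return "POST to setup wizard"
    raw = stem if query == "-" else f"{stem}?{query}"
    decoded = unquote(unquote(raw)).lower()   # catches ../, ..%2F and double-encoded forms
    if "../" in decoded or "..\\" in decoded:
        return "traversal sequence in request"
    return None


def summarize(log_text):
    """Equivalent of the SIEM 'stats count by src_ip, uri, status', plus the reason."""
    counts = Counter()
    for rec in parse_iis(log_text):
        reason = classify(rec)
        if reason:
            counts[(rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], reason)] += 1
    return counts


if __name__ == "__main__":
    for (ip, uri, status, reason), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3} {ip:16} {status} {uri:22} {reason}")
```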
CISA, FBI, and ASD’s ACSC have published joint IOC lists and detection guidance at cisa.gov/alerts-advisories.
Timeline
| Date | Event |
|---|---|
| 2024-02-19 | ConnectWise advisory published, patched version 23.9.8 released |
| 2024-02-20 | First exploitation observed (within ~12 hours of advisory) |
| 2024-02-21 | CISA adds CVE-2024-1708 and CVE-2024-1709 to KEV |
| 2024-02-27 | CISA/FBI/ACSC joint advisory on ScreenConnect exploitation |
| 2025-ongoing | Continued exploitation of unpatched on-premises deployments |
| 2026-05-21 | This analysis published (CVE remains in active exploitation) |