Mallory
Severity: High · CISA KEV · Exploited in the wild · Public exploit

ConnectWise ScreenConnect Path Traversal Vulnerability

Identifiers: CVE-2024-1708 · CWE-22 (Improper Limitation of a Pathname…)

CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect version 23.9.7 and earlier. The flaw lies in the ScreenConnect extension handling mechanism and is widely described as a Zip Slip-style issue: a malicious extension archive is extracted without adequate validation of traversal sequences (such as ../) in its entry names, so files can be written outside the intended extension subdirectory to attacker-chosen locations on the ScreenConnect server. This arbitrary file write can lead to remote code execution and direct impact to confidential data and critical systems. The vulnerability is the second half of the "SlashAndGrab" exploit chain: it has been observed chained with CVE-2024-1709, the ScreenConnect authentication bypass, which supplies the access needed to install an extension and trigger the traversal.
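To make the Zip Slip pattern concrete, the following is an added example, not ScreenConnect's own code and not a reproduction of the real extension format. It builds a constructed archive whose one entry name carries two ../ segments, extracts it with the naive join-and-write pattern that the vulnerability class describes, and then extracts it again with a hardened routine that resolves every entry against the real destination and rejects anything that escapes. The directory names (App_Extensions/<extension-id>) and file contents are assumptions for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_extension_archive(entries):
    """Build an in-memory zip from {entry_name: bytes}. Constructed sample for
    this demonstration; it is not a real ScreenConnect extension package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_naive(archive, dest):
    """The Zip Slip anti-pattern: each entry name is joined to dest and written
    as-is, so '../' segments walk out of the extension directory.
    Returns the real paths that were written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.join(dest, info.filename)  # traversal is honoured here
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(path))
    return written


def extract_safe(archive, dest):
    """Hardened extraction: every entry is resolved against the real destination
    and rejected unless it stays inside it (this also catches absolute entry
    names). Validation runs over the whole archive before anything is written,
    so a bad entry leaves no partial state behind."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"path traversal in archive entry: {info.filename!r}")
            if not info.is_dir():
                targets.append((info, target))
        written = []
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


# Constructed malicious archive: one benign-looking manifest plus an entry that
# climbs out of the per-extension folder and out of App_Extensions above it.
MALICIOUS_EXTENSION = build_extension_archive({
    "DemoExtension/Manifest.xml": b"<Manifest/>",
    "../../evil.ashx": b'<%@ WebHandler Language="C#" Class="Handler" %>',
})


def demo():
    """Extract the constructed archive both ways under a throwaway tree shaped
    like <root>/App_Extensions/<extension-id>/ and report what happened."""
    root = tempfile.mkdtemp()
    root_real = os.path.realpath(root)
    ext_dir = os.path.join(root, "App_Extensions", "demo-extension-id")
    os.makedirs(ext_dir)

    naive_paths = extract_naive(MALICIOUS_EXTENSION, ext_dir)
    ext_real = os.path.realpath(ext_dir)
    escaped = [p for p in naive_paths
               if os.path.commonpath([ext_real, p]) != ext_real]

    safe_dir = os.path.join(root, "App_Extensions", "safe-extension-id")
    os.makedirs(safe_dir)
    try:
        extract_safe(MALICIOUS_EXTENSION, safe_dir)
        blocked = False
    except ValueError:
        blocked = True

    return {
        "escaped_files": [os.path.relpath(p, root_real).replace(os.sep, "/") for p in escaped],
        "safe_extractor_blocked": blocked,
        "safe_dir_left_empty": os.listdir(safe_dir) == [],
    }


if __name__ == "__main__":
    print(demo())
```

The naive extractor drops evil.ashx two levels above the extension folder, which is exactly the primitive the page describes: a server-executable file placed where the web server will run it. The hardened version refuses the whole archive rather than skipping the bad entry, so the manifest is never written either.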


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary file write outside the intended extension directory, which can be leveraged for remote code execution on the ScreenConnect server by writing server-executable files such as ASPX/ASHX webshells or other payloads. It can also enable unauthorized modification of server files, compromise of confidential data, and broader impact to critical systems reachable through the remote support platform. Because ScreenConnect is a remote access product that commonly operates with elevated trust and broad administrative reach, compromise provides a high-value foothold for follow-on actions including persistence, lateral movement, data theft, and ransomware deployment. The vulnerability is actively exploited in the wild and is included in CISA's KEV catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, isolate or discontinue vulnerable on-premises ScreenConnect instances, as CISA has recommended. Restrict exposure of the ScreenConnect server, especially internet-facing access, and monitor closely for unusual administrative behavior, unexpected remote connections, unauthorized file access, and suspicious file creation under the ScreenConnect App_Extensions directory, particularly ASPX and ASHX files. Review extension installation activity, remove untrusted extensions, and hunt for indicators of compromise such as webshells in /App_Extensions/. Follow vendor hardening guidance and BOD 22-01 where it applies.

Remediation

Patch, then assume compromise.

Upgrade ConnectWise ScreenConnect to version 23.9.8 or later; ConnectWise security bulletin 23.9.8 is the fix release, and versions 23.9.7 and earlier are affected. ConnectWise has applied the patches to cloud-hosted ScreenConnect controllers; on-premises administrators must update immediately. If there is evidence of exploitation, do not rely on patching alone: rebuild the affected ScreenConnect server from a known clean backup taken before the exposure window, and investigate for persistence artifacts such as unauthorized admin accounts, abnormal session history, and webshells under App_Extensions or related paths.
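The mitigation and remediation notes above both come down to the same hunt: find server-executable files under App_Extensions that do not belong there. The following is an added example, not a Mallory or ConnectWise tool. It walks an App_Extensions tree and flags .aspx/.ashx files that sit at the App_Extensions root, live in an extension folder not on an allowlist of known-installed extension ids, or were modified after a reference time such as the date the host was patched. The demo builds a constructed tree with invented extension ids, file names and contents; the allowlist and reference time are assumptions the operator supplies.

```python
import os
import tempfile
import time

# File types the ASP.NET side of the server will execute if they land under
# App_Extensions; the page calls out ASPX and ASHX specifically.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx"}


def hunt_app_extensions(app_extensions_dir, known_extension_ids=frozenset(), modified_after=None):
    """Return server-executable files under App_Extensions that are
    (a) at the App_Extensions root, (b) inside an extension folder not in the
    known-good allowlist, or (c) modified at/after a reference timestamp.
    Each finding carries its relative path, mtime and the reasons it matched."""
    root = os.path.realpath(app_extensions_dir)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        extension_id = "" if rel == "." else rel.split(os.sep)[0]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            reasons = []
            if extension_id == "":
                reasons.append("executable file at App_Extensions root")
            elif extension_id not in known_extension_ids:
                reasons.append(f"unknown extension directory {extension_id!r}")
            if modified_after is not None and mtime >= modified_after:
                reasons.append("modified after reference time")
            if reasons:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "mtime": mtime,
                    "reasons": reasons,
                })
    return sorted(findings, key=lambda f: f["path"])


def _write(path, data, mtime=None):
    """Create a file (and parents) and optionally back-date its mtime."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def demo():
    """Build a constructed App_Extensions tree and hunt it. Extension ids,
    file names and contents are invented for the demonstration."""
    root = tempfile.mkdtemp()
    app_ext = os.path.join(root, "App_Extensions")
    known_id = "00000000-0000-0000-0000-000000000001"  # hypothetical legitimate extension
    patch_time = time.time() - 7 * 86400                # pretend the host was patched a week ago

    # Legitimate extension, untouched since well before the patch: must not be flagged.
    _write(os.path.join(app_ext, known_id, "Service.ashx"), b"legit handler",
           mtime=patch_time - 30 * 86400)
    # Two artefacts consistent with a traversal write: one dropped at the
    # App_Extensions root, one inside an extension folder nobody installed.
    _write(os.path.join(app_ext, "evil.aspx"), b"<% /* constructed webshell stand-in */ %>")
    _write(os.path.join(app_ext, "deadbeef-0000-0000-0000-000000000002", "cmd.ashx"),
           b"constructed")

    return hunt_app_extensions(app_ext, known_extension_ids={known_id},
                               modified_after=patch_time)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Legitimate extensions can ship .ashx handlers, so the script does not treat the file type alone as evidence; it is the location and timing that make a file suspicious. Run it against the live App_Extensions directory with the allowlist taken from the extension inventory of a known-clean controller, and treat anything that matches as a reason to move to the rebuild path rather than just deleting the file.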

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor        Product        Type
ConnectWise   ScreenConnect  application

Vendor-confirmed product mapping.

What this page doesn't show

This page is what's public. Additional data is available in Mallory:

Exposure mapping: assets running an affected version, and the blast radius.
Threat actor evidence (6): observed campaigns linking this CVE to a named adversary.
Associated malware (7): malware families riding this exploit, with evidence and IOCs.
Detection signatures (1): YARA, Sigma, Snort, and vendor rules.
Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants.
Social activity (30): community discussion across Reddit, Mastodon, and other social sources.