NVD - CVE-2024-1708 (original) (raw)
ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
CNA: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
This CVE is in CISA's Known Exploited Vulnerabilities Catalog
Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name | Date Added | Due Date | Required Action |
|---|---|---|---|
| ConnectWise ScreenConnect Path Traversal Vulnerability | 04/28/2026 | 05/12/2026 | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | NIST Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government |
Known Affected Software Configurations Switch to CPE 2.2
Change History
10 change records found show changes
CVE Modified by CISA-ADP 6/17/2026 3:04:50 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | SSVC | {"timestamp":"2024-02-21T00:00:00+00:00","id":"CVE-2024-1708","options":[{"exploitation":"active"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"} |
CVE Modified by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 6/17/2026 3:04:50 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | [{"vendor":"ConnectWise","product":"ScreenConnect","defaultStatus":"unaffected","versions":[{"version":"0","lessThanOrEqual":"23.9.7 ","versionType":"custom","status":"affected","changes":[{"at":"23.9.8","status":"unaffected"}]}]}] |
Modified Analysis by NIST 4/28/2026 5:44:53 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference Type | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2024-1708 Types: Third Party Advisory, US Government Resource | |
| Added | Reference Type | CISA-ADP: https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/ Types: Technical Description |
CVE Modified by CISA-ADP 4/28/2026 3:23:08 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2024-1708 | |
| Added | Reference | https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/ |
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 4/28/2026 3:00:05 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Date Added | 2026-04-28 | |
| Added | Due Date | 2026-05-12 | |
| Added | Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | |
| Added | Vulnerability Name | ConnectWise ScreenConnect Path Traversal Vulnerability |
CVE Modified by CVE 11/21/2024 3:51:08 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 | |
| Added | Reference | https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass |
CVE Modified by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 5/14/2024 10:48:40 AM
| Action | Type | Old Value | New Value |
|---|
Initial Analysis by NIST 2/22/2024 10:19:39 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | NIST AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | |
| Added | CWE | NIST CWE-22 | |
| Added | CPE Configuration | OR *cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:* versions up to (excluding) 23.9.8 | |
| Changed | Reference Type | https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 No Types Assigned | https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 Vendor Advisory |
| Changed | Reference Type | https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass No Types Assigned | https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass Exploit, Third Party Advisory |
CVE Modified by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/21/2024 2:15:08 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass [No types assigned] |
New CVE Received from Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 2/21/2024 11:15:50 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. | |
| Added | CVSS V3.1 | Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | |
| Added | CWE | Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government CWE-22 | |
| Added | Reference | Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 [No types assigned] |