CISA adds ConnectWise ScreenConnect path-traversal bug (CVE-2024-1708) to Known Exploited Vulnerabilities catalog

- CISA added ConnectWise ScreenConnect bug CVE-2024-1708 to its KEV list on April 28, giving federal agencies until May 12 to mitigate.
- The flaw hits ScreenConnect 23.9.7 and earlier, and CISA’s entry says the path traversal can enable remote code execution on exposed systems.
- That matters because KEV status means confirmed real-world exploitation — and ScreenConnect is remote-access software with deep administrator reach.

Remote-support software is supposed to be the thing admins use to fix problems fast. But when the remote-support tool is the problem, the blast radius gets ugly fast. That is the setup here. On April 28, 2026, CISA added ConnectWise ScreenConnect flaw CVE-2024-1708 to the Known Exploited Vulnerabilities catalog, which is the federal government’s short list of bugs already being abused in the wild. (cisa.gov)

### What is ScreenConnect, exactly?

ScreenConnect is remote access and remote support software. MSPs, IT teams, and help desks use it to reach into other machines, control them, move files, and do admin work without being physically present. That convenience is the whole point — and also the risk. If an attacker gets into the tool, the attacker can inherit the same kind of reach an admin has. (connectwise.com)

### What is CVE-2024-1708?

CVE-2024-1708 is a path-traversal vulnerability in ScreenConnect 23.9.7 and earlier. Path traversal basically means a program can be tricked into reaching files or locations it was not supposed to touch. In this case, CISA’s KEV entry and the NVD description both tie the bug to remote code execution or dir(connectwise.com) category. (cisa.gov)

### Why does KEV status matter so much?

KEV is not a generic watchlist. CISA adds bugs when there is evidence of active exploitation. For federal civilian agencies, that triggers a deadline under Binding Operational Directive 22-01. For everyone else, it is still a strong signal that this is not theoretical anymore. The due date attached to this entry is May 12, 2026. (cisa.gov)

### Didn’t this bug surface back in 2024?

Yes — and that is the part that makes this update notable. ConnectWise published its ScreenConnect 23.9.8 security fix on February 19, 2024, and said cloud instances were remediated while on-prem customers needed to upgrade immediately. But CISA’s KEV catalog did not list CVE-2024-1708 until April 28, 2026. That gap suggests eithe(cisa.gov)catalog entry itself is the important change now. (connectwise.com)

### What should defenders look at first?

Version number, hosting model, and internet exposure. ConnectWise says cloud partners were remediated, while on-prem deployments needed patching. The fixed baseline from the 2024 bulletin was 23.9.8 or later for maintained customers, with 22.4.20001 offered as an interim option for some off-m(connectwise.com)ted as urgent. (connectwise.com)

### Why is path traversal such a nasty class?

Because it can look simple but unlock much bigger outcomes. Think of it like finding a side door into a building that was designed around a locked front desk. The bug itself is “just” bad file access logic, but once that side door opens inside a remote-admin product, attackers can chain (connectwise.com) Secure by Design alert about directory traversal flaws. (nvd.nist.gov)

### So what changed today?

The big change is prioritization. CVE-2024-1708 is no longer just an old severe ScreenConnect bug with a patch. It is now an officially tracked, actively exploited vulnerability with a federal remediation clock attached. That pushes it back to the top of patch queues, especially anywhere ScreenConnect is self-hosted. (cisa.gov)n on-prem ScreenConnect and have not verified your version lately, do that now. This is the kind of bug attackers revisit because remote-management tools give them exactly what they want — trusted access, broad control, and a fast path deeper into a network. (cisa.gov)
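
The first-pass check described under "What should defenders look at first?" (version number, hosting model, internet exposure), as an added Python example that is not from the article, ConnectWise or CISA. The inventory rows, column names and status labels are constructed for illustration, and treating only 22.4-branch builds as the interim option is an assumption.

```python
import csv
import io

FIXED = (23, 9, 8)        # fixed baseline from the 2024 bulletin, per the article
INTERIM = (22, 4, 20001)  # interim build named in the article

# Constructed sample inventory: hosts, builds and column names are hypothetical.
SAMPLE_INVENTORY = """host,version,hosting,internet_exposed
sc-a.example.internal,23.9.7.1000,on-prem,yes
sc-b.example.internal,23.9.8.1000,on-prem,yes
sc-c.example.internal,22.4.20001.1000,on-prem,no
sc-d.example.internal,19.2,on-prem,no
sc-e.example.internal,unknown,on-prem,yes
tenant-f.example.net,23.9.7.1000,cloud,yes
"""

def parse_version(text):
    """'23.9.7.1000' -> (23, 9, 7, 1000); ValueError if not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one inventory row; the status labels are this example's own."""
    if row["hosting"].strip().lower() == "cloud":
        return "cloud-vendor-remediated"  # ConnectWise says cloud was remediated
    try:
        version = parse_version(row["version"])
    except ValueError:
        return "verify-version"           # unverified on-prem build: check by hand
    if version[:3] >= FIXED:
        return "at-or-above-fixed"
    # Assumption: only builds on the 22.4 branch count as the interim option.
    if version[:2] == INTERIM[:2] and version[:3] >= INTERIM:
        return "interim-build"
    exposed = row["internet_exposed"].strip().lower() == "yes"
    return "affected-exposed" if exposed else "affected-internal"

def triage_inventory(csv_text):
    """Return {host: status} for every row of a CSV inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:24} {host}")
```

Rows that come back as `verify-version` are on-prem instances whose build could not be read, so they belong in the same queue as the affected ones until someone confirms the version.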
