CISA adds ScreenConnect exploit
- CISA on April 28 added ConnectWise ScreenConnect bug CVE-2024-1708 to its KEV list, marking the remote-management flaw as actively exploited again.
- The bug is an older path-traversal issue tied to remote code execution; CISA gave federal agencies until May 12 to remediate it.
- Separately, a new Linux kernel flaw makes post-compromise escalation easier, which raises the payoff from any foothold.

Remote access software is supposed to be the tool admins use to fix problems. But when that software breaks, it becomes a ready-made path into everything else. That is why CISA’s April 28 move matters. The agency added ConnectWise ScreenConnect vulnerability CVE-2024-1708 to its Known Exploited Vulnerabilities catalog, which is the government’s shorthand for: this is not theoretical anymore. (cisa.gov)

### What exactly did CISA add?

The entry was for CVE-2024-1708, a ScreenConnect path-traversal bug. In plain English, that means an attacker can reach files or functions they should not be able to touch, and in this case the impact can go all the way to remote code execution and direct compromise of sensitive systems. CISA set a May 12 remedia(cisa.gov)forces urgent patching once active exploitation is confirmed. (cisa.gov)

### Why is ScreenConnect such a big deal?

Because ScreenConnect sits in a privileged spot. It is remote support and remote monitoring software — basically the kind of tool that already has deep access to endpoints, servers, and admin workflows. If an attacker gets control of that layer, they are not breaking in through a side window. They are (cisa.gov)at once. That is why ScreenConnect bugs have drawn so much attention from defenders and ransomware crews. (cisa.gov)

### Isn’t CVE-2024-1708 old news?

Yes — and that is part of the story. This flaw blew up in early 2024, and ConnectWise pushed fixes then. But CISA adding it to KEV in late April 2026 means the bug is still showing up in real intrusions, either because some on-prem systems stayed unpatched or because exposed instances are still easy to find an(cisa.gov). (cisa.gov)

### What is ConnectWise telling customers now?

ConnectWise has also been hardening ScreenConnect in newer releases. In March 2026 it published a separate bulletin for ScreenConnect 26.1 covering server-level cryptographic material, with CVE-2026-3564 affecting versions before 26.1 and a recommendation to upgrade on-prem installations as soon a(cisa.gov)e broader picture — this product family is still security-sensitive enough that admins need to pay attention to version drift, not just one headline CVE. (connectwise.com)

### Where does the Linux bug fit in?

The second issue is different but related in practice. The newly disclosed Linux kernel flaw CVE-2026-31431 — nicknamed “Copy Fail” — is a local privilege-escalation bug, not a remote entry bug. Theori’s writeup, summarized by The Register, says an unprivileged user (connectwise.com)ncept is tiny, works across many distributions since 2017, and could also help with container escape because the page cache is shared with the host. (theregister.com)

### Why do these two bugs matter together?

Because attackers chain bugs. A remote-access flaw like ScreenConnect gets the first foothold. A local Linux escalation bug turns that foothold into root. The catch is that CVE-2026-31431 is not remotely exploitable by itself, but once an attacker lands on a box — through web RCE, stol(theregister.com)e the damage ceiling. (theregister.com)

### Who should worry first?

On-prem ScreenConnect operators should. So should MSPs, shared-hosting environments, CI systems, and container-heavy Linux estates. Cloud customers may have less direct patching work for ScreenConnect itself, but any self-managed remote admin stack or Linux host handling untrusted workloads deserves (theregister.com)things attackers are already using first. (connectwise.com)

### Bottom line?

The news is not just that one old ScreenConnect bug is back on the urgent list. It is that remote-management software and Linux privilege escalation still combine into a very familiar attack path — get in fast, then climb to root. If you run ScreenConnect on-prem, patch and audit exposu(connectwise.com) both halves. (cisa.gov)
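
To make the "version drift, not just one headline CVE" point concrete, here is an added triage example; it is not code from CISA, ConnectWise, or this article. It reuses field names from CISA's public KEV JSON feed with the article's dates, and it assumes a constructed inventory (host names, versions, and the `hosting`/`exposed` fields are hypothetical) and that vendor-hosted instances are out of scope for self-patching.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed; dates are the article's.
KEV = [{"cveID": "CVE-2024-1708", "product": "ScreenConnect",
        "dateAdded": "2026-04-28", "dueDate": "2026-05-12"}]

# From the March 2026 bulletin cited above: CVE-2026-3564 affects versions before 26.1.
FLOORS = {"ScreenConnect": [("CVE-2026-3564", (26, 1))]}

# Constructed inventory; hosts and versions are hypothetical.
INVENTORY = [
    {"host": "rmm-a.example", "product": "ScreenConnect", "version": "25.4.2",
     "hosting": "on-prem", "exposed": False},
    {"host": "rmm-b.example", "product": "ScreenConnect", "version": "26.1.0",
     "hosting": "on-prem", "exposed": True},
    {"host": "rmm-c.example", "product": "ScreenConnect", "version": "unknown",
     "hosting": "on-prem", "exposed": False},
    {"host": "rmm-d.example", "product": "ScreenConnect", "version": "24.2.1",
     "hosting": "cloud", "exposed": True},
]

def parse_version(text):
    """'25.4.2' -> (25, 4, 2); anything unparseable -> () so it fails closed."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdecimal() for p in parts) else ()

def triage(inventory, kev, floors, today):
    """Return (host, cve, action, days_left) rows, most urgent first."""
    now = date.fromisoformat(today)
    rows = []
    for asset in inventory:
        if asset["hosting"] != "on-prem":
            continue  # assumption: vendor-hosted instances are patched by the vendor
        version = parse_version(asset["version"])
        for entry in kev:  # KEV match is by product; the deadline drives urgency
            if entry["product"] == asset["product"]:
                left = (date.fromisoformat(entry["dueDate"]) - now).days
                rows.append((asset, entry["cveID"], "confirm vendor-fixed build", left))
        for cve, floor in floors.get(asset["product"], []):
            if version < floor:  # () compares below every floor
                need = ".".join(map(str, floor))
                rows.append((asset, cve, f"upgrade to {need} or later", None))
    # Internet-exposed hosts first, then nearest deadline; undated items last.
    rows.sort(key=lambda r: (not r[0]["exposed"], r[3] is None, r[3] or 0, r[0]["host"]))
    return [(a["host"], cve, action, left) for a, cve, action, left in rows]

if __name__ == "__main__":
    for row in triage(INVENTORY, KEV, FLOORS, "2026-05-05"):
        print(row)
```

A host whose version string cannot be parsed is flagged rather than skipped, and a negative `days_left` means the KEV due date has already passed.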