# CISA Alerts on Critical ConnectWise and Windows Vulnerabilities Being Actively Exploited in the Wild


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added two high-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that threat actors are actively weaponizing these flaws in targeted attacks. Organizations using ConnectWise ScreenConnect and certain Windows systems face immediate risk and should treat these advisories with the highest priority.


## The Threat


CVE-2024-1708 is a path traversal vulnerability (CWE-22) in ConnectWise ScreenConnect, a widely deployed remote access and support platform used by thousands of organizations. The flaw lets an attacker reach files outside the directory the application intends to serve, exposing configuration data, authentication material, and other sensitive content stored on the affected server.


Path traversal exploits missing or incomplete validation of a client-supplied file path: the application joins the untrusted path onto a base directory, and `..` segments (or their URL-encoded equivalents) walk the resulting path back out of that directory. In ScreenConnect's case, the application's file-serving functionality can be driven to return resources outside the designated application directory. Because ScreenConnect is by design a gateway into internal networks, a successful read of its configuration or credential material gives an adversary a foothold for lateral movement and deeper compromise.
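As an added illustration of the mechanism just described (example code written for this page, not ScreenConnect's own file-serving logic, which is not shown here), the Python below contrasts a naive resolver with one that canonicalizes the request before enforcing the document root. `DOC_ROOT` and the request strings are assumptions chosen for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demonstration; an illustrative path, not ScreenConnect's layout.
DOC_ROOT = "/srv/app/public"


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %2e%2e%2f and double-encoded %252e%252e%252f both surface as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_naive(requested: str) -> str:
    """Vulnerable resolver: decodes once and joins the client path under DOC_ROOT.
    normpath() then honours every '..' segment, so the result can point anywhere;
    a leading '/' in the request even makes posixpath.join discard DOC_ROOT entirely."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, unquote(requested)))


def resolve_safe(requested: str):
    """Hardened resolver: canonicalize first, then enforce the root.
    Returns the absolute path to serve, or None when the request must be refused."""
    path = decode_fully(requested).replace("\\", "/")  # '..\' traverses on Windows hosts too
    path = path.lstrip("/")                              # the client never supplies an absolute path
    norm = posixpath.normpath(path)                      # 'a/../b' -> 'b'; a leading '..' survives
    if norm in (".", "..") or norm.startswith("../"):
        return None
    full = posixpath.join(DOC_ROOT, norm)
    # Defence in depth: the joined path must still sit under the root.
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    for req in ("css/site.css", "docs/../index.html", "../../../etc/passwd",
                "%2e%2e/%2e%2e/secret.txt", "%252e%252e%252fsecret.txt", "..\\..\\conf\\app.config"):
        print(f"{req!r:34} naive={resolve_naive(req)!r:36} safe={resolve_safe(req)!r}")
```

Note that `resolve_safe` still allows `docs/../index.html`, because after normalization it stays inside the root; a blanket "reject anything containing `..`" rule is both easier to bypass (encoding) and stricter than necessary. On a real server, follow the logical check with `os.path.realpath()` and re-check the prefix, since a symlink inside the root can otherwise point outside it.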


Inclusion in CISA's KEV catalog is a formal determination that there is reliable evidence of active exploitation in the wild, not merely that a proof of concept exists. For federal civilian agencies the catalog carries binding remediation deadlines under BOD 22-01; private organizations and critical infrastructure operators are not bound by that directive, but should apply the same urgency to anything that appears in it.


## Severity and Impact


| Aspect | Details |
|--------|---------|
| CVE Identifier | CVE-2024-1708 |
| Affected Component | ConnectWise ScreenConnect |
| CVSS v3.1 Base Score | 8.4 (High) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| Attack Complexity | Low |
| Authentication Required | None |
| Attack Vector | Network |
| Confidentiality Impact | High |
| Integrity Impact | Low |
| CWE Identifier | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |


A base score of 8.4 sits in the High band (7.0 to 8.9) of the CVSS v3.1 scale, not the Critical band. Read literally, the vector in the table describes a flaw reachable over the network, with low attack complexity and no user interaction, whose main effect is disclosure (high confidentiality impact) with only limited modification capability (low integrity impact). Be aware that those metric values compute to 8.2 under the v3.1 formula, so the vector and the score shown here cannot both be right; take both from ConnectWise's advisory or the NVD record before reusing them in your own triage. Whatever the exact metrics, file disclosure combined with ScreenConnect's privileged position in network infrastructure raises the real-world risk well beyond what the base score captures.


## Affected Products


ConnectWise ScreenConnect:

  • Version 23.9.7 and earlier
  • Version 23.12.x prior to 23.12.3
  • Version 24.1.x prior to 24.1.1

Anyone running an older or unpatched version should treat the update as an emergency change, not a standard maintenance-window item.


Microsoft Windows:

A second vulnerability, affecting Windows, was added to the KEV catalog at the same time. Consult Microsoft's security update guide and the CISA KEV entry for its CVE identifier and the affected Windows versions and build numbers, prioritizing systems in exposed network positions.


## Mitigations


Immediate Actions:


1. Apply Security Patches - ConnectWise has released fixed builds addressing CVE-2024-1708; update every instance to the fixed release named in the ConnectWise advisory for its branch (the affected-version list above gives the floor for each). ConnectWise applied the fix to its cloud-hosted instances; self-hosted (on-premises) servers must be updated by their operators. Download installers only from the ConnectWise portal and verify the Authenticode signature before running them.


2. Deploy Network Controls - Restrict exposure of the ScreenConnect web interface to trusted networks. Where the server must be reachable from the internet, limit administrative access with firewall rules and VPN segmentation so that the management interface is not addressable from the general internet.


3. Monitor for Exploitation - Review web server and application logs for requests containing traversal sequences such as `../` and `..\`, including their percent-encoded (`%2e%2e%2f`, `..%5c`) and double-encoded forms, particularly requests targeting configuration and data directories. Correlate hits with response codes: a 200 on such a request means the file was most likely served. Enable detailed request logging if it is not already active.


4. Audit File Access - If a vulnerable version was exposed, audit which resources were read and which data may have been compromised. Check for unauthorized access to configuration files, credential stores, and system information that could have been extracted.


5. Credential Rotation - If there is any evidence of exploitation, rotate credentials for accounts managed within ScreenConnect, including administrative accounts, API tokens, and any embedded service credentials.
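The log review in step 3 is easy to get wrong by grepping for a literal `../`, which misses encoded variants. The following is an added example for this page (not a ConnectWise or CISA tool) that decodes each request target before looking for a `..` segment; the access-log lines are constructed in Common Log Format with invented hosts, paths and timestamps, and the regular expressions assume that format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format); clients, paths and times are invented for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2024:10:15:01 +0000] "GET /assets/site.css HTTP/1.1" 200 4096
203.0.113.7 - - [22/Feb/2024:10:15:03 +0000] "GET /assets/../../conf/app.config HTTP/1.1" 200 2210
203.0.113.7 - - [22/Feb/2024:10:15:04 +0000] "GET /assets/%2e%2e%2f%2e%2e%2fconf%2fapp.config HTTP/1.1" 200 2210
203.0.113.7 - - [22/Feb/2024:10:15:05 +0000] "GET /assets/..%5c..%5cconf%5capp.config HTTP/1.1" 404 512
198.51.100.9 - - [22/Feb/2024:10:15:09 +0000] "GET /docs/..notes/readme.txt HTTP/1.1" 200 880
"""

CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' that stands alone as a path or query segment; '..notes' does not count.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:[/?&#]|$)')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and fold backslashes to slashes, so that
    %2e%2e%2f, double-encoded %252e and ..%5c all collapse to the same '../' form."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def has_traversal(target: str) -> bool:
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan_log(text: str) -> list:
    """Return one record per request whose decoded target contains a traversal segment."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        if has_traversal(m["target"]):
            hits.append({
                "client": m["client"],
                "time": m["time"],
                "status": int(m["status"]),
                "raw": m["target"],
                "decoded": normalize_target(m["target"]),
            })
    return hits


def summarize(hits: list) -> dict:
    """Count traversal attempts per client address."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        served = "SERVED" if h["status"] == 200 else "blocked"
        print(f"{h['time']}  {h['client']:<14} {served:<8} {h['decoded']}   (raw: {h['raw']})")
    print(summarize(scan_log(SAMPLE_LOG)))
```

On the constructed sample this flags the three requests from 203.0.113.7 and ignores the `..notes` false positive. Two of the three returned 200, which is the signal that matters for the audit in step 4: the decoded path tells you which file was most likely disclosed, and the 404 shows an attempt that did not succeed. Whether your server logs the raw or the already-decoded target varies by product, which is why the decoding here is idempotent.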


Longer-Term Hardening:


  • Implement network segmentation isolating support tools from critical systems
  • Enforce multi-factor authentication for ScreenConnect administrative access
  • Deploy endpoint detection and response (EDR) solutions to catch post-exploitation activity
  • Establish regular vulnerability scanning and patch management procedures
  • Conduct security awareness training on supply chain risks associated with third-party access tools

## References


  • [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities)
  • [ConnectWise Security Advisory](https://www.connectwise.com/)
  • [Microsoft Security Updates](https://msrc.microsoft.com/)
  • [NVD - CVE-2024-1708](https://nvd.nist.gov/vuln/detail/CVE-2024-1708)

---


Timeline for Action: Organizations running ConnectWise ScreenConnect should patch within 24 to 48 hours. With exploitation confirmed in the wild and CISA's formal warning in place, every day of delay materially raises the probability of a breach. For Windows environments, follow Microsoft's patching guidance through your normal change-management process, but classify these updates as critical rather than routine.