CISA KEV Alert: ConnectWise ScreenConnect Path Traversal (CVE-2024-1708) & Windows Flaws
Just caught the latest KEV update from CISA today—looks like they've officially added CVE-2024-1708 impacting ConnectWise ScreenConnect, alongside a Microsoft Windows flaw, citing evidence of active exploitation.
Given how widespread ScreenConnect is in the MSP space, this CVE (CVSS 8.4) is particularly nasty. It allows attackers to perform path traversal, effectively bypassing authentication to execute code on the host. Since ScreenConnect often runs as System or a high-privilege service user, the impact is immediate compromise of the managed endpoint.
If you're hunting for this in your environment, check your web server logs for the authentication bypass attempts. The exploit chain often involves specific URI patterns to escape the web root.
Here is a regex pattern to help flag potential traversal attempts in your SIEM:
\.\./|%2e%2e|\.%5c|%2e%5c
And a Python snippet to scan your log exports locally for these indicators targeting the ScreenConnect web paths:
import re

log_file = "access.log"

# Matches traversal attempts against ScreenConnect endpoints
# (case-insensitive so upper-case encodings such as %2E are caught too)
pattern = re.compile(r"(\/Services\.asmx|\/Host\.asmx).*(\.\.\/|%2e%2e)", re.IGNORECASE)

with open(log_file, "r", errors="ignore") as f:
    for line in f:
        if pattern.search(line):
            print(f"Suspicious entry found: {line.strip()}")
For the Windows flaw CISA added, standard WSUS patching hygiene applies, but given the KEV tag, prioritize it above standard rollout this week.
Who here has had to emergency patch ScreenConnect today? How are you handling RMM tool exposure at the edge—VPN only, or behind a ZTNA gateway?
We saw a spike in scanning activity against port 8040 about two hours before the CISA alert dropped. It seems threat actors are mass-scanning for unpatched instances.
We pushed the patch via Intune immediately, but for detection, we're also looking for suspicious child processes spawned from the ScreenConnect service binary. Usually, ScreenConnect.ClientService.exe shouldn't be spawning powershell.exe or cmd.exe.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -like '*ScreenConnect*' -and ($_.Message -like '*powershell.exe*' -or $_.Message -like '*cmd.exe*') }
If you see that, you're likely already compromised.
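An added example (not the poster's code) that applies the same parent/child idea to exported 4688 messages offline. It assumes process-creation auditing is enabled so the "Creator Process Name" field is present, matches any parent whose image name starts with ScreenConnect. (not only the ClientService binary named above), and extends the child list beyond powershell.exe and cmd.exe to a few other scripting hosts; the event texts are constructed samples with invented paths.

```python
import re

# Constructed 4688 message excerpts; field names follow the Windows Security log,
# all paths and values are invented for this example.
SAMPLE_EVENTS = [
    "A new process has been created.\n"
    "Process Information:\n"
    "\tNew Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "\tCreator Process Name:\tC:\\Program Files (x86)\\ScreenConnect Client (constructed)\\ScreenConnect.ClientService.exe\n",
    "A new process has been created.\n"
    "Process Information:\n"
    "\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\n"
    "\tCreator Process Name:\tC:\\Windows\\explorer.exe\n",
    "A new process has been created.\n"
    "Process Information:\n"
    "\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\n"
    "\tCreator Process Name:\tC:\\Program Files (x86)\\ScreenConnect Client (constructed)\\ScreenConnect.ClientService.exe\n",
    "A new process has been created.\n"
    "Process Information:\n"
    "\tNew Process Name:\tC:\\Program Files (x86)\\ScreenConnect Client (constructed)\\ScreenConnect.ClientService.exe\n"
    "\tCreator Process Name:\tC:\\Windows\\System32\\services.exe\n",
]

# Field lines look like "\tNew Process Name:\t<path>"; whitespace is flexible.
FIELD = re.compile(r"^\s*(New Process Name|Creator Process Name):\s*(.+?)\s*$", re.MULTILINE)

# Children that a remote-support service binary should not normally spawn
# (extended beyond the two named in the thread; adjust to your baseline).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}


def parse_4688(message: str) -> dict:
    """Pull the new and creator process paths out of a 4688 message body."""
    fields = dict(FIELD.findall(message))
    return {
        "child": fields.get("New Process Name", ""),
        "parent": fields.get("Creator Process Name", ""),
    }


def basename(path: str) -> str:
    """Lower-cased image name regardless of slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_lineage(message: str) -> bool:
    """True when a ScreenConnect binary is the parent of a scripting host/shell."""
    ev = parse_4688(message)
    return (basename(ev["parent"]).startswith("screenconnect.")
            and basename(ev["child"]) in SUSPICIOUS_CHILDREN)


def find_suspicious(events) -> list:
    """Return parsed parent/child pairs for every event that trips the rule."""
    return [parse_4688(m) for m in events if is_suspicious_lineage(m)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{basename(hit['parent'])} -> {basename(hit['child'])}")
```

Matching on the parent image name rather than on "ScreenConnect" anywhere in the message avoids flagging the service's own start-up (the fourth sample, where services.exe launches the client service) while still catching a shell spawned by it.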
As an MSP owner, this is a nightmare scenario. We have about 200 clients using ScreenConnect for remote access. We've historically exposed the web interface for convenience, but we are pivoting to forcing it behind a Tailscale VPN mesh immediately.
It's not just the patching; it's the exposure. The path traversal flaw (CVE-2024-1708) is trivial to exploit if the authentication bypass is chained correctly. If you haven't patched yet, block access to /WebService.asmx at your edge firewall as a temporary stopgap.
Good catch on the regex, OP. I'd add that you should specifically look for URL-encoded variations in the query parameters too, as WAFs might block raw ../ but miss the encoded versions.
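An added example (not OP's snippet and not this reply's code) that combines OP's log scan with the point made here: instead of listing each encoding in the regex, it percent-decodes the request target repeatedly (so double-encoded %252e%252e is caught as well), folds backslashes to forward slashes, and only then tests for a dot-dot segment together with one of the ScreenConnect endpoints named in the thread. The log lines are constructed samples in common access-log format; the endpoint list and the three-round decode limit are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from any real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /Host.asmx HTTP/1.1" 200 512
10.0.0.7 - - [20/Feb/2024:10:01:09 +0000] "GET /SetupWizard.aspx/../Services.asmx HTTP/1.1" 200 77
10.0.0.9 - - [20/Feb/2024:10:01:15 +0000] "POST /Services.asmx?x=%2e%2e%2f HTTP/1.1" 200 64
10.0.0.11 - - [20/Feb/2024:10:01:21 +0000] "GET /Host.asmx?f=%252e%252e%255c HTTP/1.1" 404 0
10.0.0.13 - - [20/Feb/2024:10:01:30 +0000] "GET /static/logo.png HTTP/1.1" 200 9001
"""

# ScreenConnect web endpoints mentioned in the thread (assumed list; extend as needed).
ENDPOINTS = re.compile(r"/(Services|Host|WebService)\.asmx", re.IGNORECASE)
# A dot-dot segment followed by either slash style, tested after decoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Request line inside a combined/common log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and fold backslashes to '/'."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal_attempt(line: str) -> bool:
    """True when the decoded request target hits a ScreenConnect endpoint and contains '../'."""
    m = REQUEST.search(line)
    if not m:
        return False
    target = normalize_target(m.group("target"))
    return bool(ENDPOINTS.search(target) and TRAVERSAL.search(target))


def scan_log(text: str) -> list:
    """Return every log line that looks like a traversal attempt against ScreenConnect."""
    return [ln for ln in text.splitlines() if is_traversal_attempt(ln)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("Suspicious entry found:", hit)
```

Decoding before matching is what makes the WAF-evasion case visible: the raw, single-encoded and double-encoded samples all reduce to the same "../" form, while the plain /Host.asmx request and the static asset are left alone.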
On the pentest side, we've been seeing a lot of RMM tools targeted lately because they are trusted by EDR solutions. Make sure you are explicitly monitoring the ScreenConnect directories for writes or modifications, not just execution.