[KEV] CVE-2024-1708 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2024-1708 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect, a widely deployed remote access and support platform, that enables unauthenticated or low-privileged attackers to reach restricted file system paths and execute arbitrary code or access sensitive data.
Technical Detail
The flaw exists in ScreenConnect's file handling logic, where insufficient validation of user-supplied path input allows an attacker to traverse outside of intended directory boundaries. By crafting a malicious request that includes directory traversal sequences, an attacker can read, write, or overwrite files in sensitive locations on the host system. Successful exploitation can result in remote code execution (RCE) or direct compromise of confidential data and critical backend systems, depending on the server's configuration and privilege context.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities (KEV) catalog on April 28, 2026. The exploit maturity is rated Operational, meaning reliable exploit code exists and is being actively used in real-world attacks, not merely demonstrated in controlled research environments. Organizations running unpatched ScreenConnect instances should treat this as an immediate threat.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. Given the nature of ScreenConnect as a remote access tool with broad enterprise deployment, exploitation of this vulnerability is consistent with tactics used by ransomware operators and initial access brokers, though no named groups have been formally attributed to campaigns leveraging CVE-2024-1708 in available intelligence.
What To Do
Organizations should apply the vendor-supplied patch from ConnectWise immediately. Per CISA's binding operational directive associated with the KEV listing on April 28, 2026, federal agencies are required to remediate this vulnerability without delay or apply mitigations as directed. For organizations unable to patch immediately, the recommended interim steps are to restrict external access to ScreenConnect instances, enforce network-level controls to limit exposure, and review server-side file integrity for signs of unauthorized modification. Detection efforts should focus on anomalous file access patterns, unexpected process spawning from the ScreenConnect service account, and outbound connections initiated by the ScreenConnect host process.