โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence | EXPLOIT | 🔴 1×KEV

CVE-2024-1708 in ConnectWise ScreenConnect: CISA KEV Confirms Active Exploitation

📅 April 30, 2026 | 🔴 Exploit Risk: 0.526 | 📊 Intelligence Score: 83/100 | 📰 2 sources synthesized
Intelligence Metadata
First Reported By: thehackernews.com
Outbreak Velocity: 95 minutes spread to 2 unique domains
Consensus: 2 sources across 2 unique domains
CVSS Score: Not available
EPSS Score: 0.8162 (81.62th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.5265
Race Label: ZERO-DAY RACE

Technical Analysis

CONFIRMED reports indicate active exploitation of CVE-2024-1708, an authentication bypass vulnerability in ConnectWise ScreenConnect. The flaw exists within the setup wizard component, which can be accessed by a remote, unauthenticated attacker on an exposed instance. By navigating to a specific path, an attacker can create a new administrator-level user, establishing an initial ingress point. Threat actors are REPORTEDLY chaining this vulnerability with a path traversal flaw (CVE-2024-1709) to achieve remote code execution (RCE). The combined attack chain allows for complete server takeover, deployment of secondary payloads like ransomware, and subsequent lateral movement into networks managed via the ScreenConnect instance.

Affected Systems

Vendor: ConnectWise
Affected Versions:
  • ScreenConnect 23.9.7 and earlier
Exposure: Publicly facing remote access servers. The vulnerability is remotely exploitable without authentication.
Blast Radius: High. ConnectWise ScreenConnect is widely used by Managed Service Providers (MSPs) and IT support teams for remote administration. A successful exploit can provide an attacker with privileged access to thousands of downstream client networks.

Intelligence Context

The addition of CVE-2024-1708 to the CISA KEV catalog is the primary signal for immediate action, as it CONFIRMS active, in-the-wild exploitation. The high EPSS score of 0.8162 further quantifies the high probability of exploitation activity. The 'ZERO-DAY RACE' classification indicates that exploitation was observed before or concurrently with the public disclosure, giving defenders minimal time to react. The absence of a CVSS score should be disregarded; the KEV status is a more definitive indicator of real-world risk and mandates prioritization for all organizations using the affected software, not just the federal agencies bound by the CISA directive.

Remediation & Defense

Patch immediately. This is a confirmed, actively exploited vulnerability that serves as a common ingress point for ransomware attacks. Investigate all publicly exposed instances for signs of compromise.
Patch Status: Available
Patch Version: ConnectWise ScreenConnect 23.9.8 or later.
Workarounds:
  • If immediate patching is not possible, restrict access to the ScreenConnect web interface to trusted IP addresses via firewall rules.
  • Remove the vulnerable SetupWizard.aspx file if it exists on the server.
Detection Hints:
  • Review web server logs for requests to '/SetupWizard.aspx'.
  • Monitor for the creation of unexpected administrator-level accounts within ScreenConnect.
  • Look for suspicious child processes spawned by the ScreenConnect server process.
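
The first detection hint can be automated. The following is an added example, not code from ConnectWise or from this report: it scans a web access log for requests to '/SetupWizard.aspx' and ranks hits from outside the trusted networks first. The W3C extended log format, the field names, the trusted network range and the sample lines are all assumptions constructed for illustration; adapt them to what your server or reverse proxy actually writes.

```python
import ipaddress
from urllib.parse import unquote

# Assumption: networks allowed to reach the web interface (constructed values).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WIZARD = "/setupwizard.aspx"

# Constructed sample in W3C extended log format; not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-02-20 09:14:02 10.1.2.3 GET /Host 200
2024-02-20 09:15:40 203.0.113.50 GET /SetupWizard.aspx 200
2024-02-20 09:15:44 203.0.113.50 POST /setupwizard.ASPX 302
2024-02-20 09:20:11 10.1.2.3 GET /SetupWizard.aspx 404
2024-02-20 09:31:07 198.51.100.7 GET /Login 200
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_wizard_requests(log_text):
    """Return one dict per request whose decoded path contains the wizard page."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode and lowercase so case or percent-encoding does not hide a hit.
        path = unquote(row.get("cs-uri-stem", "")).lower()
        if WIZARD in path:
            row["trusted_source"] = is_trusted(row["c-ip"])
            hits.append(row)
    return hits

def triage(hits):
    """Untrusted sources first; a 2xx/3xx status means the page was served."""
    def priority(h):
        served = h["sc-status"][:1] in ("2", "3")
        return (h["trusted_source"], not served, h["date"], h["time"])
    return sorted(hits, key=priority)

if __name__ == "__main__":
    for h in triage(find_wizard_requests(SAMPLE_LOG)):
        tag = "REVIEW" if h["trusted_source"] else "ALERT"
        print(tag, h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
```

Correlate any ALERT line with the second hint: check whether an administrator-level account was created in ScreenConnect shortly after the logged request time.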

CVE-2024-1708 ConnectWise exploit_wild kev auth-bypass RCE ransomware