NAVANEM
CVE-2024-1708⚡ exploited in the wild

ConnectWise ScreenConnect, path traversal in extension upload

ConnectWise ScreenConnect 23.9.7 and prior is affected by a path traversal vulnerability allowing access to or modification of items outside of the intended directory structure.

Overview

CVE-2024-1708 is a high-severity path traversal vulnerability affecting ConnectWise ScreenConnect, a popular remote desktop and access software widely used by Managed Service Providers (MSPs). The vulnerability exists in the extension upload mechanism and allows an authenticated administrator to write files outside the intended extension directory to arbitrary locations on the host filesystem.

This vulnerability gained significant attention when it was actively exploited in February 2024 as part of a mass-exploitation campaign, typically chained with CVE-2024-1709 (an authentication bypass vulnerability) to achieve full server takeover with persistent filesystem control.

Technical Details

The vulnerability stems from improper validation of the destination path in ScreenConnect's extension upload functionality. When an authenticated administrator uploads an extension, the application fails to properly sanitize or validate the file path, allowing directory traversal sequences to escape the intended App_Data\Extensions\ directory.

In practical exploitation scenarios, attackers leverage this flaw to:

  • Drop webshells into the IIS web root directory
  • Replace legitimate binaries on disk with malicious versions
  • Write arbitrary files anywhere on the host filesystem

The vulnerability is particularly dangerous when combined with CVE-2024-1709, which allows attackers to bypass authentication and create administrative accounts. This chain converts an unauthenticated attacker into one with full filesystem control over the ScreenConnect server.

Impact

The impact of CVE-2024-1708 is severe, especially given the nature of ScreenConnect as remote access software used extensively by MSPs:

  • Full filesystem control: Attackers can write, modify, or replace any file on the server
  • Persistent access: Webshells and backdoors can be deployed for long-term access
  • Supply chain risk: Compromised MSP infrastructure can lead to downstream attacks on managed clients
  • Mass exploitation: This vulnerability was actively exploited in February 2024 in widespread attacks targeting ScreenConnect installations

Mitigation

  1. Immediate upgrade: Update to ConnectWise ScreenConnect version 23.9.8 or later, which addresses both CVE-2024-1708 and CVE-2024-1709
  2. File system review: Examine the App_Data\Extensions\ directory and IIS web root for suspicious files added during the exposure window
  3. Binary integrity check: Verify system binaries and configuration files in the ScreenConnect installation tree have not been modified
  4. Network isolation: If immediate patching is not possible, restrict network access to the ScreenConnect server

Detection

  • Monitor for unexpected files in the IIS web root and ScreenConnect directories
  • Review web server logs for unusual extension upload activity
  • Check for modified timestamps on system binaries within the ScreenConnect installation
  • Hunt for webshell indicators such as ASPX files with suspicious content in web-accessible directories
  • Correlate with indicators of CVE-2024-1709 exploitation (unauthorized admin account creation)