Remote Monitoring and Management (RMM) tools are the “skeleton keys” of the IT world. When they are secure, they provide seamless support; when they are vulnerable, they offer attackers a high-speed lane into corporate infrastructure.
On April 28, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-1708 to its Known Exploited Vulnerabilities (KEV) catalog. A KEV listing means CISA has evidence of active exploitation: threat actors are weaponizing a path traversal flaw in ConnectWise ScreenConnect to get past the perimeter and take control of the systems the server manages.
Technical Breakdown: The “Zip Slip” Exploit
The vulnerability, tracked as CVE-2024-1708 (CWE-22, path traversal), is a high-severity weakness in the server’s extension upload feature. It was one half of the 2024 “SlashAndGrab” chain: the companion authentication bypass, CVE-2024-1709, let an unauthenticated attacker create an administrator account, and CVE-2024-1708 then let that administrator write files to arbitrary locations by smuggling path components into an uploaded extension archive. On its own, the traversal requires administrative access to the extension upload feature, which is exactly what the chain supplied.
How the Attack Works:
- The “Zip Slip” Maneuver: The attacker uploads a specially crafted .zip extension through the extension manager.
- Path Manipulation: The server fails to validate the file names inside the archive, so “dot-dot-slash” (../) sequences in an entry name are honored when the file is written to disk.
- Arbitrary Write: The file is “slipped” out of the extension’s own folder and dropped into the application’s web root or another sensitive location.
- Remote Code Execution (RCE): Requesting the dropped file (typically a webshell, an .aspx or .ashx handler) runs attacker-supplied code under the ScreenConnect service account, which on Windows is commonly SYSTEM.
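The four steps above, worked end to end in code. This is an added example, not ScreenConnect’s code: the naive extractor stands in for the pre-patch behaviour the advisory describes, the hardened one shows the check that stops it, and the directory layout (App_Extensions/<guid>/ under a web root) and the crafted archive are constructed for illustration.

```python
"""
Zip Slip, worked end to end: a crafted archive entry whose name contains
'../' makes a naive extractor write outside the folder it meant to write
into.  Added example: the naive extractor is a stand-in for the behaviour
the advisory describes, not ScreenConnect's own code, and the directory
layout (App_Extensions/<guid>/ under a web root) is an assumption.
"""
import io
import os
import tempfile
import zipfile


class UnsafeArchiveEntry(ValueError):
    """Raised by the hardened extractor for an entry that escapes the destination."""


def build_malicious_extension_zip():
    """Construct an 'extension' archive (constructed payload, not real malware):
    one benign manifest plus one entry whose name climbs two levels up, from
    App_Extensions/<guid>/ into the web root.  ZipInfo is used directly because
    ZipFile.write() would normalise the name of a real file on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Manifest.xml", b"<ExtensionManifest/>")
        traversing = zipfile.ZipInfo("../../cmd.aspx")  # name is stored verbatim
        zf.writestr(traversing, b"<!-- constructed placeholder for a webshell -->")
    return buf.getvalue()


def extract_vulnerable(zip_bytes, dest):
    """Naive extraction: joins each entry name onto dest and writes it, with no
    check on where the joined path ends up.  Returns the real paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def _safe_target(dest_real, name):
    """Resolve an entry name under dest_real and refuse anything outside it."""
    if os.path.isabs(name) or name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchiveEntry("absolute entry name: %r" % name)
    # Archive entries may use either separator; normalise before joining.
    target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeArchiveEntry("entry escapes destination: %r" % name)
    return target


def entry_is_safe(dest, name):
    """Convenience predicate: would the hardened extractor accept this entry name?"""
    try:
        _safe_target(os.path.realpath(dest), name)
        return True
    except UnsafeArchiveEntry:
        return False


def extract_hardened(zip_bytes, dest):
    """Validate every entry first, then write, so a bad archive leaves nothing behind."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, _safe_target(dest_real, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo_in_tempdir():
    """Run both extractors against the crafted archive in a throwaway tree and
    report where the traversing entry ended up.  Returns a dict of booleans."""
    z = build_malicious_extension_zip()
    with tempfile.TemporaryDirectory() as root:
        ext_dir = os.path.join(root, "App_Extensions", "0d0a1f6e-1234-4abc-9def-0123456789ab")
        os.makedirs(ext_dir)
        webroot_shell = os.path.join(root, "cmd.aspx")
        manifest = os.path.join(ext_dir, "Manifest.xml")

        extract_vulnerable(z, ext_dir)
        vuln_escaped = os.path.isfile(webroot_shell)  # landed two levels up, in the web root
        os.remove(webroot_shell)
        os.remove(manifest)

        try:
            extract_hardened(z, ext_dir)
            hardened_rejected = False
        except UnsafeArchiveEntry:
            hardened_rejected = True
        return {
            "vulnerable_wrote_to_webroot": vuln_escaped,
            "hardened_rejected": hardened_rejected,
            "hardened_wrote_nothing": not os.path.exists(webroot_shell) and not os.path.exists(manifest),
        }


if __name__ == "__main__":
    for key, value in demo_in_tempdir().items():
        print("%-30s %s" % (key, value))
```

Note that Python’s own `ZipFile.extractall()` already strips `..` components, which is why the vulnerable path has to join and open the file by hand; the hardened version resolves the real path before any write and checks it against the destination with `os.path.commonpath`, so a rejected archive leaves no partial files behind.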
The Threat Landscape: Ransomware and Supply Chains
While CISA currently lists the specific threat actors as “Unknown,” the exploitation of RMM tools is a hallmark of major ransomware syndicates and state-sponsored groups.
- Lateral Movement: The ScreenConnect server can push commands and files to every endpoint enrolled with it, so a single server compromise can become a “mass-infection” event across every client device that server manages.
- Historical Context: The 2024 exploitation wave of this flaw was linked to North Korean (Chollima, in CrowdStrike’s naming) and China-linked actors, who used the access to deploy ransomware or sell “initial access” to other crews.
CISA Deadline and Required Actions
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV-listed flaws by the due date CISA assigns. Private sector organizations are strongly urged to follow the same timeline.
Critical Deadline: May 12, 2026
Immediate Defensive Steps:
- Patch Now: Update ConnectWise ScreenConnect to the latest secure version (23.9.8 or higher) immediately. That release fixed both CVE-2024-1708 and CVE-2024-1709; ConnectWise patched its cloud-hosted instances, but on-premises servers must be updated by their operators.
- Audit Extensions: Inspect C:\Program Files (x86)\ScreenConnect\App_Extensions\ for unauthorized .aspx, .ashx, or .exe files. Legitimate extensions live in GUID-named subfolders; anything sitting directly in App_Extensions, or in a folder whose name is not a GUID, is suspect.
- Monitor for Admin Anomalies: Review logs for the creation of unexpected administrator accounts (e.g., accounts named “admin”, “test”, or “flash”).
- Isolate if Unpatched: If you cannot apply the patch immediately, discontinue use of the ScreenConnect service until it is patched, or isolate it behind a strict VPN with MFA.
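The extension audit above, as an added script (not a ConnectWise tool). It encodes the two rules the advisory gives: anything not inside a GUID-named subfolder is flagged outright, and .aspx/.ashx/.exe files inside a GUID folder are listed for manual comparison against the extensions you actually installed. The default path mirrors the one above; the sample listing is constructed for illustration. Point it at a real folder with `python audit_extensions.py "C:\Program Files (x86)\ScreenConnect\App_Extensions"`.

```python
"""
Audit the ScreenConnect extension folder for files that do not belong.
Added example, not a ConnectWise tool.  Two rules: anything that is not
inside a GUID-named subfolder is flagged "high", and .aspx/.ashx/.exe
files inside a GUID folder are flagged "review" for manual comparison
against the extensions you actually installed.  The default path mirrors
the advisory; the sample listing is constructed for illustration.
"""
import os
import re
from collections import namedtuple
from typing import List, Optional

DEFAULT_EXT_DIR = r"C:\Program Files (x86)\ScreenConnect\App_Extensions"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
SUSPECT_EXTS = {".aspx", ".ashx", ".exe"}

Finding = namedtuple("Finding", "severity path reason")


def classify(rel_path: str) -> Optional[Finding]:
    """Classify one path relative to App_Extensions; None means nothing to report."""
    parts = rel_path.replace("\\", "/").split("/")
    ext = os.path.splitext(parts[-1])[1].lower()
    if len(parts) == 1:
        # A file directly under App_Extensions is what a traversal drop looks like.
        return Finding("high", rel_path,
                       "file sits directly under App_Extensions, outside any extension folder")
    if not GUID_RE.match(parts[0]):
        return Finding("high", rel_path, f"top-level folder {parts[0]!r} is not a GUID")
    if ext in SUSPECT_EXTS:
        # Real extensions do ship handlers, so this is a review item, not a verdict.
        return Finding("review", rel_path,
                       f"{ext} inside extension {parts[0]}; confirm it shipped with that extension")
    return None


def audit_listing(rel_paths) -> List[Finding]:
    """Apply classify() to a listing of relative paths (testable without a filesystem)."""
    return [f for f in map(classify, rel_paths) if f is not None]


def audit_directory(ext_dir: str = DEFAULT_EXT_DIR) -> List[Finding]:
    """Walk a real App_Extensions folder and audit every file in it."""
    rel_paths = []
    for dirpath, _subdirs, files in os.walk(ext_dir):
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), ext_dir))
    return audit_listing(rel_paths)


# Constructed listing: one legitimate extension folder plus three dropped artifacts.
SAMPLE_LISTING = [
    "1b5f0c2d-3c8e-4f1a-9d2b-6e7f8a9b0c1d/Manifest.xml",
    "1b5f0c2d-3c8e-4f1a-9d2b-6e7f8a9b0c1d/Service.ashx",
    "cmd.aspx",
    "dropped/shell.ashx",
    "images/update.EXE",
]


if __name__ == "__main__":
    import sys
    findings = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else audit_listing(SAMPLE_LISTING)
    for f in findings:
        print(f"[{f.severity:6}] {f.path}: {f.reason}")
```

Run without arguments it audits the constructed listing and reports one “review” item (the handler inside the GUID folder) and three “high” items; a clean server produces only “review” lines, each of which should match a file in an extension you installed on purpose.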
Conclusion: The Urgency of RMM Security
The inclusion of CVE-2024-1708 in the KEV catalog is the strongest possible signal that this is no longer a theoretical risk. For IT departments and MSPs, patching this flaw is the difference between a routine Tuesday and a catastrophic supply chain breach.