When a new vulnerability is uncovered, IT and security teams need to work fast to protect against it. For ConnectWise ScreenConnect users, that time is now, as the CVE-2024-1708 vulnerability is actively exploited.
CISA added CVE-2024-1708 to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The vulnerability carries a high-severity CVSS score of 8.4 and can allow remote code execution or directly impact confidential data and critical systems
When remote support platforms are vulnerable to attack, the damage can extend to multiple endpoints, servers, and systems. As such, organizations should know what to do when vulnerabilities like this are discovered.
What Happened With ConnectWise ScreenConnect?
The Cybersecurity and Infrastructure Security Agency (CISA) recently added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, including CVE-2024-1708. This is a path traversal vulnerability affecting ConnectWise ScreenConnect 23.9.7 and prior. The vulnerability can allow attackers to execute remote code or directly impact confidential data and critical systems, making it a high-severity risk with a CVSS score of 8.4.
ConnectWise released fixes for the vulnerability in February 2024. However, CISA’s KEV update shows that unpatched instances remain a current security concern.
CVE-2024-1708 has also been observed in exploit activity involving CVE-2024-1709, a critical ScreenConnect authentication bypass vulnerability with a CVSS score of 10.0. Together, these vulnerabilities reinforce why ScreenConnect users should confirm patch status and review their environments for signs of exposure.
Why the ScreenConnect Exploitation Matters for IT Teams
Any software vulnerability is a threat worth mitigating, especially those that have evidence of active exploitation. And for remote support software, the risk can be even more severe than it seems at first glance.
Remote support tools can connect technicians to systems, provide administrative access, and manage both attended and unattended devices across environments. As such, they’re high-value targets for attackers, as successfully compromising the tool can provide access to multiple endpoints.
Given the damage that compromised remote support can cause, the exploitation of the ScreenConnect vulnerability serves as a stark reminder of the importance of securing remote support software. IT teams need to keep patches up to date, maintain access governance, enable audit logging, and quickly identify exposed software so they can address it, otherwise they may put multiple users and devices at risk.
What Makes CVE-2024-1708 Especially Important?
There’s no shortage of vulnerabilities out there, but their severity can vary significantly. With a CVSS score of 8.4, CVE-2024-1708 ranks as a “High” severity vulnerability, but what is it that makes it so critical?
Several factors make this vulnerability operationally important for IT teams:
1. It Affects a Remote Support Platform
As mentioned, vulnerabilities that impact remote support platforms can have far-reaching consequences, as these platforms are used to manage other systems. When a remote support solution is compromised, it’s typically already deployed, trusted, and tied to privileged workflows, making it easy for attackers to run wild across connected devices.
An exposed remote support tool can create an entry point into broader IT operations, putting entire networks at risk.
2. It Has Been Chained With a Critical Authentication Bypass
A vulnerability on its own can pose a threat, but when combined with another, even more critical vulnerability, that threat can escalate exponentially. In this case, CVE-2024-1708 has been chained with CVE-2024-1709, a critical authentication bypass vulnerability with a CVSS score of 10.0.
As a result, the threat can quickly increase from “High” to “Critical” if the two vulnerabilities are not addressed. IT teams need to evaluate vulnerabilities in context, as combined attacks can pose even greater threats.
3. Exploitation Has Been Linked to Ransomware Activity
Various exploitations can have different consequences, but the CVE-2024-1708 vulnerability has been linked to ransomware attacks, making it a high-priority threat. Ransomware can lock entire networks or systems up until the ransom is paid, resulting in significant losses of money, productivity, and customer trust. As such, an actively exploited vulnerability that can lead to ransomware attacks needs to be a high priority.
4. Older Vulnerabilities Can Remain High Priority
Just because a vulnerability is old doesn’t mean it’s no longer a threat. CVE-2024-1708 was fixed in February 2024, but can still be actively exploited if not properly mitigated.
All too often, vulnerability management focuses on the newest threats and most recent disclosures. However, old threats still exist, so IT teams need visibility into older vulnerabilities that may still exist across their servers, endpoints, or infrastructure, especially if they’re still being exploited.
What IT Teams Using ScreenConnect Should Check
If your company uses ConnectWise ScreenConnect, you might be wondering what to do to ensure you aren’t a victim of this exploit. We’ve compiled a helpful checklist of steps you can take to protect your network and devices:
Confirm whether ScreenConnect is deployed in your environment: The first step should be to identify all cloud, on-premise, self-hosted, and legacy instances of ScreenConnect you might be running. This will ensure you’re looking at the right devices and don’t miss any instances.
Check the version running on each instance: Even if you’re running ScreenConnect, it might be a version that’s not at risk. Check and confirm if any ScreenConnect deployment is running a version affected by CVE-2024-1708 (or any related ScreenConnect vulnerabilities).
Verify patch status: If your devices are properly patched, you may already be safe. Your next step should be to check your patch status and confirm that updates were applied successfully (not just scheduled or assumed complete).
Review internet exposure: Determine whether any ScreenConnect instance, server, or management interface is externally reachable. If it is, confirm that access is restricted, patched, monitored, and limited to authorized administrators.
Review admin users and permissions: Old accounts that retain access permissions can be a major cybersecurity vulnerability. Be sure to check for unnecessary administrator accounts, stale users, excessive privileges, and any accounts missing Multi-Factor Authentication (MFA) that could be compromised.
Inspect logs for suspicious activity: Inspecting logs can help identify if any accounts are already compromised. Look for unexpected sessions, unknown users, configuration changes, new accounts, or any abnormal access patterns that could indicate a bad actor.
Evaluate downstream impact: Identifying the potential impact of an attack is also important, especially if you manage multiple devices. MSPs and IT teams supporting multiple environments should verify whether customer or managed endpoints may be affected and take steps to protect them.
Document remediation steps: Keeping clear documentation is essential. Record what was checked, updated, and reviewed, and maintain evidence for audits or incident response.
What This Means for Remote Support Security
If you want to avoid CVE-2024-1708 and other similar threats, good security for your remote support software is essential. With strong security features and endpoint management, you can improve your defenses against vulnerabilities and attacks, but this requires strategy and planning.
A secure remote support strategy should account for:
Patching speed and update reliability, preferably including patch automation.
Centralized visibility into devices and the software deployed on them.
Strong authentication, including MFA and Single Sign-On (SSO) where appropriate.
Granular technician permissions and Role-based access controls (RBAC) to control who has access to what.
Session logging and audit trails to maintain accountability and identify suspicious activity.
Secure unattended access controls.
Clear visibility into which devices can be accessed remotely.
Fast response workflows for if/when a vulnerability affects the remote support infrastructure.
Integration between remote support, endpoint visibility, and patch remediation to improve workflows and keep everything in one place.
Questions to Ask When Evaluating Remote Support Tools
Secure remote support requires a solution with strong access controls, clear visibility, reliable patching, and audit-ready logging. While there are many remote support tools on the market, it’s important to evaluate your options and determine which ones meet all your needs.
When looking at remote support software, consider the following:
Can admins enforce MFA, SSO, and granular access permissions?
Can technician access be limited? If so, is it limited by user, group, device, or role?
Are session logs available for review and audit?
Can unattended access be controlled and limited to authorized users?
How quickly can security updates be tested, deployed, and verified?
Can IT teams identify outdated software across their environment?
Does the platform support visibility across distributed, hybrid, and remote endpoints?
Can IT teams manage patching and remediation workflows without needing to manually follow-up?
Does the solution combine remote support with endpoint management capabilities?
How Splashtop Helps IT Teams Strengthen Remote Support Security
If you want to empower your IT teams to support users and endpoints across a distributed environment, you need a robust and secure remote support solution and endpoint management. Fortunately, Splashtop can provide just that.
Splashtop gives IT teams the secure remote access and support they need to manage remote devices from anywhere, with centralized controls built for distributed remote and hybrid work environments. With it, teams can manage users, devices, and permissions from a single place, remotely access devices for hands-on troubleshooting, and maintain the visibility they need to support remote environments.
With Splashtop AEM (Autonomous Endpoint Management), IT teams can support devices across their network with automated threat detection, patch management, and more. Splashtop AEM provides real-time patching, CVE-based insights, policy-based automation, and visibility across endpoints, all from a single user-friendly dashboard. This helps IT teams move from reactive to proactive, improving security across devices.
Splashtop includes:
Secure remote access and remote support across operating systems and devices.
Centralized admin controls and granular permissions to make management easy and efficient.
SSO/SAML, MFA, logging, and recording options to keep each session secure.
Splashtop AEM for real-time patch management across operating systems and third-party applications.
Endpoint inventory and reporting to help identify vulnerable software at a glance.
CVE-based threat detection and insights to support patch prioritization.
1-to-many actions and automation to reduce repetitive manual work.
Centralized dashboards that provide visibility into patch status, endpoint health, and audit readiness.
Stay Ahead of Vulnerabilities
The ConnectWise ScreenConnect vulnerability is a stark reminder about the need for robust security for remote support platforms. These are critical IT infrastructure and should be treated as such, with strong access controls, reliable patching, and clear endpoint visibility.
Remote support is an excellent way to assist users and troubleshoot devices from anywhere, but the level of access it provides can become a threat without a secure, up-to-date solution. IT teams should take the time to verify if they’re exposed, confirm their patch statuses, and evaluate if their remote support tools provide the security and control they need.
If your current remote support tool does not provide the visibility, access control, and endpoint management workflows your team needs, it may be time to evaluate a more secure and streamlined approach.
See how Splashtop helps IT teams deliver secure remote support and endpoint management from one platform. Start your free trial today.
