{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2024-1708/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["ScreenConnect"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","cve-2024-1708","connectwise"],"_cs_type":"advisory","_cs_vendors":["ConnectWise"],"content_html":"\u003cp\u003eCVE-2024-1708 is a critical path traversal vulnerability affecting ConnectWise ScreenConnect. This flaw could allow an unauthenticated attacker to execute remote code or directly access confidential data and critical systems. ConnectWise released security bulletin 23.9.8 to address this vulnerability. Given the potential for remote code execution and data compromise, this vulnerability poses a significant risk to organizations using ConnectWise ScreenConnect, potentially allowing full system takeover. CISA added this to their KEV catalog and recommends applying mitigations per vendor instructions, following BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a ConnectWise ScreenConnect server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a path traversal payload targeting a vulnerable endpoint within ScreenConnect. This payload is designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe ScreenConnect server processes the malicious request, and the path traversal vulnerability allows the attacker to access files outside of the intended webroot directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file access to read sensitive configuration files, potentially containing credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uploads a malicious executable (e.g., a web shell) to a writeable directory accessible via path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded web shell, gaining remote code execution on the ScreenConnect server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised ScreenConnect server as a pivot point to move laterally within the internal network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, disrupting business operations and causing significant financial damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-1708 can lead to complete compromise of ConnectWise ScreenConnect servers and potentially the entire network. Attackers could exfiltrate sensitive data, deploy ransomware, or use the compromised systems for lateral movement. Given the widespread use of ScreenConnect in MSP environments, a successful attack could impact numerous downstream clients, causing widespread disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by ConnectWise in security bulletin 23.9.8 to patch CVE-2024-1708.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious ScreenConnect Path Traversal Attempts\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from ScreenConnect servers, as this could indicate post-exploitation activity.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of ConnectWise ScreenConnect servers, following security best practices to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-29-screenconnect-path-traversal/","summary":"CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems.","title":"ConnectWise ScreenConnect Path Traversal Vulnerability (CVE-2024-1708)","url":"https://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2024-1708","version":"https://jsonfeed.org/version/1.1"}