Dubook88

CISA Warns of Active Exploitation: ConnectWise and Windows Vulnerabilities Added to KEV Catalog

Published: 2026-05-01 12:42:21 | Category: Cybersecurity

Overview: CISA Adds Two Actively Exploited Flaws to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog with two security flaws that are being actively exploited in the wild. These vulnerabilities target ConnectWise ScreenConnect and an unspecified Microsoft Windows component, prompting an urgent advisory for organizations to take immediate remediation steps.

Source: feeds.feedburner.com

The KEV catalog serves as a critical resource for prioritizing patching efforts, as it lists vulnerabilities that have confirmed evidence of exploitation. Inclusion in this list means that federal civilian agencies must apply mitigations within specified timelines, and CISA strongly recommends that all organizations do the same.

Details of the Vulnerabilities

CVE-2024-1708: ConnectWise ScreenConnect Path Traversal

CVE-2024-1708 (CVSS score of 8.4, High severity) is a path traversal vulnerability affecting ConnectWise ScreenConnect. This flaw allows an authenticated attacker to traverse the file system beyond the intended directory, potentially reading or writing arbitrary files. Such access can lead to remote code execution if the attacker leverages the ability to write malicious files or manipulate configurations.

ConnectWise ScreenConnect is a widely used remote desktop and support tool, making this vulnerability particularly dangerous for managed service providers (MSPs) and IT departments that rely on the platform for remote access. The active exploitation evidence indicates that attackers are already weaponizing this flaw to compromise systems.

Microsoft Windows Vulnerability (CVE Not Yet Disclosed)

The second flaw, related to Microsoft Windows, has not been assigned a public CVE identifier at the time of this writing. CISA has confirmed active exploitation based on threat intelligence, but specific technical details remain undisclosed to allow time for remediation. The vulnerability affects an unspecified component of the Windows operating system, and organizations are urged to apply the latest security patches from Microsoft.

Impact and Risk

Both vulnerabilities present significant risks to enterprise environments. The ConnectWise flaw can enable attackers to gain deep access within a network, access that is often used as a launchpad for ransomware or data exfiltration. The Windows vulnerability could potentially affect millions of endpoints, granting elevated privileges or remote execution capabilities.

Given that active exploitation is underway, the window for proactive defense is narrow. Organizations that use ConnectWise ScreenConnect should immediately apply the vendor-supplied patch (version 23.9.8 or later) and review their configurations. For Windows, ensure that all available security updates from Microsoft are installed, especially those released on the latest Patch Tuesday.


Recommended Actions

CISA strongly advises all organizations to:

  • Immediately patch ConnectWise ScreenConnect to the latest version that addresses CVE-2024-1708. Refer to the ConnectWise security advisory for detailed instructions.
  • Apply all pending Windows updates from Microsoft, as the actively exploited flaw is likely included in recent cumulative updates.
  • Monitor logs for signs of exploitation, such as unusual file access patterns or unexpected outbound connections.
  • Ensure that remote access tools are secured with multi-factor authentication and least-privilege principles.

Understanding the KEV Catalog

The Known Exploited Vulnerabilities catalog is part of CISA's Binding Operational Directive (BOD) 22-01, which requires federal agencies to remediate listed vulnerabilities by specific due dates. While the directive is mandatory only for federal entities, CISA strongly encourages all public and private organizations to treat KEV entries as top priorities for patching. The catalog is updated dynamically based on threat intelligence and incident response findings.
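As an added example (not from CISA or the original article), the Python sketch below shows one way to turn a KEV entry into a remediation worklist: it matches catalog entries against an asset inventory, flags installs older than the fixed version, and sorts by days left until the due date. The field names follow CISA's public KEV JSON feed; the dates, inventory, and the `FIXED_IN` map are constructed assumptions.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed; dateAdded and dueDate
# are placeholders, not the real catalog dates for this entry.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise",
   "product": "ScreenConnect", "dateAdded": "2026-04-30", "dueDate": "2026-05-21"}
]}""")

# Assumption: a defender-maintained map of first fixed version per CVE.
# 23.9.8 is the fixed ScreenConnect version named in the article.
FIXED_IN = {"CVE-2024-1708": "23.9.8"}

# Constructed inventory; host names and versions are made up.
INVENTORY = [
    {"host": "msp-relay-01", "product": "ScreenConnect", "version": "23.9.7"},
    {"host": "msp-relay-02", "product": "ScreenConnect", "version": "23.9.10"},
    {"host": "helpdesk-03", "product": "ScreenConnect", "version": "22.4"},
    {"host": "build-07", "product": "OtherTool", "version": "1.0"},
]

def parse_version(text):
    """Turn '23.9.8' into (23, 9, 8) so that 23.9.10 sorts after 23.9.8."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(installed, fixed):
    """True when the installed version is older than the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    # Pad with zeros so '22.4' compares as 22.4.0.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(kev, inventory, fixed_in, today):
    """Return unpatched assets for KEV entries, most urgent first."""
    findings = []
    for entry in kev["vulnerabilities"]:
        fixed = fixed_in.get(entry["cveID"])
        if fixed is None:  # no known fixed version, nothing to compare against
            continue
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            same_product = asset["product"].lower() == entry["product"].lower()
            if same_product and is_vulnerable(asset["version"], fixed):
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "version": asset["version"],
                                 "days_left": (due - today).days})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))

if __name__ == "__main__":
    print(triage(KEV_SAMPLE, INVENTORY, FIXED_IN, date(2026, 5, 1)))
```

A negative `days_left` means the asset is past the catalog due date and should be escalated.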

Conclusion

The addition of these two vulnerabilities underscores the ongoing threat landscape where attackers quickly exploit known weaknesses. Organizations using ConnectWise ScreenConnect or relying on Microsoft Windows must act swiftly to reduce their attack surface. By following CISA's guidance and applying the necessary patches, defenders can stay ahead of active campaigns targeting these flaws.

Additional Resources

For more information on patching ConnectWise ScreenConnect, visit ConnectWise Security Bulletins. For Windows update details, refer to the Microsoft Security Response Center. CISA's KEV catalog can be accessed at CISA.gov/KEV.