How to Mitigate Actively Exploited ConnectWise ScreenConnect and Windows Vulnerabilities

Introduction

On a recent Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, signaling that attackers are actively exploiting them in the wild. The vulnerabilities affect ConnectWise ScreenConnect and Microsoft Windows. One of them is CVE-2024-1708, a path-traversal issue in ConnectWise ScreenConnect with a CVSS score of 8.4. The other (unnamed in the original advisory) is a Windows flaw. This how-to guide walks you through the steps to identify, patch, and protect your environment against these threats. By following this action plan, you can reduce your risk of compromise.

What You Need

• Administrative access to your ConnectWise ScreenConnect server
• Administrative credentials for Windows systems in your organization
• Internet access to download patches and updates
• CISA KEV catalog URL for reference
• Vulnerability scanning tool (optional but recommended)
• Communication channels to notify users of downtime

Step-by-Step Guide

1. Step 1: Identify ConnectWise ScreenConnect Instances

   First, locate all servers and on-premises installations of ConnectWise ScreenConnect. Check version numbers. The vulnerable versions are those prior to the patch released for CVE-2024-1708. Run the following command on the server or check the admin interface under About. If you are unsure, refer to the ConnectWise security bulletin. Also review your asset inventory for any self-hosted instances. Make a list of affected systems.

2. Step 2: Apply the ConnectWise Patch

   ConnectWise has released a fix for CVE-2024-1708. Download the latest version from their official site and apply it to all vulnerable servers. Follow these sub-steps:

   • Back up your ScreenConnect database and configuration.
   • Schedule a maintenance window.
   • Apply the update using the installer or manual upgrade steps detailed in the bulletin.
   • After patching, restart the service and verify the version number.

   If an immediate patch is not possible, apply the workaround: restrict network access to the ScreenConnect server from untrusted sources, and disable the guest access feature if enabled. Monitor logs for exploitation attempts (path traversal patterns).

3. Step 3: Identify the Windows Vulnerability

   CISA did not specify the CVE for the Windows flaw in the original announcement, but it is listed in the KEV catalog. Visit CISA KEV and search for 'Windows' to find the exact CVE. As of this writing, the vulnerability may be a privilege escalation or remote code execution issue. Check your Windows versions and see if they match the affected products in the advisory. Common targets include Windows Server and Windows 10/11.

4. Step 4: Apply Windows Security Updates

   Patch affected Windows systems immediately. Use either Windows Update, WSUS, or your patch management tool. Ensure all critical updates from the latest Patch Tuesday are installed. Reboot if required. For high-priority systems, follow these steps:

   • Test the patch in a non-production environment first if possible.
   • Deploy via Group Policy or SCCM to all endpoints.
   • After installation, verify the update is listed in wmic qfe list or the Settings app.

   If patching is delayed, implement mitigations such as enabling firewall rules to block inbound connections from untrusted networks, disabling unnecessary services, and applying Microsoft's recommended workarounds if any.

   

5. Step 5: Verify Patching and Monitor for Exploitation

   After applying patches, use a vulnerability scanner (e.g., Nessus, Qualys) to confirm that the CVEs are no longer detected. Additionally, monitor your security tools for signs of exploitation attempts. Look for:

   • Unusual network traffic from ConnectWise ScreenConnect servers
   • Path traversal patterns in web logs (e.g., ../ sequences)
   • Windows event logs showing abnormal privilege escalations or service crashes

   Enable alerts for any attempts to exploit these CVEs. If you detect an incident, follow your incident response plan immediately.

6. Step 6: Harden Your Environment Against Future Threats

   Beyond patching, reduce your attack surface. Consider these improvements:

   • Segment ConnectWise ScreenConnect servers from the rest of your network.
   • Implement multi-factor authentication for admin interfaces.
   • Keep an updated asset inventory and apply patches within 48 hours for actively exploited vulnerabilities.
   • Subscribe to CISA alerts and vendor security bulletins.
   • Conduct regular vulnerability assessments.

Tips for Long-Term Security

• Stay Informed: Bookmark the CISA KEV catalog and review it weekly, especially after Patch Tuesday.
• Automate Patching: Use patch management tools to deploy critical updates without manual intervention.
• Test Workarounds: If a patch isn't available, test any recommended workarounds in a lab first.
• Communicate: Notify your team about high-priority vulnerabilities and ensure everyone understands the risks.
• Backup Regularly: In case of exploitation, have recent backups to restore systems quickly.

By following these steps, you can effectively address the actively exploited ConnectWise ScreenConnect and Windows flaws. Act now—these vulnerabilities are being used in real attacks. For more details, refer to the CISA KEV catalog and the respective vendor advisories.