The other half of the ScreenConnect chain just got a 2026 deadline
CVE-2024-1709 got the CVSS 10 and the headlines in February 2024. The path-traversal half that actually lands code execution, CVE-2024-1708, only got its own KEV deadline on April 28, 2026. Two years late, same chain.
On April 28, 2026, CISA gave CVE-2024-1708 a remediation deadline of May 12. That’s the ScreenConnect path-traversal bug. It was patched in February 2024, mass-exploited in February 2024, and chained into ransomware in February 2024. Its sibling, the CVSS 10 authentication bypass, has been on the Known Exploited Vulnerabilities catalog since February 22, 2024. The path-traversal half waited two more years for its own line in the catalog.
If you patched ScreenConnect in early 2024, this changes nothing for you. The fix for both bugs is the same build. But the two-year gap between the two halves of one exploitation chain is worth a second look, because it says something about how the catalog works and what a fresh KEV entry does and doesn’t mean.
The two bugs are one attack
ConnectWise published its advisory on February 19, 2024, disclosing two vulnerabilities in on-premise ScreenConnect 23.9.7 and earlier. CVE-2024-1709 is an authentication bypass (CWE-288), CVSS 10.0, no privileges and no user interaction required. CVE-2024-1708 is a path traversal (CWE-22), CVSS 8.4. Both were fixed in build 23.9.8.
On their own, neither is the whole story. Together they’re a clean remote-code-execution chain. The auth bypass came from a routing flaw: requesting the /SetupWizard.aspx/ endpoint with essentially any trailing path segment let an unauthenticated attacker reach the first-run setup wizard on an already-configured server, per Huntress’s “SlashAndGrab” analysis. From there an attacker creates a fresh administrator account and owns the application.
That alone is bad. The path traversal is what makes it terminal. ScreenConnect’s extension mechanism unpacks uploaded archives, and the unpacking didn’t constrain where files landed, a classic “zip slip.” An attacker with the admin account they just minted uploads a poisoned extension, and the archive writes an ASPX web shell into a server-controlled directory. ScreenConnect runs as SYSTEM, so the shell does too. Auth bypass gets you in; the traversal gets you SYSTEM-level code execution. The CVSS 10 was the door. The 8.4 was the floor giving way behind it.
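The zip-slip class described above, shown from the defender's side: an added example (not ConnectWise's code) of the containment check an archive unpacker needs, run against a constructed extension archive that contains one benign entry and one entry whose name walks out of the extraction root. Paths and the `App_Extensions` root are assumptions for illustration.

```python
import io
import os
import zipfile


def build_sample_archive() -> bytes:
    """Constructed extension archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Extension/manifest.xml", "<Manifest/>")
        # Entry name escapes the extraction root; content is a placeholder.
        zf.writestr("../../Bin/planted.aspx", "<!-- placeholder -->")
    return buf.getvalue()


def contained_path(dest_root: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a path under dest_root.

    Both separators are treated as separators because the archive may have
    been built on Windows; absolute names and '..' hops are caught by the
    final commonpath comparison rather than by string matching.
    """
    root = os.path.realpath(dest_root)
    normalized = member_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(root, normalized))
    return os.path.commonpath([root, target]) == root


def classify_entries(archive_bytes: bytes, dest_root: str) -> dict:
    """Sort archive entries into 'safe' and 'escapes' without writing anything."""
    verdict = {"safe": [], "escapes": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            bucket = "safe" if contained_path(dest_root, name) else "escapes"
            verdict[bucket].append(name)
    return verdict


def extract_safely(archive_bytes: bytes, dest_root: str) -> list:
    """Hardened unpack: refuse the whole archive if any entry would escape."""
    verdict = classify_entries(archive_bytes, dest_root)
    if verdict["escapes"]:
        raise ValueError(f"refusing archive, traversal entries: {verdict['escapes']}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in verdict["safe"]:
            zf.extract(name, dest_root)
            written.append(os.path.join(dest_root, name))
    return written
```

Rejecting the whole archive, rather than skipping the bad entry, is deliberate: a partially installed extension is itself a state the application never tested.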
What happened in 2024
Exploitation was fast and broad. Within roughly a day of the patch, proof-of-concept code was public and opportunistic scanning was underway. Shadowserver counted about 3,800 vulnerable internet-facing instances on February 20; Unit 42 observed 18,188 unique IPs hosting ScreenConnect globally on February 21, a count that includes patched and unpatched alike. Censys tracked the vulnerable population falling from 6,000-plus on February 19 to 3,434 by February 27, which is a fast remediation curve by the standard of edge software, and still left thousands exposed during the worst week.
The post-exploitation was the part that mattered. Huntress and others observed LockBit, Black Basta, and Play affiliates using the access to deploy encryptors, alongside Cobalt Strike beacons, cryptominers, and additional remote-access tooling. That’s why the KEV entry for the auth bypass carries the ransomware flag, and why CISA set the original due date a week out instead of the usual two to three.
The reason this hit so hard is the same reason BeyondTrust and SimpleHelp keep showing up in this catalog: ScreenConnect is remote-management software. Compromising one server is rarely the goal. The server is a control plane for every endpoint it manages, so an RMM compromise is a built-in distribution channel into every downstream client. For a managed service provider running ScreenConnect, one unpatched instance is not one victim.
So why KEV the second half now
Here’s the honest answer: the public record doesn’t explain the timing, and I’m not going to invent a reason. CISA doesn’t publish per-entry rationale, and there’s no advisory tying CVE-2024-1708’s April 2026 addition to a specific new campaign. What we can say is what the catalog rules imply.
KEV inclusion requires evidence of active exploitation, not just a public PoC. The auth bypass cleared that bar instantly in 2024 because it was the headline CVE every scanner and report keyed on. The path traversal was always part of the same chain, but it was the quieter half, the implementation detail behind the RCE rather than the named door. A 2026 addition with a present-tense deadline most plausibly means CISA now has its own exploitation evidence specifically tagged to 1708, or it’s tightening the catalog so the full chain is enumerated rather than just its loudest link. Both readings point the same direction operationally, so you don’t need to resolve which it is.
What the gap should not do is make anyone think this is a new bug. It isn’t. If you’re running on-premise ScreenConnect and you patched to 23.9.8 or later at any point in the last two years, you are covered for both CVEs by that single build. There is nothing new to apply.
What to actually do
The action splits cleanly by where you stand.
- If you’re on 23.9.8 or later: you’re patched for both. The May 12 deadline is already met. No deployment work. Verify the build number in your admin console and move on.
- If you’re still on 23.9.7 or earlier: you have been running an unauthenticated, SYSTEM-level, ransomware-associated RCE exposed to whoever can reach the management interface, for over two years. Patching is not the urgent question anymore. Assume compromise, hunt for unexpected administrator accounts, ASPX files in web-accessible directories, and unfamiliar extensions, then rebuild rather than trust the box.
- Regardless of version: the ScreenConnect management interface should not be open to the internet. Put it behind VPN or IP allowlisting. The entire 2024 event ran through instances that answered to anyone.
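One retrospective check that fits the hunt above, added here as an example rather than anything from the original post: on an already-configured server, requests to /SetupWizard.aspx/ with a trailing segment have no legitimate reason to exist, so any access log that fronts the management interface can be swept for them. The W3C-format log excerpt is constructed, and the assumption is that you have such a log from the web server or proxy in front of ScreenConnect.

```python
import re

# Constructed W3C access-log excerpt for a configured ScreenConnect server.
# Addresses are documentation ranges; nothing here is a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-02-21 03:12:07 10.0.0.5 GET /Login - 8040 203.0.113.10 200
2024-02-21 03:12:09 10.0.0.5 GET /SetupWizard.aspx/x - 8040 203.0.113.10 200
2024-02-21 03:12:11 10.0.0.5 POST /SetupWizard.aspx/x - 8040 203.0.113.10 302
2024-02-21 03:15:40 10.0.0.5 GET /Host - 8040 203.0.113.10 200
2024-02-21 04:00:01 10.0.0.5 GET /SetupWizard.aspx - 8040 198.51.100.7 200
"""

# Only the trailing-slash form is suspicious on a configured server; a bare
# /SetupWizard.aspx request is what legitimate first-run setup looks like.
SETUP_WIZARD_PROBE = re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE)


def parse_w3c(text: str) -> list:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_setup_wizard_hits(rows: list) -> list:
    """Return rows whose URI stem matches the auth-bypass request shape."""
    return [r for r in rows if SETUP_WIZARD_PROBE.search(r.get("cs-uri-stem", ""))]


def hits_by_source(rows: list) -> dict:
    """Count matching requests per client address for triage."""
    counts = {}
    for r in find_setup_wizard_hits(rows):
        counts[r["c-ip"]] = counts.get(r["c-ip"], 0) + 1
    return counts
```

A hit followed by a new administrator account in the ScreenConnect audit trail is the sequence the 2024 write-ups describe, so cross-reference the timestamps rather than treating the log match alone as confirmation.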
There’s a structural takeaway here too. A KEV deadline is a signal about exploitation, not a clock that starts when the entry is published. CVE-2024-1708 was as dangerous on February 21, 2024, as it is on its 2026 due date; the catalog just caught up to naming it. If your vulnerability management program treats KEV addition as the moment a bug becomes real, you’ll always be reacting to the announcement instead of the exploitation, and those two events can sit two years apart.
That gap, between when a thing starts getting used and when it gets a deadline, is the whole reason a daily read of the catalog beats a quarterly one. We flag every KEV addition the day it lands, including the ones that are really just the second half of a chain you should have closed in 2024.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2024-1709 — 2024-02-21
- NVD CVE-2024-1708 — 2024-02-21
- ConnectWise ScreenConnect 23.9.8 security bulletin — 2024-02-19
- Huntress: SlashAndGrab, the ScreenConnect vulnerability explained — 2024-02
- Unit 42 threat brief: ConnectWise ScreenConnect — 2024-02
- Censys: ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 — 2024-02
- SecurityWeek: SlashAndGrab widely exploited for malware delivery — 2024-02