
HIGH: Storm-1175 Chains ConnectWise ScreenConnect Bugs to Drop Medusa Ransomware (CVE-2024-1708)

CISA added the two-year-old ConnectWise ScreenConnect path traversal flaw CVE-2024-1708 to its Known Exploited Vulnerabilities catalog on April 28, 2026, after China-aligned Storm-1175 was caught chaining it with the SlashAndGrab auth bypass CVE-2024-1709 to deploy Medusa ransomware through compromised MSP infrastructure. Federal agencies have until May 12 to remediate.

By Danny Mercer, CISSP — Lead Security Analyst Apr 29, 2026

ScreenConnect's path traversal flaw is back in the news, which is impressive for a bug ConnectWise patched two years ago. CISA dropped CVE-2024-1708 into the Known Exploited Vulnerabilities catalog on April 28, 2026, with a federal mitigation deadline of May 12. The hook this time is that Storm-1175, a China-aligned threat group with documented Medusa ransomware ties, has been quietly working through unpatched ScreenConnect instances and chaining them with the older CVE-2024-1709 authentication bypass to land on managed service provider infrastructure. From there the path to a ransomware payday is short, and several MSPs have already been on the wrong end of it.

The technical anchor is a path traversal vulnerability in ConnectWise ScreenConnect 23.9.7 and earlier. CVSS 3.1 places it at 8.4 with the vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H, classified as CWE-22 improper limitation of a pathname to a restricted directory. On its own that is bad enough, since an attacker who reaches the management interface can read and write files outside the intended tree and stage code execution. Chained with CVE-2024-1709, the SlashAndGrab authentication bypass that earned a flat CVSS 10.0 in early 2024, the prerequisite high privileges effectively disappear. The bypass gets an attacker administrative access, the path traversal turns that into remote code execution, and the resulting compromise of the ScreenConnect server is functionally a compromise of every endpoint that server manages.

ConnectWise shipped fixes in February 2024. ScreenConnect 23.9.8 closes both bugs in self-hosted deployments, and the cloud tenants were patched centrally by the vendor. The patches landed inside a 48-hour public-disclosure window after Huntress published its analysis, which was an unusually fast vendor response and reflected how thoroughly the issues were already being weaponized. By the time the patch dropped, mass-scanning operators and ransomware affiliates were already enumerating internet-exposed ScreenConnect instances. Two years later, the same scanning activity continues, and the population of unpatched servers, while smaller, is still nontrivial. Shadowserver's daily exposure feeds have shown a long tail of ScreenConnect instances on outdated versions throughout 2025 and into 2026.

Storm-1175, the actor named in Microsoft and CISA reporting on this campaign, is the same crew tied to multiple Medusa ransomware intrusions over the past 18 months. The pattern observed in current incidents follows a now-familiar script. Storm-1175 scans for vulnerable ScreenConnect deployments, chains the auth bypass with the path traversal to gain code execution on the ScreenConnect server, deploys reconnaissance tooling and credential collectors, then pivots downstream through the RMM agents the server controls. Because ScreenConnect lives precisely to push commands and code to thousands of managed endpoints, the lateral movement step is essentially built into the product. Push a ransomware loader to every connected machine, kick off Medusa, walk away with the ransom note. The Medusa group has been actively negotiating six and seven-figure ransoms throughout 2026, and several affiliates are running ScreenConnect-pivot intrusions specifically because the blast radius justifies the investment.

The KEV addition matters even though the underlying CVE is old. Federal civilian agencies now have a hard deadline of May 12, 2026 to remediate. Beyond the federal scope, the listing pushes the vulnerability into compliance frameworks that reference CISA KEV directly, which means contractors, healthcare organizations under HHS guidance, and a growing list of state and local entities are now formally on the hook to verify they are patched. For MSPs, the implication is sharper still. Any client in a regulated vertical can reasonably ask for evidence that their managed services provider has remediated the bug across the entire fleet, including the MSP's own internal ScreenConnect tenant.

Detection where exposure exists should focus on the indicators of the SlashAndGrab and path traversal chain. ScreenConnect server logs will show anomalous SetupWizard requests targeting the user.xml file, which is the canonical fingerprint of the auth bypass. Outbound connections from the ScreenConnect process to unusual destinations, particularly during off-hours, indicate post-exploitation activity. On managed endpoints, the RMM agent suddenly executing PowerShell payloads or downloading binaries from non-corporate domains is the downstream signal that the server above has been turned. Huntress, Sophos, and CrowdStrike have all published detection content for the original 2024 campaign, and most of those rules continue to fire on the current Storm-1175 activity because the tradecraft has not meaningfully changed.
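One way to hunt for the log fingerprints described above, as an added example that is not from the article, ConnectWise, or any of the vendors named; the "client method path status" log layout and the sample lines are constructed, and a real hunt would read the server's actual request log:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in an assumed "client method path status"
# layout; the real ScreenConnect log format is not shown in the article.
SAMPLE_LOG = """\
203.0.113.7 GET /Host 200
203.0.113.7 GET /SetupWizard.aspx 200
198.51.100.9 POST /SetupWizard.aspx/ 200
198.51.100.9 GET /App_Data/user.xml 200
192.0.2.55 GET /Bin/..%252f..%252fApp_Data%252fuser.xml 404
203.0.113.7 GET /Script.ashx 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." segment between separators

def classify_request(path: str, setup_complete: bool = True) -> list[str]:
    """Return the indicator names that one request path matches."""
    decoded = unquote(unquote(path))  # unwrap single and double URL encoding
    lowered = decoded.lower()
    hits = []
    if setup_complete and "setupwizard" in lowered:
        hits.append("setupwizard-after-setup")  # auth bypass fingerprint
    if "user.xml" in lowered:
        hits.append("user-xml-access")  # user/credential store touched
    if TRAVERSAL_RE.search(decoded):
        hits.append("path-traversal-sequence")  # CWE-22 style path
    return hits

def scan_log(text: str, setup_complete: bool = True) -> list[dict]:
    """Parse log lines; keep only requests that matched at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        hits = classify_request(m["path"], setup_complete)
        if hits:
            findings.append({"client": m["client"], "path": m["path"], "indicators": hits})
    return findings

def suspected_chain_clients(findings: list[dict]) -> set[str]:
    """Clients that hit the SetupWizard and also reached the user store or traversed paths."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f["client"], set()).update(f["indicators"])
    return {c for c, inds in seen.items()
            if "setupwizard-after-setup" in inds
            and inds & {"user-xml-access", "path-traversal-sequence"}}
```

Pass `setup_complete=False` only for the window in which a fresh install legitimately uses the SetupWizard; on a production server every SetupWizard request is worth a look.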

Mitigation for environments still running affected versions is unambiguous. Update self-hosted ScreenConnect to 23.9.8 or later immediately. The vendor has shipped multiple subsequent releases through 2025 and 2026, and any deployment more than a single major version behind should be treated as suspect even if it claims to be patched. Cloud-hosted tenants should already be remediated, but operators should verify their current build through the ConnectWise admin console anyway. Network controls help reduce blast radius even on patched servers. The ScreenConnect management interface should never be directly exposed to the internet without an additional authentication layer in front of it. Geographic IP filtering, mandatory VPN access, and SSO with phishing-resistant MFA are all reasonable hardening steps that an MSP can implement without disrupting client support workflows. ConnectWise itself recommends moving toward conditional access enforcement for the management plane, and the documentation has improved noticeably over the past year.

Threat hunting teams should specifically validate the integrity of the ScreenConnect installation directory, looking for unauthorized files in the App_Data path, modified user.xml entries, and any extension binaries that did not arrive through normal vendor channels. The path traversal flaw enabled writes outside the intended directory, so cleanup after a confirmed compromise needs to extend beyond the server installation tree itself. Forensic analysis of historical intrusions has surfaced web shells dropped to IIS configuration paths, scheduled tasks that re-establish persistence after a reboot, and registry modifications that disable defender services on the underlying Windows host. Wiping and reimaging the ScreenConnect server is the conservative answer once compromise is confirmed, and given the access ScreenConnect has to downstream environments, the conservative answer is usually the right one.

The MSP business angle on this story almost writes itself, which is unusual but appropriate. Every managed service provider that runs ScreenConnect, whether for their own clients or as a downstream tool inside a larger stack, is a potential Storm-1175 target. The conversation with prospective clients now includes a credible question: how does your MSP secure its own RMM infrastructure, and can you provide evidence of patch currency and access controls? MSPs that can answer that question with confidence have a competitive differentiator. Those who cannot have a problem. There is real upsell room here for security services around RMM hardening, dedicated MDR coverage of remote management infrastructure, and tabletop exercises specifically modeling RMM compromise scenarios. The same intrusion that ruins a competitor's quarter is a marketing case study for the MSP that invested in defense in depth.

The closing point is the same one that has applied since February 2024. ScreenConnect is critical infrastructure for the organizations that run it. CISA listing a two-year-old bug in April 2026 is a reminder that patch debt does not fade with time. Pull your inventory. Confirm every ScreenConnect instance in the environment is on a current build. Audit the access path to the management interface. Then turn the same audit on every other RMM and remote support tool in the stack, because the actors who run Storm-1175 playbooks do not limit themselves to one vendor.
