KB-2295 Information about the ConnectWise ScreenConnect security advisory (CVE-2024-1708 & CVE-2024-1709)

On 19-Feb-2024, ConnectWise released a security advisory for all organizations using their ScreenConnect software on-premises offering for versions 23.9.7 and prior for a remote code execution vulnerability. Additionally, one of the described vulnerabilities was added to CISA’s Known Exploited Vulnerability catalog on 22-Feb-2024.

Upon assessing the Appian platform against all details of the CVE, we can confirm that the Appian platform is not impacted by the vulnerabilities described in the ConnectWise security advisory. We will continue to monitor the situation and provide any updates as appropriate.

Additional Notes

The following CVEs were released with additional information on the scope of the vulnerability:

• CVE-2024-1708 (“Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')”)
• CVE-2024-1709 (“ConnectWise ScreenConnect Authentication Bypass Vulnerability”)
  
  

Supporting Documentation

• https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: Feb 26, 2024