ConnectWise ScreenConnect versions 23.9.7 and prior contain a CWE-22 path traversal vulnerability that improperly limits pathname access to restricted directories. This flaw can be exploited by an attacker with high privileges and requiring user interaction to execute remote code or compromise confidentiality, integrity, and availability of affected systems. The CVSS 3.1 base score is 8.4, reflecting network attack vector, low attack complexity, required privileges, user interaction, and high impact on confidentiality, integrity, and availability. No patch or official remediation level has been disclosed by the vendor as of the publication date.

Successful exploitation could lead to remote code execution and unauthorized access to confidential data or critical systems, impacting confidentiality, integrity, and availability. The vulnerability requires high privileges and user interaction, which somewhat limits the attack surface but still poses a significant risk due to the potential impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected ScreenConnect versions and monitor for suspicious activity. Avoid running the software with unnecessary elevated privileges and limit user interaction vectors where possible.