
ScreenConnect CVE-2024-1708: Medusa Ransomware Threat to SAMA Banks

CISA added ConnectWise ScreenConnect CVE-2024-1708 to the KEV catalog on April 28, 2026, after China-linked Storm-1175 and North Korean Kimsuky weaponized the path-traversal flaw to deploy Medusa ransomware and ToddlerShark malware against managed service providers and their downstream customers.

FyntraLink Team

On April 28, 2026, CISA added ConnectWise ScreenConnect CVE-2024-1708 to the Known Exploited Vulnerabilities catalog after confirming in-the-wild abuse by both Chinese financially motivated actor Storm-1175 and North Korean state-sponsored Kimsuky. With a federal remediation deadline of May 12, 2026, and Medusa ransomware affiliates already weaponizing the flaw against MSPs, the threat extends directly into the remote access stack used by Saudi financial institutions and their third-party support vendors.

What CVE-2024-1708 Actually Does

CVE-2024-1708 is a path-traversal "Zip Slip" defect in the ScreenConnect extension handling mechanism, scoring 8.4 on CVSS. Vulnerable versions failed to validate filenames inside uploaded zip archives, so an attacker who can authenticate as an extension manager — or who chains the flaw with the unauthenticated CVE-2024-1709 (CVSS 10.0) — can drop arbitrary files anywhere on the host, typically a webshell into the ScreenConnect application root. Once the webshell is live, the operator owns the management server, and through it every endpoint where the ScreenConnect agent is installed.
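The defect class is easy to see in code. The following Python example is added to this post and is not ScreenConnect's own code: it models an extension-package extractor that computes destination paths with and without entry-name validation, using a constructed zip that contains one legitimate entry and two traversal entries (the root directory and file names are placeholders).

```python
import io
import posixpath
import zipfile

def entry_is_safe(name: str) -> bool:
    """Accept a zip entry name only if it stays inside the extraction root.
    Separators are normalised first because the server runs on Windows and a
    backslash traversal has to be caught as well as a forward-slash one."""
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False                      # absolute path or drive letter
    collapsed = posixpath.normpath(normalised)
    return collapsed != ".." and not collapsed.startswith("../")

def plan_extraction(zip_bytes: bytes, root: str, validate: bool) -> dict:
    """Compute where each entry would land without writing anything to disk.
    validate=False mirrors the unvalidated behaviour described in the post;
    validate=True is the corrected behaviour."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if validate and not entry_is_safe(info.filename):
                rejected.append(info.filename)
                continue
            target = posixpath.join(root, info.filename.replace("\\", "/"))
            accepted.append(posixpath.normpath(target))
    return {"accepted": accepted, "rejected": rejected}

def build_sample_zip() -> bytes:
    """Constructed package: one legitimate entry plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyExtension/Manifest.xml", "<Manifest/>")
        zf.writestr("../../placeholder.txt", "constructed")         # forward-slash traversal
        zf.writestr("..\\..\\Bin\\placeholder.txt", "constructed")  # Windows-style traversal
    return buf.getvalue()
```

Run `plan_extraction(build_sample_zip(), "<extension staging dir>", validate=False)` to see the two traversal entries resolve outside the staging directory; with `validate=True` both are rejected and only the manifest is accepted.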

Why Storm-1175 and Kimsuky Picked This Target

Microsoft Threat Intelligence attributes a high-tempo Medusa ransomware campaign to Storm-1175, a China-based group that has repeatedly weaponized public-facing flaws within 24 hours of disclosure. The group uses ScreenConnect access for lateral movement via PDQ Deployer, then pushes Medusa payloads across all reachable endpoints in a single sweep. Kimsuky's track record is different but the entry point is the same: the group leverages CVE-2024-1708 to deploy ToddlerShark, a polymorphic loader that abuses signed Microsoft binaries, modifies Defender and SmartScreen registry keys, and persists through scheduled tasks for long-running intelligence collection. CISA, FBI, and MS-ISAC have together attributed Medusa-related intrusions to over 300 critical infrastructure victims across the United States, with financial services prominent among them.

Impact on Saudi Financial Institutions

ConnectWise ScreenConnect is widely used in Saudi Arabia by IT outsourcers, branch support vendors, ATM service partners, and managed security providers — exactly the third parties that touch SAMA-regulated environments. SAMA Cyber Security Framework v1.0 control 3.3.14 (Cyber Security Standards for Third Parties) and the broader CSCC requirements demand documented assurance that vendor remote access tooling is patched, segmented, and monitored. NCA ECC subdomain 2-6 (Networks Security) and 2-7 (Mobile Devices Security), together with subdomain 4 (Third-Party and Cloud Computing Cybersecurity), make the same expectation explicit. A compromised ScreenConnect management server inside an MSP gives an attacker a persistent foothold into multiple downstream banks simultaneously, turning a single supplier breach into a supervisory-grade incident under SAMA notification rules and a personal data exposure event under PDPL Article 21.

Detection and Containment Guidance

Patched builds are ScreenConnect 23.9.10.9001 and later for self-hosted instances; ConnectWise Cloud customers were updated automatically. Saudi CISOs should not stop at patching — Storm-1175 is known to leave webshells and scheduled-task persistence even after the vulnerability is closed. Hunt for unexpected files under the App_Extensions directory, anomalous PowerShell invocations launched by ScreenConnect.WindowsBackend.exe, and outbound connections to known Medusa command-and-control infrastructure. Pair this with Sysmon Event ID 1 baselines and EDR rules tuned for ToddlerShark's living-off-the-land behaviors.
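As an added example (not part of the original guidance or of any vendor tooling), the Python below applies the hunts above to Sysmon-style events: Event ID 1 children of ScreenConnect.WindowsBackend.exe checked against a baseline and an interpreter list, and Event ID 11 file creations of web-script types under the ScreenConnect install root. The install path, the baseline child names and the extension list are assumptions to tune per environment, and the events are constructed, not real telemetry.

```python
import ntpath

# Assumed install root; constructed events as a SIEM might normalise Sysmon output.
SC_ROOT = r"C:\Program Files (x86)\ScreenConnect"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-04-29 02:11:07",
     "ParentImage": SC_ROOT + r"\Bin\ScreenConnect.WindowsBackend.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <constructed>"},
    {"EventID": 1, "UtcTime": "2026-04-29 02:11:09",
     "ParentImage": SC_ROOT + r"\Bin\ScreenConnect.WindowsBackend.exe",
     "Image": SC_ROOT + r"\Bin\ScreenConnect.Client.exe", "CommandLine": "ScreenConnect.Client.exe"},
    {"EventID": 11, "UtcTime": "2026-04-29 02:10:55", "Image": SC_ROOT + r"\Bin\ScreenConnect.Service.exe",
     "TargetFilename": SC_ROOT + r"\App_Extensions\0a1b\Manifest.xml"},   # normal extension install
    {"EventID": 11, "UtcTime": "2026-04-29 02:10:56", "Image": SC_ROOT + r"\Bin\ScreenConnect.Service.exe",
     "TargetFilename": SC_ROOT + r"\placeholder.aspx"},                    # script dropped in app root
]

# Assumed baseline of children the backend legitimately launches in this environment.
BASELINE_CHILDREN = {"screenconnect.client.exe", "screenconnect.clientsetup.exe"}
# Interpreters and living-off-the-land binaries the backend should never spawn.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "certutil.exe", "regsvr32.exe"}
WEB_SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".ps1", ".bat", ".vbs"}   # assumed hunt set

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def _under(path: str, root: str) -> bool:
    # Case-insensitive prefix match on normalised Windows paths.
    return ntpath.normcase(ntpath.normpath(path)).startswith(ntpath.normcase(ntpath.normpath(root)) + "\\")

def hunt(events: list) -> list:
    """Return one finding per suspicious event; benign events produce nothing."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and _base(ev["ParentImage"]) == "screenconnect.windowsbackend.exe":
            child = _base(ev["Image"])
            if child in INTERPRETERS:
                findings.append({"time": ev["UtcTime"], "severity": "high",
                                 "rule": "backend_spawned_interpreter", "detail": ev["CommandLine"]})
            elif child not in BASELINE_CHILDREN:
                findings.append({"time": ev["UtcTime"], "severity": "medium",
                                 "rule": "backend_child_outside_baseline", "detail": ev["Image"]})
        elif ev["EventID"] == 11 and _under(ev["TargetFilename"], SC_ROOT):
            if ntpath.splitext(ev["TargetFilename"])[1].lower() in WEB_SCRIPT_EXT:
                findings.append({"time": ev["UtcTime"], "severity": "high",
                                 "rule": "script_dropped_under_screenconnect_root",
                                 "detail": ev["TargetFilename"]})
    return findings
```

Build the baseline from a clean period of Event ID 1 data before enabling the medium-severity rule, otherwise legitimate updater or installer children will page the SOC.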

Recommended Actions for SAMA-Regulated Entities

  1. Inventory every ConnectWise ScreenConnect instance — including those hosted by managed service providers — and confirm the patch level is at or above 23.9.10.9001 within 72 hours.
  2. Issue a formal request under your SAMA-aligned vendor risk program asking each MSP to attest in writing that CVE-2024-1708 and CVE-2024-1709 are remediated, with timestamped evidence.
  3. Threat-hunt for indicators of compromise published by Microsoft, Huntress, and CISA covering Storm-1175, Medusa, and Kimsuky's ToddlerShark loader across the last 90 days.
  4. Restrict ScreenConnect management consoles behind privileged access workstations and require phishing-resistant MFA, mapping the control to NCA ECC 2-2-3 (Multi-Factor Authentication).
  5. Update your incident response playbook to treat any ScreenConnect anomaly as a presumed breach and trigger SAMA notification timelines under the Cyber Incident Reporting Standard.
  6. Validate that immutable backups exist for core banking, SWIFT-adjacent systems, and ATM management — Medusa's standard playbook is to delete shadow copies before encryption.

Conclusion

CVE-2024-1708 is the canonical example of why third-party remote access is now a board-level cybersecurity risk in the Saudi financial sector. The same tool that lets an outsourcer fix an ATM at 3 a.m. is the tool that lets Medusa encrypt the same ATM fleet at 3:05 a.m. Treat the May 12 CISA deadline as your internal floor, not your ceiling, and align the remediation evidence trail with what SAMA and NCA examiners will eventually ask to see.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes third-party remote access exposure mapping and Medusa-aligned threat hunting baselines.