CISA Just Flagged ScreenConnect: 5 Questions to Ask Your IT Provider
CISA added ConnectWise ScreenConnect to its exploited vulnerabilities list. Here are 5 questions to ask your IT provider about RMM tool security.

On April 28, 2026, CISA added ConnectWise ScreenConnect (CVE-2024-1708) to its Known Exploited Vulnerabilities catalog after confirming active exploitation by threat actors deploying Medusa ransomware. The vulnerability was patched in February 2024. Over two years later, attackers are still finding unpatched ScreenConnect servers and using them to access client networks. If your IT provider uses remote access tools to manage your systems, this is a conversation you need to have with them this week.
What RMM Tools Are and Why They Matter to You
Remote Monitoring and Management (RMM) tools are software platforms that IT providers install on your servers and workstations to monitor, patch, and troubleshoot your systems remotely. ConnectWise ScreenConnect, Datto, NinjaOne, and similar products are standard across the managed IT industry. Every MSP uses at least one of these tools to deliver support without having to physically sit at your desk.
From a business perspective, RMM tools are what make managed IT services cost-effective. They allow a team of technicians to support hundreds of endpoints across dozens of client networks from a central console. Your provider’s help desk, patching workflows, and monitoring all flow through this software.
The security implication is straightforward: if an attacker compromises your IT provider’s RMM platform, they gain the same access your provider has. That means administrative control over every server and workstation the tool manages. One compromised RMM server can give an attacker a direct tunnel into dozens or hundreds of client networks simultaneously.
The ScreenConnect Exploitation Timeline
CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that allows remote code execution on unpatched servers. ConnectWise released a patch in February 2024 and urged all customers to update immediately. The timeline since then shows why patching alone isn’t a complete strategy when it comes to IT supply chain tools:
- February 2024: ConnectWise patches CVE-2024-1708 and CVE-2024-1709 (authentication bypass). Security researchers begin publishing proof-of-concept exploits within days.
- March 2024 onward: Multiple threat actors begin exploiting unpatched ScreenConnect instances. CISA, the FBI, and HHS issue joint advisories warning healthcare organizations in particular.
- 2025-2026: Microsoft Threat Intelligence links ongoing exploitation to Storm-1175, a China-linked threat actor using compromised ScreenConnect servers to deploy Medusa ransomware against targets in multiple sectors.
- April 28, 2026: CISA formally adds CVE-2024-1708 to the KEV catalog, setting a May 12, 2026 remediation deadline for all federal agencies and contractors.
The pattern is clear: a vulnerability that was patched over two years ago is still being actively exploited because too many organizations never applied the fix. For business owners, this raises an uncomfortable question. You trust your IT provider to patch your systems. But who patches theirs?
Why RMM Tools Are High-Value Targets
Attackers target RMM platforms for the same reason bank robbers target armored trucks rather than individual wallets: the return on investment is far higher. A single compromised RMM server gives an attacker:
- Access to every client network that provider manages through that server
- Administrative privileges on managed endpoints, since RMM agents typically run with system-level permissions
- Trusted communication channels that bypass most security tools, because the traffic looks like normal IT management activity
- Deployment capabilities to push malware, ransomware, or credential-harvesting tools to hundreds of machines with a single action
This is supply chain risk in its most direct form. You may have strong endpoint detection on your workstations, enforce MFA on your applications, and train your employees to spot phishing. But if your IT provider’s management console gets compromised, the attacker arrives through a trusted channel that your security tools are designed to allow.
The Storm-1175 campaigns that prompted the CISA KEV addition used exactly this approach. The group compromised ScreenConnect servers belonging to IT providers, then used those servers’ existing agent connections to deploy Medusa ransomware directly onto client machines without triggering the usual detection mechanisms.
5 Questions to Ask Your IT Provider This Week
You don’t need to understand the technical details of CVE-2024-1708 to have this conversation. You need to know whether your provider treats their own tooling with the same urgency they bring to your systems. Here are five questions to ask:
1. What remote access tools do you use on our network, and are they fully patched?
Your provider should be able to name every RMM and remote access tool installed on your systems and confirm the current version. If they use ScreenConnect, ask specifically whether they’ve patched to a version released after February 2024. If they can’t answer immediately, that’s a red flag.
2. Do you enforce multi-factor authentication on your RMM platform?
MFA on the management console is table stakes. If a technician’s credentials get phished or leaked in a breach, MFA is the barrier between that credential and access to every client network. Ask whether MFA is enforced for all technician accounts, not just recommended.
3. Do you limit which technicians can access our specific systems?
Role-based access control matters. Not every technician on your provider’s team should have unrestricted access to every client’s environment. Ask whether your provider uses least-privilege access, where technicians only get access to the specific systems they need to support.
4. Do you monitor for anomalous remote sessions on our systems?
Normal remote support sessions follow patterns: business hours, known technician accounts, expected durations. An attacker using a compromised RMM tool will create sessions outside those patterns. Ask whether your provider monitors for unusual session activity and whether their SOC would flag a 2 AM remote session from an unfamiliar account.
5. Do you have an incident response plan if your own tools get compromised?
This is the question most providers haven’t thought through. Everyone has a plan for when a client gets breached. Fewer have a plan for when their own management infrastructure is the attack vector. Ask your provider what they would do, specifically, if they discovered their RMM platform had been compromised. How would they notify you? How quickly? What containment steps would they take?
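The session patterns named in question 4 (business hours, known technician accounts, expected durations) can be checked mechanically against a session export. The sketch below is an added example, not code from the original article or from any RMM vendor; the log format, account names, hostnames, and thresholds are constructed assumptions.

```python
from datetime import datetime, time, timedelta

# Assumed baseline for illustration; a real one comes from the provider's records.
KNOWN_TECHNICIANS = {"jsmith", "mlopez"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
MAX_DURATION = timedelta(hours=2)

# Constructed sample export, one session per line: start,end,technician,endpoint
SAMPLE_LOG = """\
2026-04-27T09:14:00,2026-04-27T09:41:00,jsmith,FS01
2026-04-27T14:02:00,2026-04-27T17:30:00,mlopez,WS-ACCT-03
2026-04-28T02:07:00,2026-04-28T02:19:00,svc-backup2,DC01
2026-04-26T11:00:00,2026-04-26T11:20:00,jsmith,WS-HR-01
"""

def parse_sessions(text):
    """Yield (start, end, technician, endpoint); skip malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        try:
            start = datetime.fromisoformat(parts[0])
            end = datetime.fromisoformat(parts[1])
        except ValueError:
            continue
        yield start, end, parts[2], parts[3]

def session_flags(start, end, technician):
    """Return the list of baseline deviations for one session."""
    flags = []
    if technician.lower() not in KNOWN_TECHNICIANS:
        flags.append("unknown-account")
    # Weekends (weekday 5 and 6) and starts outside 07:00-19:00 count as off-hours.
    if start.weekday() >= 5 or not (BUSINESS_START <= start.time() < BUSINESS_END):
        flags.append("off-hours")
    if end < start or end - start > MAX_DURATION:
        flags.append("unusual-duration")
    return flags

def review(text):
    """Return (start, technician, endpoint, flags) for every flagged session."""
    findings = []
    for start, end, tech, endpoint in parse_sessions(text):
        flags = session_flags(start, end, tech)
        if flags:
            findings.append((start.isoformat(), tech, endpoint, flags))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A 2 AM session from an account outside the known-technician list carries two flags at once, which is the combination worth routing to a human first.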
What Good Answers Look Like
A mature IT provider should be able to answer all five questions without hesitation. They should know exactly which tools run on your systems, confirm they patch their own infrastructure on the same aggressive timeline they use for yours, and demonstrate that they’ve thought through the scenario where their tools become the attack vector.
If your provider gets defensive, deflects, or can’t provide specifics, it’s worth escalating the conversation. You’re not questioning their competence; you’re asking them to demonstrate the same security discipline they expect from you when they recommend cybersecurity training or endpoint protection.
The CISA KEV deadline of May 12 adds urgency for any organization doing business with the federal government or defense contractors pursuing CMMC compliance. But even if you’re outside that mandate, an actively exploited vulnerability in a tool that has administrative access to your network is something that demands immediate confirmation from your provider.
The Broader Lesson: Supply Chain Risk Is Your Risk
The ScreenConnect situation illustrates a category of risk that most SMB leaders don’t think about until it affects them directly. Your security posture is only as strong as the weakest link in your supply chain, and your IT provider’s internal tooling is part of that chain.
This doesn’t mean you should distrust managed IT. The alternative, managing everything in-house without the tools and expertise an MSP brings, creates different and often larger gaps. It means you should treat your IT provider’s security practices as part of your own risk management, the same way you’d evaluate a payroll processor’s data protection or a cloud vendor’s certifications.
Ask the questions. Expect clear answers. Make it part of your annual provider review.