CVE-2024-1709 Explained: ConnectWise ScreenConnect Authentication Bypass (CVSS 10.0)
A path traversal authentication bypass in ConnectWise ScreenConnect — dubbed SlashAndGrab — that allows an unauthenticated attacker to run the setup wizard and create a new admin account, instantly compromising all managed endpoints.
CVE-2024-1709 is a CVSS 10.0 authentication bypass in ConnectWise ScreenConnect, the remote monitoring and management platform used by MSPs and IT teams to remotely administer client endpoints. Dubbed SlashAndGrab by Huntress researchers, the vulnerability bypasses authentication with a single trailing slash added to the setup wizard URL, allowing any unauthenticated user to create a new administrator account on a fully configured ScreenConnect instance.
ConnectWise disclosed the vulnerability on February 19, 2024. Mass exploitation by ransomware groups began within 48 hours. The attack surface is particularly dangerous in MSP environments: a single compromised ScreenConnect server provides authenticated remote access to every endpoint under management — potentially thousands of machines across multiple client organisations.
How CVE-2024-1709 Works: One Slash Bypasses Authentication
After ScreenConnect is initially configured, the setup wizard (/SetupWizard.aspx) is locked behind authentication — navigating to it redirects unauthenticated users to the login page. This restriction is implemented in the authentication middleware.
The bypass is a URL parsing inconsistency. When the URL contains an additional trailing slash — /SetupWizard.aspx/ — the middleware evaluates the path differently and does not apply the authentication requirement. The setup wizard then renders fully for the unauthenticated user, allowing them to create new administrator credentials as if performing a fresh installation.
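The inconsistency described above, as an added example that is not ConnectWise's code: a simplified model in which the access filter compares the raw request path while the router ignores anything after the page name. The function names and the router's path-info behaviour are assumptions made for illustration; the hardened filter makes its decision on the page the router will actually run.

```python
import re

SETUP_PAGE = "/SetupWizard.aspx"
# Assumed router behaviour: "/Page.aspx/anything" still resolves to "/Page.aspx".
PAGE = re.compile(r"^(.*?\.aspx)(?:/.*)?$", re.IGNORECASE)


def resolve_handler(path: str) -> str:
    """Return the page the router would execute for this request path."""
    m = PAGE.match(path)
    return m.group(1) if m else path


def weak_filter_requires_auth(path: str, configured: bool) -> bool:
    """Flawed check: exact comparison against the raw request path."""
    return configured and path.lower() == SETUP_PAGE.lower()


def hardened_filter_requires_auth(path: str, configured: bool) -> bool:
    """Corrected check: compare the resolved handler, not the raw path."""
    return configured and resolve_handler(path).lower() == SETUP_PAGE.lower()


def serve(path: str, authenticated: bool, configured: bool, requires_auth) -> str:
    """Model one request: redirect to login or run the resolved page."""
    if requires_auth(path, configured) and not authenticated:
        return "302 /Login"
    return "200 " + resolve_handler(path)


if __name__ == "__main__":
    for flt in (weak_filter_requires_auth, hardened_filter_requires_auth):
        for p in ("/SetupWizard.aspx", "/SetupWizard.aspx/"):
            print(flt.__name__, p, "->", serve(p, False, True, flt))
```
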
With a new admin account, the attacker authenticates to the ScreenConnect admin panel and has full control: deploying software to any managed endpoint, initiating remote sessions, executing commands on any managed machine, and accessing stored credentials for managed environments.
Identify internet-exposed ScreenConnect servers
Scan for ScreenConnect login pages. The portal is identifiable by its banner and SSL certificate. Many on-premises deployments are internet-accessible for MSP remote access use cases.
Navigate to setup wizard with trailing slash
Request /SetupWizard.aspx/ (with trailing slash). The authentication middleware does not apply its check, and the setup wizard renders as if the server is unconfigured.
Create a new administrator account
Complete the setup wizard form, specifying a new admin username and password. ScreenConnect creates the account with full administrative privileges. The attacker now has legitimate admin credentials.
Log in and access all managed endpoints
Authenticate to the ScreenConnect admin panel. View and initiate sessions to all managed endpoints. Deploy software, execute commands, or install backdoors on any or all managed machines.
Deploy ransomware or persistence across managed fleet
Use ScreenConnect's file transfer and command execution capabilities to push malware across all managed endpoints simultaneously. Ransomware groups used this to achieve mass encryption across entire MSP client rosters.
Exploitation Timeline and Ransomware Impact
The exploitation window was extremely short. ConnectWise published the advisory on February 19, 2024 alongside the patched version 23.9.8. By February 21 — 48 hours later — Huntress documented active exploitation including ScreenConnect sessions being used to push Cobalt Strike beacons, web shells, and ransomware staging scripts across managed endpoints.
Multiple ransomware groups exploited CVE-2024-1709, including Black Basta and LockBit affiliates. The operational appeal is clear: instead of compromising one organisation at a time, a single unpatched MSP ScreenConnect server provides simultaneous access to every client the MSP manages. An attacker who compromised a mid-sized MSP's ScreenConnect server could potentially deploy ransomware across dozens of separate organisations in a single operation.
Sophos documented post-exploitation activity including deployment of ScreenConnect agents as a secondary persistence mechanism — attackers installed their own legitimate ScreenConnect sessions alongside the compromised admin account to maintain access even after credentials were reset.
“The vulnerability is trivially exploitable with a simple HTTP request. We observed threat actors moving from initial access to deployed Cobalt Strike within hours of gaining control of a ScreenConnect server.”
— Huntress SlashAndGrab analysis, February 2024
Patching and Remediating CVE-2024-1709
The fix requires upgrading to ScreenConnect 23.9.8. Post-patch remediation for exposed instances requires audit of both the ScreenConnect server and all managed endpoints.
Upgrade to ScreenConnect 23.9.8 immediately
On-premises deployments must be manually upgraded. Navigate to Administration > Updates and apply the 23.9.8 package, or download directly from ConnectWise. Cloud-hosted instances were automatically updated. Verify the upgrade by checking the version in Administration > General.
Audit all ScreenConnect administrator accounts
Review the full administrator account list in the ScreenConnect admin panel. Remove any accounts not created by your team. Pay attention to accounts created around the exploitation window (February 19–22, 2024). Reset credentials for all legitimate admin accounts.
Review ScreenConnect session logs for unauthorized access
Check the ScreenConnect session log for remote sessions initiated by the attacker account. Identify which managed endpoints were accessed. Each accessed endpoint requires individual investigation for malware deployment.
Investigate accessed managed endpoints for compromise
For every endpoint reached via attacker ScreenConnect sessions: check for new scheduled tasks, new user accounts, installed software, dropped files in temp directories, and persistence mechanisms. Deployed Cobalt Strike beacons are a confirmed post-exploitation tool used in CVE-2024-1709 campaigns.
Restrict ScreenConnect to non-public networks
ScreenConnect should be accessible only via VPN or from allowlisted IP ranges. Internet-facing ScreenConnect deployments amplify the impact of authentication vulnerabilities by exposing them to mass automated exploitation. Firewall restriction is the primary defence against future vulnerabilities of this class.
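To support the log review above, the following added example (not from ConnectWise or Huntress) scans web access logs for requests to the setup wizard path and separates the trailing-slash form that was served from requests that were redirected. It assumes a reverse proxy or web server in front of ScreenConnect writes combined-format access logs; the sample lines and addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined/common log format: client, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Setup wizard page, optionally followed by extra path info (the bypass shape).
SETUP = re.compile(r"^/setupwizard\.aspx(?P<extra>/.*)?$", re.IGNORECASE)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Feb/2024:03:11:02 +0000] "GET /SetupWizard.aspx HTTP/1.1" 302 0
198.51.100.7 - - [20/Feb/2024:03:11:05 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 5120
198.51.100.7 - - [20/Feb/2024:03:11:19 +0000] "POST /SetupWizard.aspx/ HTTP/1.1" 200 4876
203.0.113.20 - - [21/Feb/2024:08:40:00 +0000] "GET /setupwizard.aspx/ HTTP/1.1" 302 0
192.0.2.44 - - [21/Feb/2024:09:00:00 +0000] "GET /Login HTTP/1.1" 200 2048
"""


def find_setup_wizard_hits(log_text: str) -> list[dict]:
    """Return one record per request that targets the setup wizard page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Drop the query string and decode before matching.
        path = unquote(urlsplit(m["target"]).path)
        s = SETUP.match(path)
        if not s:
            continue
        status = int(m["status"])
        bypass_shape = s["extra"] is not None
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": path, "status": status, "bypass_shape": bypass_shape,
            # 200 on the trailing-slash form means the wizard rendered
            # instead of redirecting to login.
            "served": bypass_shape and status == 200,
        })
    return hits


def suspect_clients(hits: list[dict]) -> list[str]:
    """Clients that were actually served the wizard via the bypass shape."""
    return sorted({h["ip"] for h in hits if h["served"]})
```

Any client returned by `suspect_clients` is a starting point for the administrator-account and session-log audit; requests that were only redirected still show the server was probed.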
The bottom line
CVE-2024-1709 illustrates why MSP tooling is a high-priority target for ransomware groups. A single vulnerability in a remote access platform deployed by a service provider results in simultaneous access to all managed clients — a force multiplier that transforms one server compromise into dozens or hundreds of organisational breaches. The economics for attackers are exceptional.
If your organisation uses an MSP that deploys ScreenConnect, you were at risk regardless of whether your own ScreenConnect deployment was patched. Ask your MSP whether their ScreenConnect instance was patched before exploitation began (February 19–21, 2024) and whether they have conducted endpoint investigation across their managed estate. The burden of due diligence falls on both parties.
Frequently asked questions
What is CVE-2024-1709 (SlashAndGrab)?
CVE-2024-1709 is a CVSS 10.0 authentication bypass in ConnectWise ScreenConnect. A trailing slash appended to the setup wizard URL (/SetupWizard.aspx/) bypasses the authentication middleware that normally blocks access to the setup page on an already-configured installation. An unauthenticated attacker can then run the setup wizard to create a new administrator account, gaining full control of the ScreenConnect server and all managed endpoints.
Why is a ScreenConnect compromise particularly dangerous?
ScreenConnect is a remote monitoring and management (RMM) platform used by MSPs (managed service providers) and IT teams to remotely control client endpoints. A compromised ScreenConnect server gives the attacker remote control over every computer managed through that server — potentially thousands of endpoints across multiple organisations. The attacker has the same access as a legitimate system administrator on every managed device.
Was CVE-2024-1709 exploited in the wild?
Yes, within 48 hours of ConnectWise's advisory. Huntress documented active exploitation including web shell deployment, Cobalt Strike installation, and ransomware staging. LockBit and Black Basta ransomware groups were confirmed exploiting CVE-2024-1709. CISA added it to the KEV catalog on February 22, 2024 with a federal remediation deadline of March 7, 2024.
How do I fix CVE-2024-1709?
Upgrade ScreenConnect to version 23.9.8 or later. ConnectWise Cloud-hosted ScreenConnect instances were automatically updated. On-premises deployments require manual upgrade. After patching, audit all administrator accounts, review connection logs for unexpected sessions, and check all managed endpoints for malware deployment via ScreenConnect sessions.
Is CVE-2024-1709 related to CVE-2024-1708?
Yes. CVE-2024-1708 is a path traversal vulnerability in ScreenConnect (CVSS 8.4) disclosed alongside CVE-2024-1709 in the same advisory. CVE-2024-1708 allows an authenticated attacker to write files outside the intended directory. The two vulnerabilities are often discussed together, but CVE-2024-1709 is the more critical because it requires no authentication.
Sources & references
- NVD
- ConnectWise Security Advisory — ScreenConnect 23.9.8
- Huntress — SlashAndGrab: ScreenConnect Post-Exploitation in the Wild
- CISA Known Exploited Vulnerabilities Catalog
- Sophos X-Ops — ScreenConnect CVE-2024-1709 Under Active Exploitation

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
