CVE-2024-1709 Explained: ConnectWise ScreenConnect Authentication Bypass (CVSS 10.0)
A path traversal authentication bypass in ConnectWise ScreenConnect, dubbed SlashAndGrab, that allows an unauthenticated attacker to run the setup wizard and create a new admin account, instantly compromising all managed endpoints.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2024-1709 is a CVSS 10.0 authentication bypass in ConnectWise ScreenConnect, the remote monitoring and management platform used by MSPs and IT teams to remotely administer client endpoints. Dubbed SlashAndGrab by Huntress researchers, the vulnerability bypasses authentication with a single trailing slash added to the setup wizard URL, allowing any unauthenticated user to create a new administrator account on a fully configured ScreenConnect instance.
ConnectWise disclosed the vulnerability on February 19, 2024. Mass exploitation by ransomware groups began within 48 hours. The attack surface is particularly dangerous in MSP environments: a single compromised ScreenConnect server provides authenticated remote access to every endpoint under management, potentially thousands of machines across multiple client organisations.
How CVE-2024-1709 Works: One Slash Bypasses Authentication
After ScreenConnect is initially configured, the setup wizard (/SetupWizard.aspx) is locked behind authentication, navigating to it redirects unauthenticated users to the login page. This restriction is implemented in the authentication middleware.
The bypass is a URL parsing inconsistency. When the URL contains an additional trailing slash, /SetupWizard.aspx/, the middleware evaluates the path differently and does not apply the authentication requirement. The setup wizard then renders fully for the unauthenticated user, allowing them to create new administrator credentials as if performing a fresh installation.
With a new admin account, the attacker authenticates to the ScreenConnect admin panel and has full control: deploying software to any managed endpoint, initiating remote sessions, executing commands on any managed machine, and accessing stored credentials for managed environments.
Identify internet-exposed ScreenConnect servers
Scan for ScreenConnect login pages. The portal is identifiable by its banner and SSL certificate. Many on-premises deployments are internet-accessible for MSP remote access use cases.
Navigate to setup wizard with trailing slash
Request /SetupWizard.aspx/ (with trailing slash). The authentication middleware does not apply its check, and the setup wizard renders as if the server is unconfigured.
Create a new administrator account
Complete the setup wizard form, specifying a new admin username and password. ScreenConnect creates the account with full administrative privileges. The attacker now has legitimate admin credentials.
Log in and access all managed endpoints
Authenticate to the ScreenConnect admin panel. View and initiate sessions to all managed endpoints. Deploy software, execute commands, or install backdoors on any or all managed machines.
Deploy ransomware or persistence across managed fleet
Use ScreenConnect's file transfer and command execution capabilities to push malware across all managed endpoints simultaneously. Ransomware groups used this to achieve mass encryption across entire MSP client rosters.
Exploitation Timeline and Ransomware Impact
The exploitation window was extremely short. ConnectWise published the advisory on February 19, 2024 alongside the patched version 23.9.8. By February 21, 48 hours later, Huntress documented active exploitation including ScreenConnect sessions being used to push Cobalt Strike beacons, web shells, and ransomware staging scripts across managed endpoints.
Multiple ransomware groups exploited CVE-2024-1709, including Black Basta and LockBit affiliates. The operational appeal is clear: instead of compromising one organisation at a time, a single unpatched MSP ScreenConnect server provides simultaneous access to every client the MSP manages. An attacker who compromised a mid-sized MSP's ScreenConnect server could potentially deploy ransomware across dozens of separate organisations in a single operation.
SOPHOS documented post-exploitation activity including deployment of ScreenConnect agents as a secondary persistence mechanism, attackers installed their own legitimate ScreenConnect sessions alongside the compromised admin account to maintain access even after credentials were reset.
“The vulnerability is trivially exploitable with a simple HTTP request. We observed threat actors moving from initial access to deployed Cobalt Strike within hours of gaining control of a ScreenConnect server.”
Huntress SlashAndGrab analysis, February 2024
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Remediating CVE-2024-1709
The fix requires upgrading to ScreenConnect 23.9.8. Post-patch remediation for exposed instances requires audit of both the ScreenConnect server and all managed endpoints.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2024-1709 illustrates why MSP tooling is a high-priority target for ransomware groups. A single vulnerability in a remote access platform deployed by a service provider results in simultaneous access to all managed clients, a force multiplier that transforms one server compromise into dozens or hundreds of organisational breaches. The economics for attackers are exceptional.
If your organisation uses an MSP that deploys ScreenConnect, you were at risk regardless of whether your own ScreenConnect deployment was patched. Ask your MSP whether their ScreenConnect instance was patched before exploitation began (February 19–21, 2024) and whether they have conducted endpoint investigation across their managed estate. The burden of due diligence falls on both parties.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2024-1709 (SlashAndGrab)?
CVE-2024-1709 is a CVSS 10.0 authentication bypass in ConnectWise ScreenConnect. A trailing slash appended to the setup wizard URL (/SetupWizard.aspx/) bypasses the authentication middleware that normally blocks access to the setup page on an already-configured installation. An unauthenticated attacker can then run the setup wizard to create a new administrator account, gaining full control of the ScreenConnect server and all managed endpoints.
Why is a ScreenConnect compromise particularly dangerous?
ScreenConnect is a remote monitoring and management (RMM) platform used by MSPs (managed service providers) and IT teams to remotely control client endpoints. A compromised ScreenConnect server gives the attacker remote control over every computer managed through that server, potentially thousands of endpoints across multiple organisations. The attacker has the same access as a legitimate system administrator on every managed device.
Was CVE-2024-1709 exploited in the wild?
Yes, within 48 hours of ConnectWise's advisory. Huntress documented active exploitation including web shell deployment, Cobalt Strike installation, and ransomware staging. LockBit and Black Basta ransomware groups were confirmed exploiting CVE-2024-1709. CISA added it to the [KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) on February 22, 2024 with a federal remediation deadline of March 7, 2024.
How do I fix CVE-2024-1709?
Upgrade ScreenConnect to version 23.9.8 or later. ConnectWise Cloud-hosted ScreenConnect instances were automatically updated. On-premises deployments require manual upgrade. After patching, audit all administrator accounts, review connection logs for unexpected sessions, and check all managed endpoints for malware deployment via ScreenConnect sessions.
Is CVE-2024-1709 related to CVE-2024-1708?
Yes. CVE-2024-1708 is a path traversal vulnerability in ScreenConnect (CVSS 8.4) disclosed alongside CVE-2024-1709 in the same advisory. CVE-2024-1708 allows an authenticated attacker to write files outside the intended directory. The two vulnerabilities are often discussed together, but CVE-2024-1709 is the more critical because it requires no authentication.
What post-exploitation activity followed CVE-2024-1709 ScreenConnect compromises?
Huntress and Sophos documented the following post-exploitation pattern: attackers created additional ScreenConnect agent sessions on managed endpoints as secondary persistence that survived credential resets, pushed Cobalt Strike beacons via ScreenConnect file transfer, and deployed custom malware droppers connecting to separate C2 infrastructure. In ransomware campaigns, attackers used ScreenConnect to push batch scripts that disabled Windows Defender (Set-MpPreference -DisableRealtimeMonitoring), terminated Veeam and backup processes, deleted Volume Shadow Copies (vssadmin delete shadows /all), and triggered encryption binaries simultaneously across the entire managed endpoint fleet.
Sources & references
- NVD
- ConnectWise Security Advisory, ScreenConnect 23.9.8
- Huntress, SlashAndGrab: ScreenConnect Post-Exploitation in the Wild
- CISA Known Exploited Vulnerabilities Catalog
- Sophos X-Ops, ScreenConnect CVE-2024-1709 Under Active Exploitation
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
