What is ConnectWise ScreenConnect?
ConnectWise ScreenConnect (formerly Control) is a widely deployed remote desktop and support platform used by thousands of Managed Service Providers (MSPs) and enterprise IT teams worldwide. It enables technicians to remotely access, diagnose, and control endpoints across client networks — typically running with elevated system privileges on every machine it manages.
This makes ScreenConnect an extremely high-value target: compromising a single ScreenConnect server can provide attackers with administrative access to every endpoint that server manages, across every client organization the MSP serves. A single breach can cascade into dozens of downstream victims.
Overview
CVE-2024-1708 is a path traversal (Zip Slip) vulnerability in ConnectWise ScreenConnect's extension upload mechanism. It was disclosed on February 19, 2024 alongside the more critical CVE-2024-1709 (CVSS 10.0 authentication bypass). Together, the two vulnerabilities form the "SlashAndGrab" attack chain — one of the most rapidly and widely exploited remote access software vulnerabilities of 2024.
While CVE-2024-1708 alone requires administrative credentials, chaining it with CVE-2024-1709 gives any unauthenticated internet-facing attacker full remote code execution as SYSTEM on the ScreenConnect server.
The SlashAndGrab Attack Chain
The two CVEs work in sequence:
| Step | CVE | Action |
|---|---|---|
| 1 | CVE-2024-1709 (CVSS 10.0) | Authentication bypass — attacker accesses the Setup Wizard on an already-configured instance, overwrites the internal user database, and creates a new admin account |
| 2 | CVE-2024-1708 (CVSS 8.4) | Admin-level Zip Slip — attacker uploads a malicious extension .zip file, which extracts crafted files outside the intended directory and into the web root, achieving remote code execution as SYSTEM |
Huntress researchers confirmed a working proof-of-concept exploit on the same day ConnectWise published the advisory (February 19, 2024), and observed active exploitation in the wild by February 23.
Affected Versions
| Status | Version |
|---|---|
| Vulnerable | ScreenConnect 23.9.7 and all prior versions (on-premises) |
| Fixed | ScreenConnect 23.9.8 |
| Cloud-hosted | Automatically patched by ConnectWise — no action required |
Technical Details
Root cause: ConnectWise ScreenConnect allows administrators to upload extensions as .zip archives. Vulnerable versions failed to validate filenames within the zip archive, permitting directory traversal sequences (e.g., ../../) in the embedded file paths.
This is a classic Zip Slip attack (CWE-22): when the server extracts the malicious archive, crafted file paths cause files to be written outside the intended App_Extensions subdirectory — including into the web root. An attacker can plant a web shell in the web root that executes as the ScreenConnect service account (typically SYSTEM).
Attack characteristics:
- Requires admin-level access to the Extensions upload feature (PR:H in CVSS)
- Admin access is trivially obtained via the CVE-2024-1709 authentication bypass
- Payload executes as SYSTEM — highest privilege on Windows
- Network-accessible from the internet on the ScreenConnect port (default TCP 8040)
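The missing filename validation described above can be expressed as a pre-extraction check. This is an added example, not ConnectWise's code or the vendor's fix: the `App_Extensions/example-ext` layout, the function names and the constructed sample archive (benign placeholder content only) are assumptions for illustration.

```python
import io
import zipfile
from pathlib import Path, PureWindowsPath


def escaping_entries(archive, dest_dir):
    """Return the names of zip entries that would land outside dest_dir."""
    dest = Path(dest_dir).resolve()
    bad = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Windows extractors treat backslashes as separators, so normalise first.
            name = info.filename.replace("\\", "/")
            absolute = name.startswith("/") or PureWindowsPath(name).drive != ""
            target = (dest / name).resolve()  # collapses any ../ sequences
            if absolute or (target != dest and dest not in target.parents):
                bad.append(info.filename)
    return bad


def safe_extract(archive, dest_dir):
    """Extract only when every entry stays under dest_dir; otherwise refuse."""
    bad = escaping_entries(archive, dest_dir)
    if bad:
        # Python's zipfile silently drops ".." components on extraction;
        # rejecting the whole archive is stricter and leaves a detection signal.
        raise ValueError(f"refusing archive, entries escape target: {bad}")
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest_dir)


def build_sample(names):
    """Constructed sample archive: placeholder text under the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        dest = Path(root) / "App_Extensions" / "example-ext"  # assumed layout
        dest.mkdir(parents=True)
        sample = build_sample(["manifest.xml", "../../placeholder.txt"])
        print("escaping entries:", escaping_entries(sample, dest))
```

The same check can be run offline against extension archives collected during an audit; any archive that returns a non-empty list warrants investigation.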
Discovery
The vulnerabilities were reported to ConnectWise through their vulnerability disclosure channel on February 13, 2024. The reporter is not publicly attributed. ConnectWise published the advisory and patches six days later on February 19.
Exploitation Context
Exploitation began immediately after public disclosure, with Huntress, Arctic Wolf, and Censys all observing active attacks within days.
Exposure at disclosure:
- ~8,200 vulnerable ScreenConnect instances identified by Shadowserver at peak
- ~6,000 vulnerable IPv4 hosts identified by Censys on February 19, 2024
- Dropped to ~3,434 by February 27 as organizations patched
Post-exploitation activity observed:
- LockBit ransomware (LB3.exe compiled from leaked builder) deployed across victim networks
- Cobalt Strike beacons for persistent C2
- Cryptocurrency miners (XMRig) deployed via transfer.sh
- SimpleHelp RMM installed as secondary backdoor
- SSH tunnels and additional remote access tools
- New privileged user accounts created for persistence
- WMI Event Consumer subscriptions and scheduled tasks for persistence
Multiple independent threat actors exploited the vulnerabilities in parallel, each with different post-exploitation toolsets. CERT-style threat intelligence from Huntress identified at least one group (185.62.58[.]132) conducting systematic automated reconnaissance across multiple victim networks simultaneously.
Why Was This Added to KEV in April 2026?
CISA added companion vulnerability CVE-2024-1709 to the KEV catalog on February 22, 2024 — just three days after disclosure. However, CVE-2024-1708 was not added until April 28, 2026, more than two years later.
This delayed addition indicates that CISA received fresh evidence of in-the-wild exploitation of the path traversal flaw specifically in 2026 — likely in ongoing campaigns or post-compromise activity at federal agencies, triggering the separate KEV listing and BOD 22-01 remediation deadline for this CVE.
Organizations that patched for CVE-2024-1709 in 2024 should confirm they are running ScreenConnect 23.9.8 or later, which addresses both CVEs.
Remediation
- Upgrade to ScreenConnect 23.9.8 or later — the only complete fix for both CVE-2024-1708 and CVE-2024-1709. Download from the ConnectWise Partner Portal.
- Verify your cloud-hosted instance is patched — ConnectWise auto-patched cloud instances, but confirm you are on 23.9.8+ in the admin panel.
- Audit installed extensions for any unauthorized additions made by attackers prior to patching. Remove unknown extensions immediately.
- Hunt for post-exploitation indicators: new local admin accounts, unknown scheduled tasks, WMI subscriptions, unfamiliar processes, lateral movement from the ScreenConnect server.
- Restrict network access to the ScreenConnect admin interface — do not expose it directly to the internet without IP allowlisting or VPN enforcement.
- If you are an MSP, treat all downstream client endpoints managed by the compromised server as potentially affected and investigate accordingly.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-1708 |
| Vendor / Product | ConnectWise — ScreenConnect |
| NVD Published | 2024-02-21 |
| NVD Last Modified | 2026-04-28 |
| CVSS 3.1 Score | 8.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| CISA KEV Added | 2026-04-28 |
| CISA KEV Deadline | 2026-05-12 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-02-13 | Vulnerability reported to ConnectWise via responsible disclosure channel |
| 2024-02-19 | ConnectWise advisory published; ScreenConnect 23.9.8 released; active exploitation observed immediately |
| 2024-02-22 | CISA added companion vulnerability CVE-2024-1709 to KEV catalog |
| 2024-02-23 | Huntress confirmed active post-exploitation: LockBit ransomware, Cobalt Strike, cryptocurrency miners deployed across victim networks |
| 2026-04-28 | CVE-2024-1708 added to CISA Known Exploited Vulnerabilities catalog |
| 2026-05-12 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2024-1708 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| ConnectWise Security Bulletin — ScreenConnect 23.9.8 | Vendor Advisory / Patch |
| Huntress — A Catastrophe for Control: Understanding the ScreenConnect Authentication Bypass | Security Research |
| Huntress — SlashAndGrab: ScreenConnect Post-Exploitation in the Wild | Security Research |
| Censys — ConnectWise ScreenConnect Exposure Analysis | Security Research |
| Palo Alto Unit 42 — ConnectWise Threat Brief | Security Research |
| CWE-22 — Path Traversal | Weakness Classification |