Critical Vulnerabilities in ConnectWise ScreenConnect Exploited
Severity: High (Score: 72.9)
Sources: nvd.nist.gov, www.huntress.com
Summary
ConnectWise ScreenConnect versions 23.9.7 and prior are affected by two critical vulnerabilities: CVE-2024-1708, a path traversal flaw, and CVE-2024-1709, an authentication bypass. CVE-2024-1708 allows attackers to execute arbitrary code by overwriting critical files on the server, while CVE-2024-1709 enables unauthorized access to systems. Both vulnerabilities were disclosed on February 21, 2024, and CVE-2024-1709 was actively exploited shortly thereafter. The vulnerabilities are part of the 'SlashAndGrab' exploit chain, in which CVE-2024-1708 facilitates the execution of malicious payloads. Huntress researchers confirmed active exploitation of these vulnerabilities in the wild. Organizations using unpatched versions of ScreenConnect are at significant risk; a patch is available for affected systems. The vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog on April 28, 2026, indicating ongoing active exploitation.
Key Points:
- CVE-2024-1708 allows remote code execution via path traversal in ScreenConnect.
- CVE-2024-1709 enables authentication bypass, facilitating unauthorized access.
- Both vulnerabilities are actively exploited; immediate patching is essential.
Key Entities
- Data Breach (attack_type)
- Malware (attack_type)
- Ransomware (attack_type)
- SlashAndGrab (campaign)
- ConnectWise (company)
- CVE-2024-1708 (cve)
- CVE-2024-1709 (cve)
- CWE-22 - Path Traversal (cwe)
- CWE-287 - Improper Authentication (cwe)
- AsyncRAT (malware)
- Cobalt Strike (malware)
- XWorm (malware)
- T1136.001 - Local Account (mitre_attack)
- T1505.003 - Web Shell (mitre_attack)
- IIS (platform)
- Windows (platform)
- ScreenConnect (tool)
- Black Basta (ransomware_group)
- Lockbit (ransomware_group)
- Play (ransomware_group)
- Zip Slip (vulnerability)