NAVANEM
CVE-2024-1709: exploited in the wild

ConnectWise ScreenConnect, auth bypass via path normalization (SlashAndGrab)

ConnectWise ScreenConnect 23.9.7 and prior is affected by an authentication bypass using an alternate path or channel vulnerability that allows access to administrative functions.

Overview

CVE-2024-1709, nicknamed "SlashAndGrab," is a critical authentication bypass vulnerability in ConnectWise ScreenConnect (now ConnectWise Control), one of the most widely deployed Remote Monitoring and Management (RMM) tools used by Managed Service Providers (MSPs). The flaw allows an unauthenticated network attacker to bypass authentication entirely and gain administrative access to the ScreenConnect server, resulting in complete system takeover.

The vulnerability was disclosed on February 19, 2024, and mass exploitation began within 48 hours. CISA added CVE-2024-1709 to the Known Exploited Vulnerabilities (KEV) catalog on the same day as disclosure, reflecting the severity and active exploitation observed in the wild.

Technical Details

The vulnerability stems from inconsistent path normalization between the URL routing mechanism and the authentication layer in ScreenConnect's web application. By crafting a request to /SetupWizard.aspx/ followed by any arbitrary path suffix (e.g., /SetupWizard.aspx/anything), an attacker can reach the first-run installation wizard on a fully configured, production ScreenConnect server, even one that has been operational for years.

This endpoint allows the attacker to create a new administrator account without any authentication. Once administrative access is obtained, the attacker can leverage ScreenConnect's legitimate functionality to deploy payloads to all connected endpoints, as the ScreenConnect agent typically runs with LocalSystem privileges.

Impact

The impact of this vulnerability is catastrophic, particularly for MSPs. A compromised ScreenConnect server grants attackers root-level access to every endpoint the MSP manages, including laptops, file servers, hypervisors, and domain controllers. The blast radius encompasses the MSP's entire customer base.

Multiple ransomware groups including Black Basta, Bl00dy, Play, and BianLian were observed actively exploiting this vulnerability during February-March 2024. Hundreds of MSPs were reportedly compromised. Security firms Huntress, Sophos, and Mandiant tracked at least four distinct threat actor groups leveraging this attack chain.

Mitigation

  1. Upgrade immediately to ConnectWise ScreenConnect version 23.9.8 or later. There is no functional workaround for this vulnerability.
  2. Audit the User Manager (Administrative → User → User Manager) for unfamiliar administrator accounts created after February 13, 2024.
  3. Pull and review session recordings from the exposure window to identify suspicious remote sessions.

Detection

  1. Review ScreenConnect web server logs for requests containing /SetupWizard.aspx/ with any path suffix; this pattern indicates exploitation attempts.
  2. Monitor for newly created administrator accounts, particularly those created during the exploitation window.
  3. Audit endpoint activity through ScreenConnect session recordings to identify unauthorized access or payload deployment.
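As an added example (not part of the original advisory), the log review in detection step 1 can be scripted: the code below parses IIS W3C extended log lines using the #Fields header and flags every request whose path reaches SetupWizard.aspx through a trailing slash, recording the suffix. The log lines are constructed for illustration; the field layout is the IIS default, and the regex is case-insensitive because IIS resolves paths case-insensitively.

```python
import re
from typing import Iterable, Dict, List

# The CVE-2024-1709 request shape described above: SetupWizard.aspx reached
# through a trailing slash plus any (possibly empty) suffix. IIS resolves
# paths case-insensitively, so the match is case-insensitive as well.
SETUP_WIZARD_SLASH = re.compile(r"/setupwizard\.aspx/(?P<suffix>[^\s?]*)", re.IGNORECASE)


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines, taking column names from the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_setup_wizard_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the requests whose cs-uri-stem matches the SetupWizard.aspx/ pattern."""
    hits: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(lines):
        m = SETUP_WIZARD_SLASH.search(rec.get("cs-uri-stem", ""))
        if m:
            hits.append({
                "time": f"{rec.get('date', '-')} {rec.get('time', '-')}",
                "client": rec.get("c-ip", "-"),
                "method": rec.get("cs-method", "-"),
                "stem": rec["cs-uri-stem"],
                "suffix": m.group("suffix"),
                "status": rec.get("sc-status", "-"),
            })
    return hits


# Constructed sample log (not a real capture): the 2nd and 3rd requests show the pattern,
# the last one (no trailing slash) does not.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-02-20 03:14:07 10.0.0.5 GET /Login - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 41
2024-02-20 03:14:09 10.0.0.5 GET /SetupWizard.aspx/anything - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 87
2024-02-20 03:14:12 10.0.0.5 POST /setupwizard.aspx/ - 443 - 198.51.100.23 Mozilla/5.0 - 302 0 0 120
2024-02-20 03:16:30 10.0.0.5 GET /SetupWizard.aspx - 443 - 192.0.2.10 Mozilla/5.0 - 302 0 0 12
"""

if __name__ == "__main__":
    for hit in find_setup_wizard_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Pair the flagged client addresses and timestamps with the User Manager audit in the mitigation steps to tie any administrator account created in that window back to the request that created it.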