Connect with us

Hi, what are you looking for?


Malware & Threats

‘SlashAndGrab’ ScreenConnect Vulnerability Widely Exploited for Malware Delivery

ConnectWise ScreenConnect vulnerability tracked as CVE-2024-1709 and SlashAndGrab exploited to deliver ransomware and other malware.

ConnectWise vulnerability exploited

A critical vulnerability affecting ConnectWise’s ScreenConnect remote desktop access product has been widely exploited to deliver ransomware and other types of malware.

ConnectWise notified customers on February 19 that it had released patches for a critical authentication bypass flaw and a high-severity path traversal issue. The security holes did not have CVE identifiers at the time.

The next day, the company warned that it had become aware of in-the-wild exploitation attempts. 

CVE identifiers have now been assigned to both vulnerabilities: CVE-2024-1709 to the authentication bypass and CVE-2024-1708 to the path traversal bug. 

Threat detection and response firm Huntress, which dubbed the flaws SlashAndGrab, disclosed technical details on February 21, after a proof-of-concept (PoC) exploit had already become available.  

The authentication bypass vulnerability allows an attacker to create a new account that has administrator privileges. The path traversal can then be exploited for arbitrary code execution. 

There are several reports of widespread exploitation of CVE-2024-1709, but it’s unclear if CVE-2024-1708 is being exploited as well. 

Huntress reported seeing SlashAndGrab being exploited to deliver LockBit ransomware, Cobalt Strike, SSH tunnels, remote management tools, and cryptocurrency miners. Victims identified by the company include local governments, emergency systems, and healthcare organizations. 

Advertisement. Scroll to continue reading.

Sophos also reported seeing the delivery of the LockBit ransomware, which is interesting considering that the cybercrime enterprise was recently targeted in a highly disruptive law enforcement operation. 

“Despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running,” Sophos said.

The cybersecurity firm has also seen the delivery of AsyncRAT, various infostealers, and SimpleHelp remote access software via the exploitation of the ScreenConnect vulnerability. 

Non-profit cybersecurity organization The Shadowserver Foundation reported finding more than 8,200 internet-exposed and vulnerable instances of ScreenConnect as of February 21. The highest percentage of vulnerable instances was in the United States, followed by Canada and the United Kingdom.

“CVE-2024-1709 is widely exploited in the wild — 643 IPs seen attacking to date by our sensors,” Shadowserver said. 

CISA has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, noting that the agency is aware of exploitation in ransomware attacks. 

Related: CISA Urges Patching of Cisco ASA Flaw Exploited in Ransomware Attacks

Related: Microsoft Warns of Exploited Exchange Server Zero-Day

Related: Windows Zero-Day Exploited in Attacks on Financial Market Traders

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.