CVE-2024-1708 Vulnerability


Published: 02/20/2026

Written by: Nadine Rozell


CVEs are Common Vulnerabilities and Exposures - unique identifiers assigned to publicly known cybersecurity vulnerabilities.

CVE-2024-1708 is a high-severity path traversal vulnerability in ConnectWise ScreenConnect (now ConnectWise Access). It is widely known as the second half of the devastating "SlashAndGrab" exploit chain.

While CVE-2024-1709 allows attackers to bypass authentication, CVE-2024-1708 is the mechanism that delivers the payload. It allows an attacker (or a compromised admin) to overwrite critical files on the server, leading to full Remote Code Execution (RCE).

This page breaks down the mechanics of this "Zip Slip" vulnerability, how it fueled massive ransomware campaigns, and how to ensure your specific instance is secure.

What is the CVE-2024-1708 vulnerability?

CVE-2024-1708 is a Path Traversal vulnerability, specifically a "Zip Slip" flaw, within the ScreenConnect extension handling mechanism.

Normally, when a user uploads an extension (a .zip file), the server should extract the contents only into a safe, designated subdirectory. However, vulnerable versions of ScreenConnect failed to validate filenames within the zip archive.

An attacker can craft a malicious extension containing files with directory traversal characters (e.g., ../../malware.exe). When the server processes this file, it blindly follows these instructions and writes the attacker's file outside the intended folder—often dropping a webshell directly into the application's root directory to gain system-level control.

When was it discovered?

The vulnerability was publicly disclosed by ConnectWise on February 19, 2024, alongside the authentication bypass (CVE-2024-1709).

Huntress researchers immediately analyzed the patch and successfully recreated the exploit chain on the same day, identifying active exploitation in the wild shortly thereafter.

Affected products & versions

Any on-premise (self-hosted) installation of ScreenConnect that has not been patched to version 23.9.8 is vulnerable.

Product                   | Versions Affected  | Fixed Versions/Patch Link
ConnectWise ScreenConnect | 23.9.7 and earlier | 23.9.8 or later

CVE-2024-1708 technical description

The vulnerability exists in the ZipDirectory.ExtractToDirectory method used by the application to install extensions.

In unpatched versions, the code iterated through files in an uploaded .zip archive and wrote them to disk without checking if the file path contained "dot-dot-slash" (../) sequences.

Attackers exploit this by creating a zip file where the internal file structure looks like this:

../../../../../../../Windows/Temp/malware.exe or ../App_Extensions/webshell.aspx.

When the ScreenConnect server (running with SYSTEM privileges) extracts this, it unknowingly writes the file to the sensitive location specified by the attacker. This allows them to place executable code (like an ASPX shell) in a web-accessible directory, which they then visit to execute commands.
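As an added illustration (not ScreenConnect's code or Huntress's), the entry-name validation the text says unpatched extraction lacked, written in Python: every archive entry is resolved against the destination directory and refused if it would land outside it. The sample archive, its GUID folder name and the scratch directory are constructed for this example.

```python
import io
import os
import re
import tempfile
import zipfile


# Constructed stand-in for an extension package: one legitimate entry inside a
# GUID-named folder and two traversal entries of the kind the page describes.
# File contents are placeholders, not real code.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0a1b2c3d-0000-4000-8000-000000000001/Manifest.xml", "<Manifest/>")
        zf.writestr("../App_Extensions/webshell.aspx", "placeholder")
        zf.writestr("../../../../../../../Windows/Temp/malware.exe", "placeholder")
    return buf.getvalue()


def is_safe_member(name: str, dest_root: str) -> bool:
    """True only if the entry, resolved against dest_root, stays inside it.

    Rejects '..' traversal, absolute paths and drive-letter prefixes; this is
    the check the page says ZipDirectory.ExtractToDirectory did not perform.
    """
    normalised = name.replace("\\", "/")  # archives may carry either separator
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        return False
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, normalised))
    return target == root or target.startswith(root + os.sep)


def safe_extract(archive: bytes, dest_root: str) -> tuple[list[str], list[str]]:
    """Extract only entries that pass is_safe_member; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_root):
                rejected.append(info.filename)  # log and refuse, never write
                continue
            zf.extract(info, dest_root)
            written.append(info.filename)
    return written, rejected


def demo() -> tuple[list[str], list[str]]:
    """Run safe_extract into a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as scratch:
        return safe_extract(build_sample_archive(), scratch)
```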

Tactics, techniques & procedures (TTPs)

CVE-2024-1708 is rarely used alone; it is almost always chained with the authentication bypass (CVE-2024-1709).

  • Initial Access: Attackers use CVE-2024-1709 to create a new administrator account (often named admin or flash).

  • Execution (CVE-2024-1708): Using their new admin access, they upload a "poisoned" extension via the "Extensions" menu. This triggers the Zip Slip vulnerability.

  • Payloads:

    • Webshells: Simple .aspx or .ashx shells dropped into C:\Program Files (x86)\ScreenConnect\App_Extensions\.

    • Ransomware: Major groups like LockBit, Black Basta, and Play used this access to deploy encryptors immediately.

    • Tools: Deployment of Cobalt Strike beacons and remote access trojans (RATs) like XWorm and AsyncRAT.

Indicators of compromise

Defenders should look for artifacts left by the "Zip Slip" extraction:

  • Suspicious Files in Root: Executable files (.exe, .dll) or scripts (.aspx, .ashx, .ps1) found directly in C:\Program Files (x86)\ScreenConnect\App_Extensions\ or App_ClientConfig. Legitimate extensions usually reside in their own GUID-named subdirectories.

  • Malicious Extensions: Review the "Extensions" list in the ScreenConnect dashboard for unrecognized plugins, often with generic names or blank descriptions.

  • Log Entries: IIS logs showing POST requests to /Services/ExtensionService.ashx/InstallExtension followed immediately by GET requests to strange .aspx files.

Known proof-of-concepts & exploits

The exploit is trivial and widely available.

Huntress and other researchers released technical analysis (coining the term "SlashAndGrab") that demonstrated how easily these vulnerabilities could be weaponized. Because the exploit requires no advanced coding—just a modified URL and a zip file—it was rapidly adopted by low-sophistication attackers and advanced persistent threats (APTs) alike.

How to detect the CVE-2024-1708 vulnerability

  • Version Check: The most reliable detection is checking the version number in the ScreenConnect login page footer. Anything below 23.9.8 is vulnerable.

  • File System Monitoring: Configure Managed EDR to alert on file writes to the ScreenConnect App_Extensions directory that do not match the expected subdirectory structure.

  • Web Log Analysis: Scan IIS logs for the string /SetupWizard.aspx/ (indicating the auth bypass used to facilitate this attack).
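The two log patterns above (the /SetupWizard.aspx/ string, and an InstallExtension POST followed shortly by a GET for an .aspx file from the same client, as listed under Indicators of compromise) as added detection logic in Python, not a Huntress tool. The log excerpt is constructed in a reduced IIS W3C layout; the #Fields header drives the parser, so real logs with more columns parse the same way. The five-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed IIS W3C-style excerpt (not real data). The second client installs
# an extension and then opens a normal page, which must not be flagged.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-02-21 10:00:01 GET /Login 203.0.113.5 200
2024-02-21 10:00:05 POST /SetupWizard.aspx/ 203.0.113.5 200
2024-02-21 10:00:40 POST /Services/ExtensionService.ashx/InstallExtension 203.0.113.5 200
2024-02-21 10:00:44 GET /App_Extensions/x.aspx 203.0.113.5 200
2024-02-21 10:05:00 POST /Services/ExtensionService.ashx/InstallExtension 198.51.100.9 200
2024-02-21 10:05:03 GET /Host 198.51.100.9 200
"""

INSTALL_SUFFIX = "/ExtensionService.ashx/InstallExtension"


def parse_iis(text: str) -> list[dict]:
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_indicators(rows: list[dict], window=timedelta(minutes=5)) -> list[tuple]:
    """Return (indicator, client-ip, uri-stem) tuples for the two patterns."""
    hits, last_install = [], {}  # last_install: c-ip -> time of InstallExtension POST
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        stem, ip, method = r["cs-uri-stem"], r["c-ip"], r["cs-method"]
        if "/SetupWizard.aspx/" in stem:  # auth bypass used to stage this attack
            hits.append(("setupwizard-auth-bypass", ip, stem))
        if method == "POST" and stem.endswith(INSTALL_SUFFIX):
            last_install[ip] = ts
        elif (method == "GET" and re.search(r"\.aspx$", stem, re.I)
              and ip in last_install and ts - last_install[ip] <= window):
            # A fresh .aspx fetched right after an install is the dropped-webshell pattern.
            hits.append(("aspx-after-install", ip, stem))
    return hits
```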

Impact & risk of the CVE-2024-1708 vulnerability

The risk is Critical.

ScreenConnect is a Remote Monitoring and Management (RMM) tool, meaning it has administrative control over other endpoints. Compromising the ScreenConnect server via CVE-2024-1708 often gives the attacker a "god mode" ability to push malware to every single client device managed by that server.

This "supply chain" effect allows a single exploit to turn into a mass-ransomware event affecting hundreds or thousands of downstream endpoints.

Mitigation & remediation strategies

  • Patch Immediately: Update your on-premise ScreenConnect server to version 23.9.8 or later. ConnectWise has removed license restrictions to allow all users to upgrade.

  • Isolate Compromised Servers: If you find evidence of exploitation (e.g., unknown admin accounts), assume the server is fully compromised. Do not just patch it; rebuild it from a known clean backup to ensure no backdoors remain.

  • Restrict Access: As a best practice, place the ScreenConnect administrative interface behind a VPN or restrict access to trusted IP addresses to prevent future exploitation of web interface vulnerabilities.

CVE-2024-1708 Vulnerability FAQs

It is a "Zip Slip" path traversal vulnerability. It allows an attacker to upload a malicious zip file that, when extracted by the server, writes files to dangerous locations (like the web root) instead of the intended folder, allowing them to run malicious code.

It is usually exploited after an attacker bypasses authentication (using CVE-2024-1709). They upload a malicious "extension" file. The server unpacks this file and inadvertently drops a virus or webshell onto the system drive, giving the attacker full control.

Yes. While most active servers were patched in early 2024, any forgotten or neglected server that remains internet-facing is guaranteed to be compromised. Ransomware groups continue to scan for vulnerable instances.

The only fix is to install the 23.9.8 update provided by ConnectWise. If you cannot patch immediately, you must take the server offline, as there are no effective workarounds for exposed servers.
