
Summary
The analytic rule detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, an authentication bypass that uses a non-standard channel or path. Specifically, it monitors Nginx access logs for requests targeting the SetupWizard.aspx page. Such requests signal potential exploitation attempts that could result in unauthorized administrative access and remote code execution on a compromised ScreenConnect instance. The rule filters on HTTP POST requests that returned status 200 to separate likely exploit attempts from legitimate traffic. If successfully exploited, attackers could create unauthorized administrative users, with severe security implications. Users are advised to remediate the vulnerability by upgrading to version 23.9.8 or later immediately.
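The detection logic described above, as an added example that is not part of the original rule content: it parses Nginx combined-format access-log lines and flags POST requests to SetupWizard.aspx that were answered with status 200. The log lines, the IP addresses and the `Hit`/`scan` names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Nginx default "combined" log_format (assumed; adjust if the deployment customises it).
NGINX_COMBINED = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    src_ip: str
    time: str
    uri: str

def is_setup_wizard_hit(line: str) -> Optional[Hit]:
    """Return a Hit when the line matches the rule: POST, path targets
    SetupWizard.aspx, and the server answered 200. Otherwise return None."""
    m = NGINX_COMBINED.match(line)
    if not m:
        return None  # not a combined-format line: skip rather than guess
    if m["method"] != "POST" or m["status"] != "200":
        return None
    # Match on the path only (query string stripped) and case-insensitively,
    # so a case variation of the page name does not slip past the rule.
    path = m["uri"].split("?", 1)[0].lower()
    if "setupwizard.aspx" not in path:
        return None
    return Hit(m["src_ip"], m["time"], m["uri"])

def scan(lines: List[str]) -> List[Hit]:
    """Run the rule over a batch of access-log lines and return the hits."""
    return [h for h in (is_setup_wizard_hit(l) for l in lines) if h]

# Constructed sample log (203.0.113.0/24 is a documentation range, not a real source).
SAMPLE_LOG = [
    '10.1.2.3 - - [15/Nov/2024:10:00:01 +0000] "GET /Login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Nov/2024:10:00:05 +0000] "POST /SetupWizard.aspx HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '203.0.113.7 - - [15/Nov/2024:10:00:06 +0000] "GET /SetupWizard.aspx HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '10.1.2.3 - - [15/Nov/2024:10:00:09 +0000] "POST /App_Extensions/Service.ashx HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Nov/2024:10:00:10 +0000] "POST /setupwizard.aspx?x=1 HTTP/1.1" 200 1024 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT CVE-2024-1709 pattern: {hit.src_ip} {hit.time} {hit.uri}")
```

A GET to the same page or a non-200 response is deliberately not flagged, matching the rule's filter; relax those two checks if you also want visibility into failed or probing requests.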
Categories
- Web
- Network
Data Sources
- Network Traffic
- Application Log
ATT&CK Techniques
- T1190
Created: 2024-11-15