CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
Summary
CISA has added two actively exploited vulnerabilities—affecting ConnectWise ScreenConnect and Microsoft Windows—to its Known Exploited Vulnerabilities (KEV) catalog. These additions follow confirmed reports of exploitation by advanced persistent threat (APT) groups.
Key Points
- CVE-2024-1708 (CVSS 8.4) is a path traversal vulnerability in ConnectWise ScreenConnect that enables remote code execution (RCE) and unauthorized access to confidential data.
- CVE-2026-32202 (CVSS 4.3) is a protection mechanism failure in the Microsoft Windows Shell that allows for network-based spoofing.
- CVE-2024-1708 is frequently chained with CVE-2024-1709 (CVSS 10.0), a critical authentication bypass vulnerability, to facilitate ransomware deployment.
- CVE-2026-32202 originated from an incomplete patch for CVE-2026-21510.
- Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities by May 12, 2026.
Technical Details
CVE-2024-1708 is a path traversal flaw in ConnectWise ScreenConnect: exploiting it bypasses the application's directory restrictions, potentially allowing attackers to read sensitive files or execute arbitrary code on the host system. In documented attack patterns, threat actors—including the China-based group Storm-1175—have chained this flaw with the critical authentication bypass CVE-2024-1709 to deploy Medusa ransomware.
The Microsoft Windows Shell vulnerability (CVE-2026-32202) involves a failure in the operating system's protection mechanisms, enabling unauthorized attackers to perform spoofing operations over a network. This flaw is a regression or incomplete fix resulting from the patching process for CVE-2026-21510. Evidence indicates that the Russian hacking group APT28 has utilized this vulnerability in conjunction with CVE-2026-21513 to target infrastructure in Ukraine and EU countries since December 2025.
Impact / Why It Matters
Developers and system administrators must prioritize patching Windows and ConnectWise instances to prevent remote code execution and network spoofing. These vulnerabilities are actively being weaponized in coordinated attacks by sophisticated threat actors.