CISA Adds Microsoft Windows Shell and ConnectWise ScreenConnect Vulnerabilities to Known Exploited Vulnerabilities Catalog
- Apr 29
- 2 min read
Key Findings
CISA added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog
CVE-2024-1708 is a critical path traversal flaw in ConnectWise ScreenConnect (CVSS 8.4) allowing remote code execution
CVE-2026-32202 is a Windows Shell spoofing vulnerability (CVSS 4.3) currently under active exploitation by multiple threat actors
Federal agencies must patch both vulnerabilities by May 12, 2026
The ConnectWise flaw has been chained with a critical authentication bypass (CVE-2024-1709) in ransomware attacks
The Windows vulnerability appears to be a botched patch for earlier zero-day exploits used by Russian APT28
Background
CISA maintains a catalog of known exploited vulnerabilities to help organizations prioritize their patching efforts. When vulnerabilities are added to this list, it signals active threat activity and triggers mandatory remediation timelines for federal civilian agencies under Binding Operational Directive 22-01. The addition of these two flaws reflects an escalating threat landscape where both supply chain tools and operating system components are being weaponized by state-sponsored and financially motivated actors.
ConnectWise ScreenConnect Path Traversal Vulnerability
CVE-2024-1708 affects ConnectWise ScreenConnect versions 23.9.7 and earlier. The path traversal vulnerability stems from improper file path restrictions, allowing attackers to access files and directories beyond their intended scope. Exploitation can lead to remote code execution or unauthorized access to sensitive data and critical systems. The vulnerability was patched in February 2024, yet threat actors have continued using it in the wild by chaining it with CVE-2024-1709, a critical authentication bypass. In recent months, China-based threat actor Storm-1175 has weaponized both flaws together while deploying Medusa ransomware against victims.
Windows Shell Spoofing Vulnerability
CVE-2026-32202 is a protection mechanism failure in Microsoft Windows Shell that enables network-based spoofing attacks. Microsoft acknowledged active exploitation in April 2026 and released a patch, though the company has not detailed the specific attack methods. Security researchers at Akamai identified this as an incomplete patch for CVE-2026-21510, which was previously exploited as a zero-day by Russian hacking group APT28. The original zero-day was deployed alongside CVE-2026-21513 in coordinated attacks targeting Ukraine and European Union countries since December 2025.
Remediation Requirements
Federal civilian agencies must apply patches for both vulnerabilities by May 12, 2026. Private organizations are encouraged to review the KEV catalog and address these flaws in their own infrastructure. Given the active exploitation by state-sponsored actors and criminal groups, prioritizing these remediations is critical to prevent network compromise and data theft.
Sources
https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html
https://securityaffairs.com/191442/security/u-s-cisa-adds-microsoft-windows-shell-and-connectwise-screenconnect-flaws-to-its-known-exploited-vulnerabilities-catalog.html

Comments