THREATNOIR
Subscribe
Back to Feed
VulnerabilitiesApr 29, 2026

CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV

CISA adds ConnectWise ScreenConnect and Windows Shell flaws to KEV catalog due to active exploitation.

Read at source

Summary

CISA added CVE-2024-1708 (ConnectWise ScreenConnect path traversal, CVSS 8.4) and CVE-2026-32202 (Windows Shell spoofing, CVSS 4.3) to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. CVE-2024-1708 has been chained with the critical CVE-2024-1709 by multiple threat actors including Storm-1175 deploying Medusa ransomware, while CVE-2026-32202 represents an incomplete patch for CVE-2026-21510, previously exploited as a zero-day by APT28 against Ukraine and EU countries since December 2025. Federal agencies must patch by May 12, 2026.

Full text

CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV Ravie LakshmananApr 29, 2026Vulnerability / Network Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2024-1708 (CVSS score: 8.4) - A path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems. (Fixed in February 2024) CVE-2026-32202 (CVSS score: 4.3) - A protection mechanism failure vulnerability in Microsoft Windows Shell that could allow an unauthorized attacker to perform spoofing over a network. (Fixed in April 2026) The addition of CVE-2026-32202 to the KEV catalog comes a day after Microsoft updated its advisory for the flaw to acknowledge it had come under active exploitation. Although Microsoft has not disclosed the nature of the attacks weaponizing the flaw, Akamai said the vulnerability stemmed from an incomplete patch for CVE-2026-21510, which was exploited as a zero-day alongside CVE-2026-21513 by the Russian hacking group APT28 in attacks targeting Ukraine and E.U. countries since December 2025. Attacks exploiting CVE-2024-1708, on the other hand, have been chained with CVE-2024-1709 (CVSS score: 10.0), a critical authentication bypass vulnerability, by multiple threat actors over the years. Earlier this month, Microsoft linked the exploitation of the flaws to a China-based threat actor it tracks as Storm-1175 in attacks deploying Medusa ransomware. It's worth noting that CISA added CVE-2024-1709 to the KEV catalog on February 22, 2024. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by May 12, 2026, to secure their networks. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  ConnectWise, cybersecurity, data protection, Microsoft, network security, ransomware, Vulnerability, zero-day Trending News Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization

Indicators of Compromise

  • cve — CVE-2024-1708
  • cve — CVE-2024-1709
  • cve — CVE-2026-32202
  • cve — CVE-2026-21510
  • cve — CVE-2026-21513
  • malware — Medusa

Entities

ConnectWise (vendor)Microsoft (vendor)ScreenConnect (product)Windows Shell (product)APT28 (threat_actor)Storm-1175 (threat_actor)