CISA Adds ConnectWise ScreenConnect and Microsoft Windows Vulnerabilities to KEV Catalog
CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog after determining there is evidence of active exploitation in the wild. The newly listed flaws are CVE-2024-1708, a ConnectWise ScreenConnect path traversal vulnerability, and CVE-2026-32202, a Microsoft Windows protection mechanism failure vulnerability.
The addition is significant because CISA’s KEV Catalog is not a general vulnerability list. It is reserved for vulnerabilities that have confirmed exploitation and that meet CISA’s criteria for posing meaningful risk. For federal agencies, inclusion in the KEV Catalog creates a mandatory remediation requirement under Binding Operational Directive 22-01. For private-sector organizations, state and local governments, schools, MSPs, and critical infrastructure operators, the catalog remains one of the strongest practical signals that a vulnerability should be treated as urgent.
CVE-2024-1708 affects ConnectWise ScreenConnect, a remote access and support platform widely used by managed service providers and IT departments. The flaw is categorized as path traversal and affects ScreenConnect 23.9.7 and earlier. Path traversal vulnerabilities can allow attackers to access or manipulate files outside intended directories. In this case, public vulnerability records have described the potential impact as including remote code execution or direct impact to confidential data and critical systems. ConnectWise previously released ScreenConnect 23.9.8 as a security fix and urged on-premises customers to upgrade.
ScreenConnect is a particularly sensitive target because remote management tools often provide privileged access into many downstream environments. A compromised remote support server can become a launch point for credential theft, ransomware deployment, lateral movement, and unauthorized administrative access. Organizations still operating self-hosted ScreenConnect instances should verify the server version, confirm that vulnerable versions have been upgraded, and review logs for suspicious administrative activity, unexpected users, abnormal session history, webshell behavior, or unusual commands.
The second vulnerability, CVE-2026-32202, affects Microsoft Windows and is described as a protection mechanism failure. Public vulnerability information describes the issue as a Windows Shell spoofing-related flaw that can allow an unauthorized attacker to perform spoofing over a network. Microsoft security updates are available, and Windows administrators should ensure supported systems have received the applicable April 2026 security updates or later cumulative updates that address the issue.
This Microsoft issue is notable because Windows Shell vulnerabilities often involve user-facing file handling, shortcuts, network paths, or shell parsing behavior. In enterprise environments, even vulnerabilities rated below “critical” can become serious when they enable credential exposure, spoofing, authentication coercion, or attack-chain support. Administrators should prioritize patch validation on Windows endpoints and servers, especially systems that process files from untrusted sources, access network shares, or are used by privileged users.
CISA emphasized that these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by the assigned due date. CISA also strongly urges all organizations, not only federal agencies, to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management programs.
For defenders, the immediate response should include four steps. First, identify whether ScreenConnect is present anywhere in the environment, including MSP-managed systems, legacy servers, and externally exposed remote access portals. Second, confirm whether Windows assets have received the relevant Microsoft security updates. Third, hunt for signs of exploitation rather than assuming patching alone is enough. Fourth, review exposure management processes to ensure KEV additions are treated as high-priority operational events, not just informational alerts.
Organizations using ScreenConnect should pay particular attention to self-hosted deployments, since vendor-hosted cloud instances may follow a different remediation path than on-premises servers. Security teams should verify version numbers directly, remove unknown accounts, enforce MFA, rotate credentials where compromise is suspected, and review remote access logs. If exploitation indicators are found, teams should preserve evidence and consider full incident response procedures before returning affected systems to production.
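One way to carry out the version verification described above across an inventory export, shown as an added example that is not from CISA or ConnectWise. The host names and build numbers are constructed, and the (host, version string) inventory shape is an assumption; only the 23.9.8 fixed release comes from the article.

```python
import re

# First fixed ScreenConnect release named in the article (23.9.7 and earlier are affected).
FIXED = (23, 9, 8)

# Constructed sample inventory: (host, version string as reported by the server or CMDB).
SAMPLE_INVENTORY = [
    ("support.example.internal", "23.9.8.1200"),
    ("rmm-01.example.internal", "23.9.7.1000"),
    ("legacy-sc.example.internal", "22.10.1"),
    ("lab-sc.example.internal", "v23.9.10.1"),
    ("msp-jump.example.internal", ""),
    ("helpdesk.example.internal", "unknown"),
]

def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if it cannot be parsed."""
    match = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))

def classify(version_text):
    """Classify one version string as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        # A missing or garbled version is not evidence of a patch: check by hand.
        return "unknown"
    # Compare numerically on major.minor.patch so 23.9.10 sorts after 23.9.8;
    # a trailing build number is ignored and short versions are zero-padded.
    core = (version + (0, 0))[:3]
    return "vulnerable" if core < FIXED else "patched"

def triage(inventory):
    """Return (host, version, status) rows with vulnerable hosts first, then unknown."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<30} {ver or '(no version reported)'}")
```

Hosts reported as unknown stay in the remediation queue until someone confirms the version on the server itself.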
For Windows environments, administrators should use enterprise patch management tooling to confirm update deployment and investigate systems that failed to install the latest cumulative updates. Security teams should also monitor for suspicious outbound authentication attempts, unusual SMB or UNC path activity, and unexpected network connections triggered by file browsing or shell interaction.
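A sketch of the SMB monitoring suggested above, as an added example rather than anything published by CISA or Microsoft: it flags connections on the SMB ports that leave the organization's address space. The CSV column names, internal ranges, host names and log rows are all constructed assumptions; map them to whatever the endpoint or firewall telemetry actually exports.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: the organization's internal ranges. Adjust to the real address plan.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

# Constructed connection records (documentation address ranges stand in for the internet).
SAMPLE_LOG = """timestamp,host,process,dst_ip,dst_port
2026-01-01T09:00:01Z,ws-014,explorer.exe,10.20.1.5,445
2026-01-01T09:00:07Z,ws-014,explorer.exe,203.0.113.45,445
2026-01-01T09:01:12Z,ws-022,chrome.exe,198.51.100.7,443
2026-01-01T09:03:30Z,adm-003,explorer.exe,198.51.100.23,445
2026-01-01T09:04:02Z,ws-014,svchost.exe,203.0.113.45,139
2026-01-01T09:05:00Z,ws-030,explorer.exe,not-an-ip,445
"""

def is_internal(addr):
    """True if the address falls inside one of the configured internal ranges."""
    return any(addr in net for net in INTERNAL)

def external_smb(log_text):
    """Group SMB connections to non-internal destinations by source host."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            addr = ipaddress.ip_address(row["dst_ip"])
            port = int(row["dst_port"])
        except ValueError:
            continue  # skip malformed rows instead of aborting the hunt
        if port in SMB_PORTS and not is_internal(addr):
            hits[row["host"]].append((row["timestamp"], row["process"], str(addr)))
    return dict(hits)

if __name__ == "__main__":
    for host, events in sorted(external_smb(SAMPLE_LOG).items()):
        for timestamp, process, dst in events:
            print(f"{host}: {process} -> {dst} (SMB) at {timestamp}")
```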
CISA’s latest KEV update is another reminder that attackers continue to exploit both newly disclosed and older vulnerabilities when exposed systems remain unpatched. The practical takeaway is straightforward: if a vulnerability is in the KEV Catalog, it should move to the top of the remediation queue.
Source: CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA