CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
Executive Summary
In April 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect, and CVE-2026-32202, a protection mechanism failure in Microsoft Windows Shell. CVE-2024-1708 allows remote code execution or unauthorized access to sensitive data, while CVE-2026-32202 enables network-based spoofing attacks. Both vulnerabilities have been actively exploited by threat actors, including the China-based group Storm-1175 deploying Medusa ransomware and the Russian APT28 targeting Ukraine and EU countries. Federal agencies are mandated to remediate these vulnerabilities by May 12, 2026. (thehackernews.com)
The inclusion of these vulnerabilities in the KEV catalog underscores the persistent threat posed by state-sponsored actors exploiting known flaws. Organizations must prioritize patching and enhance monitoring to mitigate risks associated with these and similar vulnerabilities.
Why This Matters Now
The active exploitation of these vulnerabilities by sophisticated threat actors highlights the urgent need for organizations to apply patches and strengthen their cybersecurity defenses to prevent potential breaches and data compromises.
Attack Path Analysis
An attacker exploited the CVE-2024-1708 path traversal vulnerability in ConnectWise ScreenConnect to upload a malicious extension, leading to remote code execution. This allowed the attacker to escalate privileges, move laterally within the network, establish command and control channels, exfiltrate sensitive data, and potentially disrupt critical systems.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the CVE-2024-1708 path traversal vulnerability in ConnectWise ScreenConnect to upload a malicious extension, leading to remote code execution.
Related CVEs
CVE-2024-1708
CVSS 8.4A path traversal vulnerability in ConnectWise ScreenConnect 23.9.7 and prior versions allows an attacker to execute remote code or access confidential data.
Affected Products:
ConnectWise ScreenConnect – <= 23.9.7
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Direct Volume Access
Command and Scripting Interpreter
Valid Accounts
System Information Discovery
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
ConnectWise ScreenConnect path traversal vulnerability directly impacts IT service providers using remote access tools for client support and system administration.
Computer Software/Engineering
Software companies relying on ScreenConnect for remote development and support face immediate exploitation risks from CVE-2024-1708 path traversal attacks.
Management Consulting
Consulting firms using remote access solutions for client environments vulnerable to lateral movement and data exfiltration through compromised ScreenConnect instances.
Financial Services
Financial institutions face regulatory compliance violations and data breach risks from actively exploited ScreenConnect vulnerabilities enabling unauthorized system access.
Sources
- CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEVhttps://thehackernews.com/2026/04/cisa-adds-actively-exploited.htmlVerified
- CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilitieshttps://www.cisa.gov/news-events/alerts/2024/05/02/cisa-and-fbi-release-secure-design-alert-urge-manufacturers-eliminate-directory-traversalVerified
- A Catastrophe for Control: Understanding the ScreenConnect Authentication Bypasshttps://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypassVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt systems by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, CNSF would likely limit the attacker's ability to escalate privileges or move laterally within the network.
Control: Zero Trust Segmentation
Mitigation: CNSF would likely constrain the attacker's ability to escalate privileges by enforcing strict identity-based access controls and limiting access to sensitive resources.
Control: East-West Traffic Security
Mitigation: CNSF would likely limit the attacker's lateral movement by enforcing east-west traffic controls, thereby reducing the scope of accessible systems.
Control: Multicloud Visibility & Control
Mitigation: CNSF would likely detect and limit unauthorized command and control channels by providing comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: CNSF would likely constrain data exfiltration attempts by enforcing strict egress policies and monitoring outbound traffic.
CNSF would likely reduce the blast radius of such attacks, limiting the potential disruption to critical systems and minimizing operational impact.
Impact at a Glance
Affected Business Functions
- Remote IT Support
- System Administration
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of confidential client data and internal system configurations.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to access other systems.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities like CVE-2024-1708.
- • Utilize Cloud Firewall (ACF) to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to mitigate known vulnerabilities and reduce the attack surface.
