Executive Summary
On April 28, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2024-1708, a path traversal vulnerability in ConnectWise ScreenConnect versions 23.9.7 and prior, and CVE-2026-32202, a Windows Shell protection mechanism failure. CVE-2024-1708 allows attackers to execute remote code or access sensitive data by exploiting improper path handling, while CVE-2026-32202 enables attackers to steal NTLMv2 hashes without user interaction, leading to potential unauthorized access. (sentinelone.com)
The inclusion of these vulnerabilities in the KEV Catalog underscores the ongoing threat posed by actively exploited security flaws. Organizations are urged to prioritize patching these vulnerabilities to mitigate risks associated with remote code execution and unauthorized data access, which can lead to significant operational disruptions and data breaches.
Why This Matters Now
The addition of CVE-2024-1708 and CVE-2026-32202 to CISA's KEV Catalog highlights the immediate need for organizations to address these actively exploited vulnerabilities. Failure to remediate these issues promptly could result in severe security incidents, including data breaches and system compromises.
Attack Path Analysis
Attackers exploited vulnerabilities in ConnectWise ScreenConnect and Microsoft Windows to gain initial access, escalated privileges, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows to gain unauthorized access to the network.
Related CVEs
CVE-2024-1708
CVSS 8.4
A path traversal vulnerability in ConnectWise ScreenConnect 23.9.7 and prior allows authenticated remote attackers to execute arbitrary code or access sensitive data.
Affected Products:
ConnectWise ScreenConnect – <= 23.9.7
Exploit Status:
exploited in the wild
CVE-2026-32202
CVSS 4.3
A protection mechanism failure in Windows Shell allows unauthorized attackers to perform spoofing over a network.
Affected Products:
Microsoft Windows Server 2012 – R2
Microsoft Windows 10 – 1607 up to 10.0.14393.9060, 1809 up to 10.0.17763.8644, 21H2 up to 10.0.19044.7184
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Valid Accounts
Use Alternate Authentication Material
Remote Services
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation under BOD 22-01 for ConnectWise ScreenConnect and Microsoft Windows vulnerabilities actively exploited by threat actors.
Information Technology/IT
IT service providers using ConnectWise ScreenConnect remote access tools are vulnerable to path traversal attacks that enable lateral movement and data exfiltration.
Computer Software/Engineering
Software companies with Windows infrastructure are exposed to the protection mechanism failure and require immediate patching and zero trust segmentation controls.
Financial Services
Banking systems face PCI compliance violations from unpatched vulnerabilities that enable privilege escalation and encrypted traffic bypasses.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
- NVD - CVE-2024-1708: https://nvd.nist.gov/vuln/detail/CVE-2024-1708
- NVD - CVE-2026-32202: https://nvd.nist.gov/vuln/detail/CVE-2026-32202
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and cause operational disruption.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit these vulnerabilities would likely be constrained, reducing the scope of initial access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the scope of elevated access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, reducing the scope of network traversal.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing the scope of persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data would likely be constrained, reducing the scope of data loss.
The attacker's ability to cause operational disruption and data loss would likely be constrained, reducing the scope of impact.
Impact at a Glance
Affected Business Functions
- Remote Access Services
- Network Security
- System Administration
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive system configurations and user credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Deploy Zero Trust Segmentation to limit lateral movement within the network.
- Utilize East-West Traffic Security to monitor and control internal traffic flows.
- Establish Multicloud Visibility & Control to detect and respond to command and control activities.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
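CVE-2026-32202 is described above as leaking NTLMv2 hashes over the network, and the egress control listed last is the standard defender answer to that class of bug: internal hosts should not be authenticating to SMB servers on the internet at all. The following is an added example (not code from the page or from Aviatrix) that scans constructed flow-log lines in a hypothetical whitespace-separated format and reports internal hosts opening SMB connections to non-RFC1918 destinations, which is what an egress policy should be blocking or at least alerting on.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (hypothetical format): timestamp src dst dport proto
SAMPLE_FLOWS = """\
2026-04-28T10:01:02Z 10.20.5.14 203.0.113.40 445 tcp
2026-04-28T10:01:03Z 10.20.5.14 10.20.5.1 445 tcp
2026-04-28T10:01:05Z 10.20.5.22 198.51.100.7 80 tcp
2026-04-28T10:01:11Z 10.20.5.14 203.0.113.40 139 tcp
2026-04-28T10:01:15Z 10.20.5.30 192.168.40.9 139 tcp
"""

# SMB ports over which Windows will send NTLM authentication to a server it was
# induced to contact. WebDAV over 80/443 can carry NTLM too, but flagging all
# outbound HTTP is far too noisy for this check, so only SMB is considered here.
SMB_PORTS = {445, 139}

# Explicit internal ranges. Python's ip_address(...).is_private also treats the
# documentation ranges (203.0.113.0/24 etc.) as private, which would hide the
# sample hits, so membership is tested against RFC 1918 plus loopback/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_outbound_smb(log_text: str) -> list:
    """Return flow records where an internal host talks SMB to an external address."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["dport"] in SMB_PORTS and is_external(f["dst"]):
            hits.append(f)
    return hits


def summarize(hits: list) -> dict:
    """Group offending destinations by source host for the alert."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    for src, dsts in summarize(find_outbound_smb(SAMPLE_FLOWS)).items():
        print(f"ALERT outbound SMB from {src} to {', '.join(dsts)}")
```

Feeding the same records to an egress policy that denies TCP/445 and TCP/139 to non-internal destinations stops the hash from ever leaving, whether the trigger is CVE-2026-32202 or a later bug of the same class.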