CISA Flags Actively Exploited ConnectWise and Microsoft Windows Vulnerabilities in KEV Catalog

Washington, D.C. | April 2026 — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security vulnerabilities affecting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that both flaws are being actively used in real-world cyberattacks.

The move increases pressure on organizations, particularly U.S. federal agencies, to urgently apply available security patches.

Two Vulnerabilities Identified as Actively Exploited

The newly added vulnerabilities include:

  • CVE-2024-1708 — A high-severity path traversal flaw in ConnectWise ScreenConnect that could allow attackers to execute remote code or access sensitive system data. The issue was patched in February 2024.
  • CVE-2026-32202 — A lower-severity protection mechanism failure in Microsoft Windows Shell that could enable spoofing attacks over a network. Microsoft addressed the flaw in April 2026.

CISA’s inclusion of both issues in its KEV catalog signals confirmed exploitation, meaning threat actors are already leveraging the vulnerabilities in active campaigns.

Microsoft Confirms Active Exploitation

The listing of CVE-2026-32202 follows Microsoft’s recent update acknowledging that the vulnerability is being exploited in the wild. While the company has not detailed specific attack methods, security researchers have linked the issue to incomplete patching efforts involving earlier Windows security flaws.

Cybersecurity firm Akamai reported that the vulnerability may be connected to prior exploited weaknesses, including CVE-2026-21510, which was used as a zero-day in advanced cyber operations.

Advanced Threat Groups Linked to Attacks

Security analysts have attributed some of the exploitation activity to sophisticated state-aligned threat actors.

One group, tracked as APT28, has previously targeted European Union nations and Ukraine using chained Windows vulnerabilities. Their campaigns reportedly date back to late 2025 and involve highly coordinated intrusion techniques.

ScreenConnect Flaw Previously Used in Ransomware Campaigns

The ConnectWise vulnerability (CVE-2024-1708) has been repeatedly exploited in combination with another critical flaw, CVE-2024-1709, which allows authentication bypass.

Earlier investigations by Microsoft linked exploitation of these vulnerabilities to cybercriminal groups deploying ransomware strains such as Medusa. In some cases, attackers used the flaws together to gain full administrative access to compromised systems.

Federal Agencies Face Deadline to Patch Systems

CISA has mandated that U.S. Federal Civilian Executive Branch (FCEB) agencies remediate affected systems within strict timelines. Agencies are required to apply fixes for related vulnerabilities by May 12, 2026, as part of ongoing efforts to reduce exposure to known exploited threats.

The KEV catalog serves as a critical enforcement tool, requiring federal networks to prioritize vulnerabilities actively used by attackers.

Growing Concern Over Supply Chain and Windows Exploits

Cybersecurity experts warn that the inclusion of both enterprise remote access software and core Windows components highlights a broader trend: attackers are increasingly targeting widely deployed systems to maximize impact.

Security teams are being urged to prioritize patching, monitor for suspicious remote access activity, and review authentication and spoofing protections across enterprise environments.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO