CISA Adds ConnectWise and Windows Flaws to KEV Catalog

Overview

On April 28, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a two-year-old path traversal in ConnectWise ScreenConnect and a freshly patched flaw in the Microsoft Windows Shell. Both are being used in real-world attacks, so organizations running either product should treat patching as urgent.
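A KEV listing is only useful if it reaches the team that owns the affected asset with its due date attached. The script below, an added example that is not part of the original article, matches a list of unremediated CVE IDs against the catalog's JSON feed and emits a work queue ordered by due date. The feed location and field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are those of CISA's published feed; the embedded `SAMPLE_FEED` is a constructed stand-in so the script runs offline, carrying only the dates the article reports, with the other field values illustrative.

```python
"""Triage a CVE inventory against the CISA KEV feed (added example, not from the article)."""
import json
from datetime import date
from urllib.request import urlopen

# Published feed location; fetch_kev() needs network access and is not used by the offline demo.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def fetch_kev() -> dict:
    with urlopen(KEV_URL, timeout=30) as resp:
        return json.load(resp)


# Constructed sample in the feed's shape. The two entries carry the dates the article
# reports (added 2026-04-28, remediation due 2026-05-12 under BOD 22-01); the remaining
# field values are illustrative placeholders, not copied from the live catalog.
SAMPLE_FEED = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
         "dateAdded": "2026-04-28", "dueDate": "2026-05-12",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-04-28", "dueDate": "2026-05-12",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}


def triage(feed: dict, unremediated: list[str], today) -> list[dict]:
    """Match the CVE IDs you have not yet fixed against the catalog.

    `today` may be a date or an ISO string. Returns one record per matching KEV entry,
    soonest due date first, with a ransomware-linked entry winning ties, so the list
    reads as a work queue.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    wanted = {cve.strip().upper() for cve in unremediated}
    queue = []
    for entry in feed["vulnerabilities"]:
        if entry["cveID"].upper() not in wanted:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        queue.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    queue.sort(key=lambda r: (r["days_left"], r["ransomware"] != "Known"))
    return queue


if __name__ == "__main__":
    # Swap SAMPLE_FEED for fetch_kev() to run against the live catalog.
    for row in triage(SAMPLE_FEED, ["cve-2024-1708", "CVE-2026-32202", "CVE-2000-0001"], "2026-05-01"):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]} days left'
        print(f'{row["cveID"]:<16} {row["product"]:<24} due {row["dueDate"]} ({flag}) ransomware={row["ransomware"]}')
```

Feed the function your vulnerability scanner's open findings and run it daily; anything that returns with `overdue` set is a directive breach for federal agencies and a reasonable escalation trigger for everyone else.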

Vulnerabilities Added

  1. CVE‑2024‑1708 (CVSS 8.4)
    • Type: Path traversal in ConnectWise ScreenConnect.
    • Impact: Remote code execution, giving direct access to confidential data and to the endpoints the server manages.
    • Status: Fixed in ScreenConnect 23.9.8 (February 2024); on-premises servers below that version remain affected.
    • Exploitation: Chained with CVE‑2024‑1709 (authentication bypass, CVSS 10.0): the bypass yields an administrator account, and the path traversal then turns that account into code execution. Linked to the China-based threat actor Storm‑1175, which has used the chain to deploy Medusa ransomware.
  2. CVE‑2026‑32202 (CVSS 4.3)
    • Type: Protection mechanism failure in Microsoft Windows Shell.
    • Impact: Network spoofing attacks.
    • Status: Fixed in April 2026.
    • Exploitation: Stems from an incomplete patch for CVE‑2026‑21510, which APT28 had previously exploited in attacks against Ukraine and EU countries.

Why It Matters

  • Active Exploitation: Both flaws are being weaponized in the wild.
  • Chained Attacks: The ScreenConnect flaws are exploited as a pair; the authentication bypass opens the door and the path traversal delivers code execution.
  • Nation-State Activity: CVE‑2026‑32202 exploitation linked to Russian APT28 campaigns.
  • Ransomware Deployment: ConnectWise flaws tied to Medusa ransomware operations.

Required Actions

  • Federal Agencies: Must apply fixes by May 12, 2026, under CISA's Binding Operational Directive 22-01.
  • Organizations:
    • Patch on-premises ConnectWise ScreenConnect servers to 23.9.8 or later (ConnectWise updated its cloud-hosted instances itself).
    • Apply the April 2026 Windows updates addressing CVE‑2026‑32202.
    • Audit systems for signs of exploitation: on ScreenConnect, requests to the setup wizard on an already-installed server, administrator accounts you did not create, and extensions you did not install; on Windows, unusual spoofing activity.
    • Monitor for chained exploitation attempts combining CVE‑2024‑1708 and CVE‑2024‑1709; an indicator for either one is reason to investigate both.

Final Thought

The addition of these flaws to the KEV catalog highlights a recurring theme: attackers exploit the seams between incomplete patches and overlooked remote access tools. For defenders, the lesson is clear — patch management must be proactive, and monitoring must extend beyond single CVEs to the chained exploitation patterns adversaries rely on.
