CISA Adds ConnectWise ScreenConnect and Windows Shell Flaws to Known Exploited Vulnerabilities Catalog


CISA confirmed active exploitation of two vulnerabilities — a ConnectWise ScreenConnect path traversal flaw linked to Medusa ransomware and a Microsoft Windows Shell spoofing bug attributed to Russian APT28 — adding both to its Known Exploited Vulnerabilities catalog with a federal patching deadline of May 12, 2026.

WASHINGTON, D.C. — The Cybersecurity and Infrastructure Security Agency added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 28, 2026. The flaws affect ConnectWise ScreenConnect, a widely deployed remote desktop and IT management platform, and the Microsoft Windows Shell. Federal Civilian Executive Branch agencies are required under Binding Operational Directive 22-01 to remediate both vulnerabilities by May 12, 2026. CISA strongly urges all organizations to treat these additions as high-priority remediation events regardless of whether the federal deadline applies to them.

KEV Additions — April 28, 2026

CVE-2024-1708
  Product: ConnectWise ScreenConnect (≤23.9.7)
  CVSS:    8.4 (High)
  Notes:   Path traversal — enables RCE or access to confidential data. Chained with CVE-2024-1709 (CVSS 10.0) in Medusa ransomware attacks by Storm-1175.

CVE-2026-32202
  Product: Microsoft Windows Shell
  CVSS:    4.3 (Medium)
  Notes:   Protection mechanism failure — unauthenticated network spoofing. Exploited by APT28 in campaigns targeting Ukraine and EU countries since December 2025.

What Happened

CISA added both vulnerabilities to the KEV catalog on April 28 following confirmation of in-the-wild exploitation. Inclusion is reserved for vulnerabilities with confirmed active exploitation that pose meaningful risk — and creates mandatory remediation requirements for federal agencies while functioning as the strongest practical signal available to private sector organizations that a vulnerability requires urgent attention.

CVE-2024-1708 — ConnectWise ScreenConnect

CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect affecting versions 23.9.7 and earlier. The flaw allows attackers to manipulate file paths to reach sensitive areas of the system, potentially enabling remote code execution or unauthorized access to confidential data. ConnectWise patched it in version 23.9.8 in February 2024 — but active exploitation continues more than two years later.

Attacks have repeatedly chained this flaw with CVE-2024-1709, a separate critical authentication bypass carrying a perfect CVSS score of 10.0 that CISA added to the KEV catalog in February 2024. Earlier this month, Microsoft linked active exploitation of this chain to Storm-1175, a China-based threat actor deploying Medusa ransomware.

CVE-2026-32202 — Microsoft Windows Shell

CVE-2026-32202 is a Windows Shell protection mechanism failure that allows an unauthenticated attacker to perform spoofing over a network. Microsoft confirmed exploitation of the flaw one day before CISA's KEV addition. Akamai researchers determined the vulnerability stems from an incomplete fix for a prior Windows Shell flaw, and attributed earlier exploitation to APT28 — the GRU-linked Russian threat group — in attacks targeting Ukraine and EU countries beginning in December 2025. The April 2026 Windows security update cycle contains the fix.

Scope and Impact

ScreenConnect is a high-value target precisely because of its privileged access design — the tool is built to bypass standard network perimeters for legitimate remote administration. A compromised ScreenConnect instance provides an attacker with direct lateral movement capability across an enterprise network. Self-hosted on-premises deployments carry the greatest risk; organizations relying on ConnectWise-hosted cloud instances should confirm their remediation path directly with the vendor.

The Windows Shell vulnerability carries elevated risk in enterprise environments where endpoints handle files from untrusted sources, access network shares, or are operated by privileged users. The confirmed APT28 exploitation context makes this particularly urgent for NATO-adjacent organizations, government contractors, and any entity with geopolitical exposure to Russian state-sponsored threat activity.

Response and Attribution

Both fixes are currently available. ConnectWise patched CVE-2024-1708 in ScreenConnect version 23.9.8. Microsoft addressed CVE-2026-32202 in the April 2026 Patch Tuesday cycle. CISA advises organizations to apply patches per vendor instructions and discontinue use if patching is not immediately feasible.

For ScreenConnect specifically, patching alone is not sufficient. Organizations should conduct active threat hunting for signs of prior exploitation — reviewing authentication logs, file access patterns, and lateral movement indicators — before concluding the environment is clean.


The CyberSignal Analysis

Signal 01 — ScreenConnect Is a Persistent, High-Value Target

This is not the first time ConnectWise ScreenConnect has appeared in the CISA KEV catalog. The companion flaw CVE-2024-1709 was added in February 2024. The continued active exploitation two years later — now chained with ransomware by a named China-linked threat actor — reflects a pattern where remote access tools accumulate compounding risk over time as patching lags across distributed enterprise environments and MSP-managed infrastructure. Every organization should audit every ScreenConnect deployment, including those managed by third parties on their behalf.
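As an added illustration of the deployment audit called for above (example code written for this article, not a CISA, ConnectWise or vendor tool), the script below checks a constructed ScreenConnect inventory against the CVE-2024-1708 patched release and the May 12, 2026 federal due date. Hostnames, versions and the MSP name are assumed sample values; the version parser exists because string comparison would wrongly rank a build such as 23.9.10 below 23.9.8 and report a patched host as vulnerable.

```python
from dataclasses import dataclass
from datetime import date

# Values below are taken from the CISA KEV addition discussed on this page.
CVE_ID = "CVE-2024-1708"
FIXED_IN = "23.9.8"                 # ConnectWise patched the flaw in 23.9.8
FEDERAL_DUE_DATE = date(2026, 5, 12)

# Constructed sample inventory (hostnames, versions and the MSP name are made up).
# The MSP-managed host is deliberately included: third-party-run instances count too.
SAMPLE_INVENTORY = [
    {"host": "sc-onprem-01", "product": "ConnectWise ScreenConnect", "version": "23.9.7", "managed_by": "internal"},
    {"host": "sc-onprem-02", "product": "ConnectWise ScreenConnect", "version": "23.9.10", "managed_by": "internal"},
    {"host": "sc-msp-03", "product": "ConnectWise ScreenConnect", "version": "22.8.1", "managed_by": "example-msp"},
    {"host": "fs-01", "product": "Other Product", "version": "1.0", "managed_by": "internal"},
]

def parse_version(version: str) -> tuple[int, ...]:
    """Split '23.9.10' into (23, 9, 10) so comparison is numeric.
    A plain string comparison would wrongly sort '23.9.10' below '23.9.8'."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True if the installed build predates the patched release."""
    return parse_version(version) < parse_version(fixed_in)

@dataclass
class Finding:
    host: str
    version: str
    managed_by: str
    days_to_deadline: int   # negative once the federal due date has passed
    overdue: bool

def audit(inventory: list[dict], today: str) -> list[Finding]:
    """Return one Finding per ScreenConnect host still on an affected version; today is ISO 'YYYY-MM-DD'."""
    findings = []
    for asset in inventory:
        if asset["product"] != "ConnectWise ScreenConnect" or not is_vulnerable(asset["version"]):
            continue
        remaining = (FEDERAL_DUE_DATE - date.fromisoformat(today)).days
        findings.append(Finding(asset["host"], asset["version"], asset["managed_by"], remaining, remaining < 0))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, "2026-04-28"):
        print(f"{f.host:<14} {f.version:<8} {f.managed_by:<12} {CVE_ID} "
              f"{'OVERDUE' if f.overdue else str(f.days_to_deadline) + ' days to deadline'}")
```

Feed it a real inventory export (including MSP-managed instances) and run it again after the due date to confirm the overdue flag flips for anything still unpatched.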

Signal 02 — APT28's Use of Windows Shell Flaws Is an Escalation Pattern Worth Watching

The attribution of CVE-2026-32202 exploitation to APT28 in campaigns targeting Ukraine and EU countries since December 2025 places this in a specific geopolitical context. For NATO-adjacent organizations and defense contractors, this is a targeted threat — not routine patch management. The incomplete-patch origin of the vulnerability also signals that the underlying Windows Shell attack surface has not been fully addressed, and additional related CVEs may emerge.

Signal 03 — The May 12 Deadline Is a Floor, Not a Target

BOD 22-01 deadlines apply to federal agencies, but the underlying logic — known exploited vulnerabilities should be remediated as fast as operationally possible — applies universally. Any organization running unpatched ScreenConnect or unpatched Windows endpoints when active ransomware campaigns and APT exploitation are confirmed should treat remediation as an ongoing incident response action, not a change management ticket.


Sources

Type       Source
Official   CISA Alert — Two New KEV Additions, April 28, 2026
Official   CISA Known Exploited Vulnerabilities Catalog
Reporting  The Hacker News — CISA Adds ConnectWise and Windows Flaws
Reporting  Cybersecurity Dive — CISA Microsoft and ConnectWise KEV Update
Reporting  Security Affairs — Windows Shell and ScreenConnect KEV