CISA orders agencies to patch exploited ConnectWise ScreenConnect and Windows flaws


CISA has added two actively exploited vulnerabilities in ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities catalog. The move gives U.S. federal civilian agencies until May 12, 2026, to apply fixes or mitigations.

The two flaws are CVE-2024-1708, a ConnectWise ScreenConnect path traversal vulnerability, and CVE-2026-32202, a Microsoft Windows Shell protection mechanism failure. Both now carry confirmed exploitation status under CISA’s KEV program.

The warning matters because the two products sit in sensitive parts of enterprise networks. ScreenConnect gives administrators remote access to systems, while Windows Shell handles everyday file and interface behavior on Windows endpoints and servers.

What CISA added to the KEV catalog

CISA added both vulnerabilities on April 28, 2026. The agency uses the KEV catalog to track flaws that attackers are already exploiting, which often makes them more urgent than vulnerabilities with higher scores but no confirmed real-world use.

CVE-2024-1708 affects ConnectWise ScreenConnect 23.9.7 and earlier. The flaw can let an attacker move outside the intended file path and may lead to remote code execution or access to sensitive systems.

CVE-2026-32202 affects Microsoft Windows Shell. Microsoft describes it as a protection mechanism failure that can let an unauthorized attacker perform spoofing over a network.

At a glance

CVE | Product | Issue | Severity | Fix status | CISA deadline
CVE-2024-1708 | ConnectWise ScreenConnect | Path traversal | High, CVSS 8.4 | Fixed in February 2024 | May 12, 2026
CVE-2026-32202 | Microsoft Windows Shell | Protection mechanism failure | Medium, CVSS 4.3 | Fixed in April 2026 | May 12, 2026

Why the Windows Shell flaw is getting new attention

Microsoft patched CVE-2026-32202 in April 2026, but later updated its advisory to mark the vulnerability as actively exploited. That change helped trigger CISA’s KEV listing.

Akamai researchers linked the issue to an incomplete fix for CVE-2026-21510, a Windows Shell flaw patched earlier in 2026. That earlier vulnerability was used in attacks involving malicious shortcut files.

The remaining issue can expose sensitive authentication data when Windows processes malicious content in certain conditions. Security researchers have warned that attackers may use this path to capture NTLM authentication material and support lateral movement.

ConnectWise ScreenConnect remains a target

CVE-2024-1708 is not new, but attackers are still using it. ConnectWise fixed the flaw in February 2024, and the company urged on-premises customers to update to ScreenConnect 23.9.8 or later.

The flaw has often appeared alongside CVE-2024-1709, a critical authentication bypass vulnerability in the same product. CISA added CVE-2024-1709 to the KEV catalog in February 2024.

That pairing makes the ScreenConnect issue especially serious. If attackers bypass authentication and then abuse path traversal, they can gain a stronger foothold on remote access infrastructure.

Recent ransomware activity raises the risk

Microsoft recently linked exploitation of ConnectWise ScreenConnect flaws to Storm-1175, a China-based financially motivated threat actor that deploys Medusa ransomware.

Microsoft said Storm-1175 focuses on vulnerable internet-facing systems and can move from initial access to data theft and ransomware deployment within days. In some incidents, the move to impact happened within 24 hours.

This pattern shows why old remote access vulnerabilities remain dangerous. Even when a patch has been available for years, attackers continue to scan for exposed and unpatched systems.

What organizations should do now

  • Patch Windows systems with the April 2026 security updates if CVE-2026-32202 has not already been addressed.
  • Upgrade self-hosted ScreenConnect servers to 23.9.8 or later, the minimum fixed version noted by ConnectWise.
  • Check ScreenConnect logs, user accounts, extensions, and server files for signs of compromise.
  • Restrict access to remote monitoring and management tools from the public internet where possible.
  • Monitor for abnormal outbound SMB traffic and unusual NTLM authentication attempts.
  • Review privileged service accounts and administrator accounts used by remote access platforms.
  • Rotate credentials if ScreenConnect exposure or suspicious activity is detected.
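
Two of the checks above, the ScreenConnect version floor and the outbound SMB watch, can be scripted. The following is an added example, not code from CISA, ConnectWise or Microsoft; the flow-record layout, the host addresses and the internal network list are constructed assumptions.

```python
import ipaddress

FIXED_MIN = (23, 9, 8)    # minimum fixed ScreenConnect version named in the article
SMB_PORTS = {139, 445}    # NetBIOS session service and SMB over TCP

# Assumption: the organization's internal IPv4 space is RFC 1918 plus loopback/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_version(text):
    """Turn '23.9.7.8804' into a tuple of ints so 23.10 sorts after 23.9."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_upgrade(version_text):
    """True when a self-hosted ScreenConnect build is older than 23.9.8."""
    return parse_version(version_text)[:3] < FIXED_MIN

def is_external(address):
    """True when the address is outside every network in INTERNAL_NETS."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in INTERNAL_NETS)

def outbound_smb_alerts(flows):
    """Return (src, dst, port) for SMB flows from an internal host to an external one."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["dport"] in SMB_PORTS
            and not is_external(f["src"]) and is_external(f["dst"])]

# Constructed flow records; external addresses are documentation ranges.
FLOWS = [
    {"src": "10.1.4.23", "dst": "10.1.0.5", "dport": 445},         # internal file server
    {"src": "10.1.4.23", "dst": "203.0.113.77", "dport": 445},     # SMB leaving the network
    {"src": "10.1.4.40", "dst": "198.51.100.9", "dport": 443},     # ordinary HTTPS
    {"src": "192.168.7.12", "dst": "198.51.100.9", "dport": 139},  # NetBIOS leaving the network
]

if __name__ == "__main__":
    for version in ("23.9.7", "23.9.8", "23.10.1.100"):
        print(version, "upgrade needed" if needs_upgrade(version) else "at or above 23.9.8")
    for alert in outbound_smb_alerts(FLOWS):
        print("outbound SMB:", alert)
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 23.10 below 23.9.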

Why KEV listings matter

CISA’s KEV catalog does not only affect federal agencies. Private companies also use it as a patching priority list because it reflects vulnerabilities with confirmed attacker interest.

The latest update also shows why organizations should not patch only by CVSS score. CVE-2026-32202 has a medium severity score, but active exploitation makes it a higher operational priority than many unexploited critical bugs.
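
The ranking argument above can be made concrete by joining scanner findings with KEV entries before sorting. This is an added example, not part of the article or of any CISA tooling; the KEV records are constructed using the catalog's JSON field names with the dates reported here, and the hosts, the evaluation date and the placeholder CVE-0000-00001 are assumptions.

```python
import json
from datetime import date

# Constructed KEV records (catalog field names; dates as reported in the article).
KEV_JSON = """[
  {"cveID": "CVE-2024-1708",  "dateAdded": "2026-04-28", "dueDate": "2026-05-12"},
  {"cveID": "CVE-2026-32202", "dateAdded": "2026-04-28", "dueDate": "2026-05-12"}
]"""

# Constructed scanner findings; CVE-0000-00001 is a placeholder for an
# unexploited critical bug, not a real identifier.
FINDINGS = [
    {"cve": "CVE-0000-00001", "host": "app01", "cvss": 9.8},
    {"cve": "CVE-2026-32202", "host": "ws-114", "cvss": 4.3},
    {"cve": "CVE-2024-1708", "host": "rmm01", "cvss": 8.4},
]

def load_due_dates(kev_json):
    """Map each KEV-listed CVE to its remediation due date."""
    return {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in json.loads(kev_json)}

def prioritize(findings, due_dates, today):
    """Order findings: KEV-listed first, nearest (or overdue) deadline next, then CVSS."""
    ranked = []
    for f in findings:
        due = due_dates.get(f["cve"])
        days_left = (due - today).days if due else None
        ranked.append({**f, "kev": due is not None, "days_left": days_left})
    ranked.sort(key=lambda r: (not r["kev"],
                               r["days_left"] if r["kev"] else 0,
                               -r["cvss"]))
    return ranked

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_due_dates(KEV_JSON), date(2026, 5, 1)):
        print(r["cve"], r["host"], r["cvss"], "KEV" if r["kev"] else "-", r["days_left"])
```

The CVSS 4.3 Windows Shell finding lands above the 9.8 placeholder because exploitation status is the first sort key and the score only breaks ties.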

For defenders, the message is direct. Fix exposed ScreenConnect servers, apply Microsoft’s Windows updates, and hunt for signs that attackers may have already used these flaws before the deadline.

FAQ

What did CISA add to the KEV catalog?

CISA added CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows Shell after evidence of active exploitation.

When is the federal patch deadline?

Federal Civilian Executive Branch agencies must fix or mitigate both vulnerabilities by May 12, 2026.

Why is CVE-2024-1708 dangerous?

CVE-2024-1708 is a ScreenConnect path traversal flaw that can lead to remote code execution or access to confidential systems, especially when chained with authentication bypass flaws.

Why is CVE-2026-32202 important if it has a medium score?

The Windows flaw is important because attackers are already exploiting it. Active exploitation raises the urgency even when the CVSS score is not critical.
