The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Home windows to its Recognized Exploited Vulnerabilities (KEV) catalog, primarily based on proof of energetic exploitation.
The vulnerabilities are listed under –
- CVE-2024-1708 (CVSS rating: 8.4) – A path traversal vulnerability in ConnectWise ScreenConnect that might enable an attacker to execute distant code or immediately impression confidential information and significant methods. (Mounted in February 2024)
- CVE-2026-32202 (CVSS rating: 4.3) – A safety mechanism failure vulnerability in Microsoft Home windows Shell that might enable an unauthorized attacker to carry out spoofing over a community. (Mounted in April 2026)
The addition of CVE-2026-32202 to the KEV catalog comes a day after Microsoft up to date its advisory for the flaw to acknowledge it had come below energetic exploitation.
Though Microsoft has not disclosed the character of the assaults weaponizing the flaw, Akamai stated the vulnerability stemmed from an incomplete patch for CVE-2026-21510, which was exploited as a zero-day alongside CVE-2026-21513 by the Russian hacking group APT28 in assaults concentrating on Ukraine and E.U. international locations since December 2025.
Attacks exploiting CVE-2024-1708, then again, have been chained with CVE-2024-1709 (CVSS rating: 10.0), a essential authentication bypass vulnerability, by a number of menace actors through the years. Earlier this month, Microsoft linked the exploitation of the failings to a China-based menace actor it tracks as Storm-1175 in assaults deploying Medusa ransomware.
It is price noting that CISA added CVE-2024-1709 to the KEV catalog on February 22, 2024. Federal Civilian Government Department (FCEB) companies are required to use the mandatory fixes by Might 12, 2026, to safe their networks.
