CISA Flags Actively Exploited ConnectWise, Windows Flaws

CVE-2026-32202 — a Microsoft Windows Shell protection-failure bug scored 4.3 — was added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog one day after Microsoft acknowledged the flaw had come under active exploitation.

CISA adds two actively exploited flaws to the KEV catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The entries are:

  • CVE-2024-1708 (CVSS 8.4): a path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems. The vendor fixed the issue in February 2024.
  • CVE-2026-32202 (CVSS 4.3): a protection mechanism failure in Microsoft Windows Shell that could allow an unauthorized attacker to perform spoofing over a network. Microsoft released a fix in April 2026.

How the flaws work and how they have been chained

The ConnectWise ScreenConnect flaw, CVE-2024-1708, is described in the KEV entry as a path traversal issue that can enable remote code execution and affect confidential data and critical systems when successfully exploited. Historically, CVE-2024-1708 has been chained with CVE-2024-1709 — a separate, critical authentication bypass vulnerability rated CVSS 10.0 — by multiple threat actors over the years.

Microsoft’s Windows Shell issue, CVE-2026-32202, is categorized as a protection mechanism failure that could allow network spoofing by an unauthorized attacker. Microsoft fixed the flaw in April 2026 and updated its advisory to acknowledge that the vulnerability had been subject to active exploitation.

Threat actor links cited by Microsoft and Akamai

Microsoft linked exploitation of the ConnectWise-related flaws to a China-based actor it tracks as Storm-1175, saying the actor used the bugs in attacks that deployed Medusa ransomware. Separately, Akamai reported that the Windows Shell vulnerability stemmed from an incomplete patch for CVE-2026-21510; Akamai said that incomplete fix had been leveraged as part of a zero‑day chain alongside CVE-2026-21513 by the Russian hacking group APT28 in attacks targeting Ukraine and E.U. countries since December 2025.

Microsoft, for its part, has not disclosed the precise nature of the attacks weaponizing CVE-2026-32202 beyond acknowledging active exploitation.

What this means for Federal Civilian Executive Branch agencies, ConnectWise customers, and Windows administrators

  • Federal Civilian Executive Branch (FCEB) agencies: CISA previously added CVE-2024-1709 to the KEV catalog on February 22, 2024, and FCEB agencies are required to apply the necessary fixes by May 12, 2026, to secure their networks. Because CVE-2024-1708 has been chained with CVE-2024-1709, FCEB networks that host ScreenConnect instances should confirm remediation status for both flaws.
  • ConnectWise customers and IT teams: CVE-2024-1708 was fixed in February 2024; organizations still running vulnerable ScreenConnect instances face remote code execution and data-exposure risk where attackers can chain with authentication bypass vulnerabilities.
  • Windows administrators and enterprise defenders: Microsoft fixed CVE-2026-32202 in April 2026. Given Microsoft’s advisory acknowledging active exploitation and Akamai’s attribution of an incomplete patch pathway for related Windows bugs, administrators should ensure the April 2026 update is applied where relevant.
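One way to run the "confirm remediation status for both flaws" check against scanner output, as an added example that is not from the article or from CISA. Host names and findings are constructed; `dueDate` follows the field name in CISA's KEV JSON feed, and dates the article does not give are left unset.

```python
from datetime import date

# KEV-style records; values come from the article, unknown dates stay None.
KEV = {
    "CVE-2024-1708": {"product": "ConnectWise ScreenConnect", "dueDate": None},
    "CVE-2024-1709": {"product": "ConnectWise ScreenConnect", "dueDate": date(2026, 5, 12)},
    "CVE-2026-32202": {"product": "Microsoft Windows Shell", "dueDate": None},
}

# CVEs the article reports as chained or related; a host touching one member
# needs a recorded result for every member.
GROUPS = {
    "ScreenConnect chain": {"CVE-2024-1708", "CVE-2024-1709"},
    "Windows Shell (Akamai account)": {"CVE-2026-32202", "CVE-2026-21510", "CVE-2026-21513"},
}

# Constructed scanner findings (hypothetical hosts).
FINDINGS = [
    {"host": "sc-relay-01", "cve": "CVE-2024-1709", "status": "fixed"},
    {"host": "sc-relay-02", "cve": "CVE-2024-1708", "status": "open"},
    {"host": "sc-relay-02", "cve": "CVE-2024-1709", "status": "open"},
    {"host": "ws-114", "cve": "CVE-2026-32202", "status": "fixed"},
    {"host": "ws-114", "cve": "CVE-2026-21510", "status": "fixed"},
    {"host": "ws-114", "cve": "CVE-2026-21513", "status": "fixed"},
]

def triage(findings, today):
    """Per host: open KEV CVEs, those past dueDate, and group members never checked."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], {})[f["cve"]] = f["status"]
    report = {}
    for host, seen in by_host.items():
        have = set(seen)
        open_kev = sorted(c for c, s in seen.items() if s == "open" and c in KEV)
        overdue = [c for c in open_kev
                   if KEV[c]["dueDate"] is not None and KEV[c]["dueDate"] < today]
        unverified = set()
        for members in GROUPS.values():
            if members & have:            # host is in scope for this group
                unverified |= members - have  # no scan result is not "fixed"
        report[host] = {"open_kev": open_kev, "overdue": overdue,
                        "unverified": sorted(unverified)}
    return report

if __name__ == "__main__":
    for host, row in triage(FINDINGS, date(2026, 5, 13)).items():
        print(host, row)
```

A host such as `sc-relay-01`, with CVE-2024-1709 marked fixed but no result for CVE-2024-1708, is reported as unverified rather than clean.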

Practical takeaways and the open question on attack details

CISA’s addition of these two CVEs to the KEV catalog formalizes that both flaws have been exploited in the wild. Patches are publicly available — ConnectWise in February 2024 and Microsoft in April 2026 — and at least one critical related vulnerability (CVE-2024-1709) already carried a federal mitigation deadline of May 12, 2026. The reporting also leaves a concrete gap: Microsoft has acknowledged active exploitation of CVE-2026-32202 but has not disclosed the technical details of the attacks. Akamai’s account that the Windows issue arose from an incomplete patch for CVE-2026-21510 and was exploited in tandem with CVE-2026-21513 by APT28 in campaigns since December 2025 provides one public line of forensic explanation, but the public advisories only partially describe how threat actors are weaponizing these flaws.

The additions to KEV underline a simple, immediate fact: exploit activity drove the listing, and patches exist. Which organizations act quickly will determine who is exposed — and which intrusion chains remain available for adversaries to reuse.

Source: The Hacker News — CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV