According to CISA, Windows Shell and ConnectWise ScreenConnect flaws have been added to the Known Exploited Vulnerabilities (KEV) catalog. The entries include CVE-2024-1708, a ConnectWise ScreenConnect Path Traversal Vulnerability (CVSS 8.4) affecting versions 23.9.7 and earlier, and CVE-2026-32202, a Microsoft Windows Protection Mechanism Failure Vulnerability (CVSS 4.3).
The path traversal issue could allow an attacker to manipulate file paths to access sensitive areas, potentially leading to remote code execution or unauthorized data access. The Windows flaw, CVE-2026-32202, is identified as a Windows Shell Spoofing vulnerability, which could enable content spoofing over a network due to a failure in built-in protection mechanisms.
CISA notes that federal agencies must address these vulnerabilities by the due date under Binding Operational Directive (BOD) 22-01, with orders to fix them by May 12, 2026. Private organisations are urged to review the KEV Catalog and patch accordingly.