All incidents

CISA adds Windows Shell and ConnectWise ScreenConnect flaws to Known Exploited Vulnerabilities catalog

vulnerabilityclosedApr 28, 2026 — Apr 29, 2026
CISA adds Windows Shell and ConnectWise ScreenConnect flaws to Known Exploited Vulnerabilities catalog

ON 28 April 2026 the Cybersecurity and Infrastructure Security Agency added two vulnerabilities to its Known Exploited Vulnerabilities catalogue, a Windows Shell spoofing flaw and a ConnectWise ScreenConnect path traversal bug, as detailed in its alert published that day. The additions mean federal civilian agencies must prioritise patching or mitigating these issues under binding operational directives.

The ScreenConnect flaw, tracked as CVE-2024-1708, carries a CVSS v3.1 base score of 8.4 and affects versions 23.9.7 and earlier, allowing an unauthenticated attacker to send crafted web requests that traverse directory boundaries and potentially achieve remote code execution or arbitrary file access according to CISA’s KEV entry. ConnectWise has released a security bulletin with a patch for the vulnerability.

The Windows Shell issue, recorded as CVE-2026-32202, is rated CVSS 4.3 and stems from a failure in the Shell’s protection mechanism that enables network‑based spoofing of trusted entities as noted in the KEV catalogue. Microsoft’s advisory links the spoof to an incomplete patch for CVE-2026-21510, which has been chained with CVE-2026-21513 in recent attacks.

Threat intelligence links the exploitation chain to APT28, also known as Fancy Bear, which used the vulnerability pair in a campaign targeting Ukrainian and European organisations in December 2025 according to The Hacker News. The zero‑click nature of the Windows Shell flaw lets an attacker compromise a system simply by having a victim open a malicious file.

Defenders should apply the Microsoft patch for CVE-2026-32202 released as part of the April 2026 Patch Tuesday update and install the ConnectWise ScreenConnect update addressing CVE-2024-1708 without delay. Where immediate patching is not possible, organisations should restrict network access to the ScreenConnect web interface and enforce strict file‑origin policies for Windows Shell interactions.

Monitoring for anomalous path traversal requests in ScreenConnect logs and for unexpected Shell‑level spoofing indicators, such as mismatched signing certificates or unusual network authentication attempts, can help detect ongoing exploitation. Implementing network segmentation and least‑privilege access for management interfaces further reduces the chance of successful attack.

Intelligence briefing updated Jun 12, 2026

CVE-2026-21510 8.8 KEV CVE-2026-21513 8.8 KEV CVE-2024-1708 8.4 KEV CVE-2026-32202 4.3 KEV APT28
Root sourcewww.cisa.gov
Timeline Coverage

Swipe to explore timeline