CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added CVE-2024-1708 (ConnectWise ScreenConnect Path Traversal Vulnerability) and CVE-2026-32202 (Microsoft Windows Protection Mechanism Failure Vulnerability) to the Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize patching these systems to mitigate significant risks to their enterprise environments.
Authors: CISA
Source: CISA
Detection / Hunter
What Happened
CISA has warned that two software vulnerabilities are currently being used by attackers in the real world. The affected software includes ConnectWise ScreenConnect and Microsoft Windows. This matters because attackers can use these flaws to bypass security protections and compromise systems or networks. Organizations should immediately apply the latest security updates for these products to protect themselves.
Key Takeaways
- CISA has added CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-32202 (Microsoft Windows) to the Known Exploited Vulnerabilities (KEV) Catalog.
- Both vulnerabilities are actively being exploited in the wild by malicious cyber actors.
- Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities under Binding Operational Directive (BOD) 22-01.
- All organizations are strongly urged to prioritize the timely remediation of these vulnerabilities to reduce cyberattack exposure.
Affected Systems
- ConnectWise ScreenConnect
- Microsoft Windows
Vulnerabilities (CVEs)
- CVE-2024-1708
- CVE-2026-32202
Attack Chain
The provided alert does not detail a specific attack chain. However, it notes that threat actors are actively exploiting a path traversal vulnerability in ConnectWise ScreenConnect (CVE-2024-1708) and a protection mechanism failure in Microsoft Windows (CVE-2026-32202) to compromise targeted systems.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the CISA alert.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR solutions may detect post-exploitation activity or anomalous child processes spawning from ScreenConnect, as well as attempts to bypass Windows protection mechanisms, though specific behavioral IOCs are not provided in the text.
- Network Visibility: Medium — Network sensors and WAFs may detect path traversal exploitation attempts against public-facing ScreenConnect instances if appropriate signatures are deployed.
- Detection Difficulty: Moderate — Without specific indicators of compromise or detailed exploitation methodologies provided in the alert, detection relies heavily on vendor-supplied patches, vulnerability scanners, and general anomaly detection.
Required Log Sources
- Windows Event Logs
- Web Application Firewall (WAF) logs
- ConnectWise ScreenConnect application logs
- EDR telemetry (Process/File creation)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for anomalous child processes or unexpected file writes originating from the ConnectWise ScreenConnect service, which may indicate successful exploitation of the path traversal vulnerability. | Process creation logs, File creation logs | Execution / Persistence | Low |
| Monitor for unexpected changes or failures in Windows protection mechanisms (e.g., tampering with security services or registry keys) that could indicate exploitation of CVE-2026-32202. | Windows System Event Logs, Registry modification logs | Defense Evasion | Medium |
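The first hypothesis above, turned into a small hunting script over process-creation and file-creation telemetry. This is an added example, not part of the CISA alert; the ScreenConnect service image name, its install directory and the sample events are assumptions constructed for illustration.

```python
# Added hunting helper for the ScreenConnect hypothesis above (not from the CISA alert).
# The process image name and install directory below are assumptions, not alert values.
from pathlib import PureWindowsPath
from typing import Optional

SC_IMAGE = "screenconnect.service.exe"                             # assumed server service image
SC_DIR = PureWindowsPath(r"C:\Program Files (x86)\ScreenConnect")  # assumed install directory
EXPECTED_CHILDREN = {SC_IMAGE, "conhost.exe"}                      # baseline; anything else is flagged

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def flag_process_event(ev: dict) -> Optional[str]:
    """Flag a process-creation event whose parent is the ScreenConnect service and whose child is off-baseline."""
    if _name(ev.get("ParentImage", "")) != SC_IMAGE:
        return None
    child = _name(ev.get("Image", ""))
    if child in EXPECTED_CHILDREN:
        return None
    return f"unexpected child {child} of ScreenConnect: {ev.get('CommandLine', '')}"

def flag_file_event(ev: dict) -> Optional[str]:
    """Flag a file-creation event where the service writes outside its install dir (a path traversal pattern)."""
    if _name(ev.get("Image", "")) != SC_IMAGE:
        return None
    target = PureWindowsPath(ev.get("TargetFilename", ""))
    if target.is_relative_to(SC_DIR):  # Python 3.9+
        return None
    return f"ScreenConnect wrote outside its install dir: {target}"

def hunt(events: list) -> list:
    """Apply the matching check to each event, keyed on its 'EventType'."""
    findings = []
    for ev in events:
        check = flag_process_event if ev.get("EventType") == "ProcessCreate" else flag_file_event
        hit = check(ev)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample telemetry (not real logs): two ScreenConnect anomalies, one benign cmd.exe, one benign write.
BIN = r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": BIN, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventType": "FileCreate", "Image": BIN, "TargetFilename": r"C:\Program Files (x86)\ScreenConnect\App_Data\Session.db"},
    {"EventType": "FileCreate", "Image": BIN, "TargetFilename": r"C:\Windows\Temp\dropped.txt"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns the two ScreenConnect-originated findings and ignores the explorer.exe-spawned cmd.exe and the in-directory write; tune `EXPECTED_CHILDREN` and `SC_DIR` to your deployment before using it against real telemetry.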
Control Gaps
- Unpatched public-facing applications
- Unpatched Windows endpoints
Key Behavioral Indicators
- Anomalous file paths accessed by the ScreenConnect process
- Unexpected state changes in Windows security features
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Apply the latest vendor-supplied patches for ConnectWise ScreenConnect to remediate CVE-2024-1708.
- Apply the latest Microsoft Windows security updates addressing CVE-2026-32202.
Infrastructure Hardening
- Restrict access to public-facing management interfaces like ScreenConnect using IP allowlisting, VPNs, and Multi-Factor Authentication (MFA).
- Ensure vulnerability management programs prioritize items listed in the CISA KEV catalog.
User Protection
- Ensure endpoint operating systems are regularly updated and monitored by an active EDR solution.
Security Awareness
- Educate IT and security teams on the requirements of BOD 22-01 and the importance of tracking the CISA KEV catalog for prioritized patching.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1068 - Exploitation for Privilege Escalation
- T1562 - Impair Defenses