CISA lists Windows, ConnectWise flaws

- CISA on April 28 added Microsoft Windows CVE-2026-32202 and ConnectWise ScreenConnect CVE-2024-1708 to its Known Exploited Vulnerabilities catalog. (cisa.gov)
- The deadline is fast: federal agencies have until May 12 to remediate both flaws, and ConnectWise says ScreenConnect 23.9.8 or later fixes CVE-2024-1708. (cisa.gov)
- This matters because KEV is the shortlist for flaws already being used in real attacks — especially dangerous on internet-facing admin tools. (cisa.gov)

CISA just moved two old-but-still-dangerous bugs into the “drop what you’re doing” pile. One is in Microsoft Windows Shell. The other is in ConnectWise ScreenC(cisa.gov)te networks. The important part is not just that the bugs exist — it’s that CISA says both have been exploited in the wild and added them to the Known Exploited Vulnerabilities catalog on April 28. (cisa.gov)

### What did CISA actually add?

CISA added CVE-2026-32202, a Microsoft Windows Shell protection mechanism failure that allows spoofing over a network, and CVE-2024-1708, a ConnectWise ScreenConnect path traversal bug that can lead to remote code execution or direct impact on sensitive systems. Both entries landed in KEV on April 28, with a May 12 remediation deadline for federal civilian agencies. (cisa.gov)

### Why does KEV change the urgency?

KEV is basically CISA’s list of vulnerabilities that are not th(cisa.gov)ional Directive 22-01, federal civilian executive branch agencies have to fix listed flaws by CISA’s due date. Everyone else should read that as a loud prioritization signal, not a paperwork exercise. (cisa.gov)

### What’s the Windows bug here?

The Windows entry is CVE-2026-32202. CISA describes it as a Windows Shell protection mechanism failure that allows spoofing over a net(cisa.gov)way is simpler than the taxonomy: this is a Windows component bug that attackers are already using, so defenders do not get to treat it like a routine Patch Tuesday footnote. (cisa.gov)

### Why is ScreenConnect the scarier headline?

Because ScreenConnect is exactly the kind of product attackers love — remote ac(cisa.gov) and commonly used by MSPs and IT teams to reach lots of machines fast. If that admin plane gets compromised, the blast radius can be huge. CISA’s own ransomware guidance keeps stressing rapid patching of known exploited bugs in internet-facing systems for this reason. (cisa.gov)

### Isn’t the ConnectWise bug old?

Yes — and that’s part of the story. C(cisa.gov)ConnectWise released fixes and CISA added the related authentication bypass bug CVE-2024-1709 to KEV almost immediately. But CVE-2024-1708 itself is now in KEV too, which tells you exploitation evidence or prioritization changed enough for CISA to elevate it now. (cisa.gov)

### What version fixes ScreenConnect?

ConnectWise says p(cisa.gov)CVE-2024-1708 and CVE-2024-1709. For on-prem deployments, that’s the practical action item. If a team still has an older instance hanging around, this is not a “next maintenance window” problem. (connectwise.com)

### Who should worry first?

Anyone running internet-facing ScreenConnect, especially MSPs, outsourced(cisa.gov)uidance. The catch is that KEV doesn’t mean every system is equally exposed — but it does mean attackers have already shown the path works somewhere. (cisa.gov)

### What’s the bottom line?

This is a prioritization story more than a discovery story. CISA is telli(connectwise.com)ight now. If a product helps admins control other machines, any actively exploited bug in that layer deserves immediate attention. (cisa.gov)
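The prioritization described above can be run as a triage pass over an asset inventory. This is an added example, not code from CISA, ConnectWise or the original article; it checks each ScreenConnect instance against the 23.9.8 fix version the article cites and puts internet-facing unpatched hosts first. The host names, version strings and inventory field names (`name`, `version`, `internet_facing`) are constructed assumptions.

```python
import re

# Fix version as stated in the article: "ScreenConnect 23.9.8 or later".
FIXED = (23, 9, 8)

# Work order: exposed and unpatched first, unverified next, then internal unpatched.
PRIORITY = {"patch-now": 0, "review": 1, "patch": 2, "ok": 3}

def parse_version(text):
    """Return a tuple of ints, or None if text is not a dotted numeric version."""
    if not text or not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def classify(host):
    version = parse_version(host.get("version"))
    if version is None:
        return "review"  # unknown version: unverified, never assumed safe
    # Tuple comparison handles extra build numbers: (23, 9, 8, 8811) >= (23, 9, 8).
    if version >= FIXED:
        return "ok"
    return "patch-now" if host.get("internet_facing") else "patch"

def triage(inventory):
    """Return (status, host name) pairs, most urgent first."""
    rows = [(classify(host), host["name"]) for host in inventory]
    return sorted(rows, key=lambda row: (PRIORITY[row[0]], row[1]))

# Constructed sample inventory (not real hosts or real build numbers).
INVENTORY = [
    {"name": "sc-msp-01.example.net", "version": "23.9.7.8804", "internet_facing": True},
    {"name": "sc-lab.example.internal", "version": "22.4.1", "internet_facing": False},
    {"name": "sc-hq.example.net", "version": "23.9.8.8811", "internet_facing": True},
    {"name": "sc-old.example.net", "version": "unknown", "internet_facing": True},
    {"name": "sc-new.example.internal", "version": "24.1", "internet_facing": False},
]

if __name__ == "__main__":
    for status, name in triage(INVENTORY):
        print(f"{status:10} {name}")
```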
