Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2024-1708 (CVSS score: 8.4) - A path traversal vulnerability in ConnectWise ScreenConnect
Analysis Summary
# Vulnerability: Path Traversal in ConnectWise ScreenConnect
## CVE Details
- **CVE ID:** CVE-2024-1708
- **CVSS Score:** 8.4 (High)
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal)
## Affected Systems
- **Products:** ConnectWise ScreenConnect (on-premise versions)
- **Versions:** All versions prior to 23.9.8
- **Configurations:** This flaw primarily affects self-hosted/on-point installations that have not applied early 2024 updates.
## Vulnerability Description
CVE-2024-1708 is a path traversal vulnerability that allows an attacker to access files and directories stored outside the intended web root folder. By manipulating file paths, an attacker can read sensitive configuration files or upload malicious files to locations where they may be executed. This flaw is often chained with **CVE-2024-1709** (an authentication bypass) to achieve full Remote Code Execution (RCE).
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV catalog)
- **Complexity:** Low
- **Attack Vector:** Network
- **Note:** Actively utilized by threat actors, including **Storm-1175**, to deploy Medusa ransomware and used by APT groups for initial access.
## Impact
- **Confidentiality:** High (Access to sensitive data/system files)
- **Integrity:** High (Ability to overwrite or create files)
- **Availability:** High (Potential for full system takeover and ransomware deployment)
## Remediation
### Patches
- **ConnectWise ScreenConnect version 23.9.8** and higher contains the fix for this flaw (released February 2024).
### Workarounds
- No official workarounds are recommended other than immediate patching.
- Restrict access to ScreenConnect management interfaces via VPN or IP whitelisting to reduce the attack surface.
## Detection
- **Indicators of Compromise:** Look for unusual file creations in the ScreenConnect directory, specifically unexpected `.aspx` or `.ashx` files.
- **Detection methods and tools:** Monitor web server logs for requests containing traversal sequences (e.g., `../`, `..%2f`) targeting the ScreenConnect application.
## References
- ConnectWise Security Bulletin: [https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8]
- CISA KEV Catalog: [https://www.cisa.gov/known-exploited-vulnerabilities-catalog]
***
# Vulnerability: Windows Shell Protection Mechanism Failure
## CVE Details
- **CVE ID:** CVE-2026-32202
- **CVSS Score:** 4.3 (Medium)
- **CWE:** Protection Mechanism Failure (Incomplete Patch)
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Various versions of Windows 10, Windows 11, and Windows Server.
- **Configurations:** Systems where the Windows Shell is reachable via network vectors.
## Vulnerability Description
This vulnerability involves a protection mechanism failure within the Windows Shell. According to security researchers (Akamai), this flaw is the result of an "incomplete patch" for a previous vulnerability (CVE-2026-21510). It allows an unauthorized attacker to perform spoofing attacks over the network.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV catalog)
- **Complexity:** Medium
- **Attack Vector:** Network
- **Note:** Linked to Russian threat actor **APT28** (Fancy Bear) in campaigns targeting Ukraine and European Union countries.
## Impact
- **Confidentiality:** Low
- **Integrity:** Medium (Spoofing/Manipulation of data)
- **Availability:** Low
## Remediation
### Patches
- **Microsoft April 2026 Security Update:** Apply the latest cumulative updates for your specific Windows version.
### Workarounds
- None specified; administrative priority should be the application of the April 2026 patch.
## Detection
- **Indicators of Compromise:** Monitor for network activities associated with APT28 toolsets.
- **Detection methods and tools:** Utilize EDR and NDR tools to identify unauthorized connection attempts or spoofed network traffic originating from Windows Shell processes.
## References
- Microsoft Advisory: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202]
- CISA News Release: [https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog]