
CISA has added two vulnerabilities to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation — CVE-2024-1708, a ConnectWise ScreenConnect path traversal vulnerability, and CVE-2026-32202, a Microsoft Windows protection mechanism failure vulnerability.
CVE-2024-1708 — ConnectWise ScreenConnect Path Traversal
ConnectWise ScreenConnect 23.9.7 and prior versions are affected by a path traversal vulnerability that may allow an attacker to execute remote code or directly impact confidential data or critical systems.
CVE-2024-1708 is widely known as the second half of the “SlashAndGrab” exploit chain. While CVE-2024-1709 allows attackers to bypass authentication, CVE-2024-1708 is the mechanism that delivers the payload — it allows an attacker to overwrite critical files on the server, leading to full Remote Code Execution. It is specifically a “Zip Slip” flaw within the ScreenConnect extension handling mechanism where the server extracts zip contents without checking for dot-dot-slash sequences, enabling writes to arbitrary file system locations.
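The check that a Zip Slip extractor is missing can be sketched as follows. This is an added example, not ConnectWise or ScreenConnect code; it uses Python for illustration, and the function names and sample archive entries are constructed here.

```python
import io
import os
import zipfile


def escaping_entries(archive: zipfile.ZipFile, dest_dir: str) -> list[str]:
    """Return names of entries whose resolved path falls outside dest_dir."""
    root = os.path.realpath(dest_dir)
    bad = []
    for name in archive.namelist():
        # Treat backslashes as separators too: a Windows server honours them
        # even when the archive was built elsewhere.
        normalized = name.replace("\\", "/")
        # join() discards root when the entry is absolute, so absolute
        # entries are caught by the same containment test.
        target = os.path.realpath(os.path.join(root, normalized))
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if every entry stays inside dest_dir; otherwise raise."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        bad = escaping_entries(archive, dest_dir)
        if bad:
            # Reject the whole archive: nothing is written on failure.
            raise ValueError(f"archive rejected, entries escape destination: {bad}")
        # Python's zipfile also strips ".." on extract; the explicit check
        # above is the part an extractor without that safeguard needs.
        archive.extractall(dest_dir)
        return archive.namelist()


def build_sample(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()
```

Rejecting the archive outright, rather than silently rewriting entry names, also leaves a clear event to log and alert on.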
In early 2024, security flaws in ConnectWise ScreenConnect were exploited by both cybercrime and nation-state threat actors — including those from China, North Korea, and Russia — to deliver a variety of malicious payloads.
What makes this KEV addition notable in April 2026 is its age. CVE-2024-1708 was disclosed in February 2024. Its reappearance in the active exploitation signal indicates continued targeting of unpatched self-hosted ScreenConnect deployments — the long tail of remote management tool exposure that never fully closes.
Remediation: Update on-premise ScreenConnect to version 23.9.8 or later. If exploitation evidence is found — unknown admin accounts, abnormal session history, webshell behavior — do not just patch. Rebuild from a known clean backup to ensure no backdoors remain.
CVE-2026-32202 — Microsoft Windows Protection Mechanism Failure
CVE-2026-32202 affects Microsoft Windows and is described as a protection mechanism failure vulnerability. Public vulnerability records describe the potential impact as including remote code execution or direct impact to confidential data and critical systems.
Full technical details on exploitation mechanics remain limited at time of reporting. The KEV listing confirms active in-the-wild exploitation, making emergency patching the required posture regardless of exposure assessment.
Remediation: Apply Microsoft patches per vendor instructions in line with BOD 22-01 guidance.
Remediation Deadlines
Federal Civilian Executive Branch agencies are subject to mandatory remediation timelines under Binding Operational Directive 22-01. All other organizations are strongly urged to treat KEV catalog additions as urgent prioritization signals in their vulnerability management programs.



Very nice.