CISA Adds Windows Shell and ConnectWise ScreenConnect Flaws to KEV After Microsoft's April Patch Failed to Mark Zero-Click Bug as Exploited
CISA added CVE-2026-32202 and CVE-2024-1708 to the Known Exploited Vulnerabilities catalog on April 28, giving federal agencies until May 12 to patch a zero-click NTLM coercion flaw whose Patch Tuesday entry carried no exploitation marker.
Overview
The U.S. Cybersecurity and Infrastructure Security Agency added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 28, 2026, ordering Federal Civilian Executive Branch agencies to patch them by May 12. The two entries — a zero-click Windows Shell flaw tracked as CVE-2026-32202 and a two-year-old ConnectWise ScreenConnect path traversal bug tracked as CVE-2024-1708 — were added together in the same CISA alert.
The Windows entry is the more disruptive of the two for defenders. Microsoft shipped its fix two weeks earlier, on April 14, without flagging the bug as exploited, and the company’s own Patch Tuesday metadata was the primary signal most enterprises used to triage the month’s 163 fixes.
What We Know
According to the CISA alert, both CVEs are now subject to Binding Operational Directive 22-01 with a remediation deadline of May 12, 2026. The directive applies to FCEB agencies, and CISA “strongly urges all organizations to reduce their exposure” by prioritizing the same patches.
CVE-2026-32202 is described in the National Vulnerability Database as a “protection mechanism failure in Windows Shell” that “allows an unauthorized attacker to perform spoofing over a network.” NVD assigns the bug a CVSS 3.1 base score of 4.3 and classifies it under CWE-693 (Protection Mechanism Failure). The advisory lists Windows Server 2012 R2, Windows 10 builds 1607 through 22H2, and every supported Windows 11 release from 23H2 through 26H1 as affected.
CVE-2024-1708 is the second of two ScreenConnect bugs that ConnectWise patched in February 2024 and that have circulated in attack toolchains ever since. The CISA catalog entry classifies it as a path traversal weakness (CWE-22) in ConnectWise ScreenConnect 23.9.7 and earlier, fixed in 23.9.8.
The Incomplete Patch
The Windows Shell bug exists because Microsoft’s earlier fix for CVE-2026-21510, shipped in February 2026, only partially closed the attack path. Akamai researchers, who reported the gap, told SecurityWeek that the original patch enforced SmartScreen verification on shortcut files but “the victim machine was still authenticating to the attacker’s server” before that check ran.
In practice, SecurityWeek reports, opening a folder that contains a malicious LNK file is enough to trigger the attack: Windows Explorer requests an icon from a UNC path embedded in the shortcut, which opens an SMB connection to the attacker’s server. That connection “triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks.” No double-click or warning dialog is required — the user only has to view the directory.
SecurityWeek attributes the original CVE-2026-21510 exploitation to the Russia-linked APT28 group, also known as Fancy Bear, which used weaponized LNK files in December 2025 attacks against Ukraine and EU countries — chaining CVE-2026-21510 with CVE-2026-21513 to bypass Windows security features.
A Missing Exploitation Flag
What sets this case apart is the gap between Microsoft’s release notes and the catalog entry. Microsoft pushed the CVE-2026-32202 fix as part of its April 14 Patch Tuesday rollout but did not initially mark it as exploited in the wild — which, in most enterprise patch-management workflows, is the trigger that elevates a CVE from routine to emergency. The Machine Herald reported earlier that April’s release shipped 163 fixes, with attention focused on a separately flagged SharePoint spoofing bug and a publicly disclosed Defender escalation issue. CVE-2026-32202 was not on that exploited-in-the-wild list at release.
The CISA alert reverses that signal: inclusion in the KEV catalog requires evidence of active exploitation, and the May 12 deadline gives FCEB agencies 14 days to apply a patch that has been available for more than two weeks. Organizations that triaged the April rollout based on Microsoft’s exploitation flags alone may have deferred the fix.
The ConnectWise Bug Is Older Than CISA’s Catalog Treatment
The second KEV addition, CVE-2024-1708, is a Zip Slip-style path traversal in ScreenConnect’s extension handling. According to the CISA alert, the flaw allows attackers to “manipulate file paths” and deposit files outside the intended extension directory, including web shells in the application root. ConnectWise patched the vulnerability in ScreenConnect 23.9.8 in February 2024.
The bug was publicly known and patched more than two years before this week’s KEV addition. Its inclusion now suggests CISA has fresh telemetry showing exploitation against unpatched instances — a population that, given the age of the fix, is by definition running software that has gone two years without an update to a remote-access tool.
What We Don’t Know
Neither the CISA alert nor the NVD entry names the specific threat actor behind the in-the-wild exploitation of CVE-2026-32202 that triggered the catalog addition. CISA’s KEV listings do not require attribution, and Microsoft has not, as of publication, updated its public advisory to identify the operators or campaigns it observed.
The agency also has not disclosed the volume of unpatched ScreenConnect 23.9.7-and-earlier instances reachable from the public internet, or the sectors targeted in the recent CVE-2024-1708 activity. The KEV listing alone does not include exploitation telemetry.
For enterprises, the practical question is whether to treat the absence of an “exploited” flag in future Microsoft Patch Tuesday releases as authoritative. The April 14 release shows that the flag can lag CISA’s catalog by two weeks — a gap long enough for active campaigns to run before defenders are formally on notice.