CISA Adds Actively Exploited ConnectWise, Windows Flaws to KEV
CISA added CVE-2024-1708 (ConnectWise ScreenConnect path traversal, CVSS 8.4) and an unnamed Windows flaw to its KEV catalog based on confirmed active exploitation.

Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on April 28, 2026 added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. One of the vulnerabilities, CVE-2024-1708, affects ConnectWise ScreenConnect and carries a CVSS score of 8.4. The second flaw impacts Microsoft Windows, though CISA has not yet publicly disclosed its CVE identifier. Federal civilian executive branch agencies are required to remediate both vulnerabilities by May 19, 2026 per Binding Operational Directive (BOD) 22-01.
Technical Analysis
CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect, a remote desktop and support tool widely used by managed service providers (MSPs) and IT teams. According to CISA's advisory, the flaw allows an unauthenticated attacker to traverse directories and potentially access sensitive files or execute arbitrary code on the affected server. The vulnerability was originally disclosed in early 2024, and ConnectWise released a patch in version 23.9.8. However, its addition to the KEV catalog now confirms that threat actors are actively exploiting the flaw in the wild, likely targeting unpatched instances.
The second vulnerability, affecting Microsoft Windows, has not been assigned a public CVE identifier at the time of CISA's announcement. The agency's KEV entry lists it as a Windows vulnerability under active exploitation but provides no further technical details. This opacity is unusual for CISA, which typically includes CVE IDs for all KEV additions. The lack of a public identifier may indicate that Microsoft has not yet fully disclosed the flaw, or that exploitation is occurring against a component for which a patch is still pending. CISA's directive applies equally to both entries, meaning agencies must remediate the Windows flaw even without a named CVE.
CISA's KEV catalog serves as an authoritative list of vulnerabilities known to be exploited in the wild, and BOD 22-01 mandates that federal agencies patch listed flaws within specified timelines. While the directive only applies to U.S. federal civilian agencies, CISA strongly recommends that all organizations prioritize remediation of KEV-listed vulnerabilities.
Mitigations & Recommendations
Organizations using ConnectWise ScreenConnect should immediately verify they are running version 23.9.8 or later, which contains the patch for CVE-2024-1708. For the unnamed Windows vulnerability, defenders should monitor Microsoft's security update releases and apply any relevant patches as soon as they become available. In the absence of a specific patch, organizations should implement network segmentation and restrict remote access to ScreenConnect servers where possible. CISA's KEV catalog should be reviewed regularly, and any listed vulnerabilities affecting in-scope software should be remediated within the stipulated deadlines.
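One way to operationalize the recurring KEV review recommended above, as an added example rather than anything from CISA or this article: match a KEV feed against a software inventory, skip hosts already on a fixed build, and report each remaining exposure with its BOD 22-01 deadline. The feed field names (cveID, vendorProject, product, dueDate) follow CISA's public JSON feed; the sample feed, hostnames and inventory are constructed, the 23.9.8 fixed version and May 19 due date come from the article, and the Windows CVE is a placeholder because none has been published.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Only the ScreenConnect
# entry and the due date come from the article; the Windows CVE is a placeholder
# and the third entry exists only to show non-matching products being ignored.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise",
     "product": "ScreenConnect", "dueDate": "2026-05-19"},
    {"cveID": "CVE-PLACEHOLDER-WINDOWS", "vendorProject": "Microsoft",
     "product": "Windows", "dueDate": "2026-05-19"},
    {"cveID": "CVE-PLACEHOLDER-OTHER", "vendorProject": "Example",
     "product": "NotInstalled", "dueDate": "2026-05-19"},
]})

# Locally maintained map of KEV entry -> first fixed version (23.9.8 per the
# article). Entries with no known fix are flagged regardless of version.
FIXED_VERSIONS = {"CVE-2024-1708": "23.9.8"}

# Constructed inventory: (host, vendor, product, installed version).
INVENTORY = [
    ("sc-prod-01", "ConnectWise", "ScreenConnect", "23.9.7"),
    ("sc-prod-02", "ConnectWise", "ScreenConnect", "23.10.1"),
    ("ws-finance-7", "Microsoft", "Windows", "10.0.19045"),
]

def version_tuple(v):
    """Compare versions numerically: '23.10.1' must sort above '23.9.8',
    which a plain string comparison gets wrong."""
    return tuple(int(part) for part in v.split("."))

def kev_exposures(kev_json, inventory, fixed_versions, today_iso):
    """Return inventory hosts still affected by a KEV entry, with deadline status."""
    today = date.fromisoformat(today_iso)
    kev = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for host, vendor, product, version in inventory:
        for entry in kev:
            if (entry["vendorProject"], entry["product"]) != (vendor, product):
                continue
            fixed = fixed_versions.get(entry["cveID"])
            if fixed is not None and version_tuple(version) >= version_tuple(fixed):
                continue  # already on a patched build
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            status = ("overdue" if days_left < 0 else
                      "patch available" if fixed else "awaiting vendor fix")
            findings.append({"host": host, "cve": entry["cveID"],
                             "due": entry["dueDate"], "days_left": days_left,
                             "status": status})
    return findings

if __name__ == "__main__":
    for finding in kev_exposures(KEV_SAMPLE, INVENTORY, FIXED_VERSIONS, "2026-04-29"):
        print(finding)
```

In practice the feed would be fetched from CISA and the inventory pulled from a CMDB or endpoint agent; the matching and deadline logic stays the same.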
