HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

CISA Flags Windows Shell Spoofing and ConnectWise ScreenConnect Path‑Traversal as Known Exploited Vulnerabilities

CISA added CVE‑2026‑32202 (Windows Shell spoofing) and CVE‑2024‑02‑21 (ConnectWise ScreenConnect path‑traversal) to its KEV catalog, mandating remediation by May 12 2026. The flaws enable remote code execution or unauthorized file access, posing a high‑impact risk for third‑party risk managers.

LiveThreat™ Intelligence · 📅 April 29, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

CISA Adds Windows Shell Spoofing and ConnectWise ScreenConnect Path‑Traversal to KEV Catalog

What Happened — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively‑exploited flaws—CVE‑2026‑32202 (Windows Shell spoofing) and CVE‑2024‑02‑21 (ConnectWise ScreenConnect path‑traversal)—to its Known Exploited Vulnerabilities (KEV) catalog. Both vulnerabilities are confirmed in the wild and carry CVSS scores of 4.3 and 8.4 respectively.

Why It Matters for TPRM

  • Federal directive BOD 22‑01 now mandates remediation by May 12 2026, creating a hard deadline for any third‑party that supplies or relies on the affected products.
  • Exploitation can lead to remote code execution or unauthorized file access, exposing confidential data and critical business systems.
  • Many managed‑service providers, SaaS platforms, and enterprise endpoints run Windows or use ConnectWise ScreenConnect, expanding the attack surface across supply chains.

Who Is Affected

  • Enterprises across all sectors that deploy Microsoft Windows operating systems.
  • Organizations using ConnectWise ScreenConnect for remote support or remote‑desktop services (MSPs, MSSPs, internal IT teams).

Recommended Actions

  • Verify version inventories for Windows OS and ConnectWise ScreenConnect; prioritize patching for versions 23.9.7 or earlier.
  • Apply Microsoft’s security update for CVE‑2026‑32202 and the ConnectWise advisory for CVE‑2024‑02‑21 immediately.
  • Review contractual clauses with vendors to ensure they meet CISA’s remediation deadline.
  • Update vulnerability‑management policies to flag any KEV‑listed items as high‑priority.

Technical Notes

  • Attack Vector: Path‑traversal in ScreenConnect allows attackers to read/write arbitrary files; Windows Shell flaw enables network‑based content spoofing, potentially leading to credential theft or RCE.
  • CVEs: CVE‑2024‑02‑21 (CVSS 8.4) – ConnectWise ScreenConnect Path Traversal; CVE‑2026‑32202 (CVSS 4.3) – Windows Shell Spoofing.
  • Data Types at Risk: System files, configuration files, credential stores, and any data accessible through compromised processes.

Source: SecurityAffairs article

📰 Original Source
https://securityaffairs.com/191442/security/u-s-cisa-adds-microsoft-windows-shell-and-connectwise-screenconnect-flaws-to-its-known-exploited-vulnerabilities-catalog.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

Monitor Your Vendor Risk with LiveThreat™

Get automated breach alerts, security scorecards, and intelligence briefs when your vendors are compromised.

Start Free Trial → Learn About Scorecards
← All Intelligence Briefs Breach Watch Feed →