The Cybersecurity and Infrastructure Safety Company added two main software program flaws to its Recognized Exploited Vulnerabilities (KEV) catalog on Tuesday, acknowledging the proof that hackers have been utilizing the bugs in latest assaults.
CISA added CVE-2024-1708, a high-severity flaw in ConnectWise’s ScreenConnect remote-access device, and CVE-2026-32202, a medium-severity flaw within the Home windows Shell person interface, to its KEV catalog. Federal businesses have till Could 12 to patch the 2 bugs.
The ScreenConnect path-traversal vulnerability might enable a hacker to remotely execute code or tamper with delicate information, whereas the Home windows vulnerability, the results of a faulty safety mechanism, might enable attackers to impersonate legit customers.
CISA’s addition of the Home windows vulnerability got here in the future after Microsoft confirmed that hackers had been exploiting the flaw.
CVE-2026-32202 is the results of an incomplete patch for a previous Home windows Shell vulnerability, CVE-2026-21510, which the Russia-linked hacking group APT28 utilized in a cyberattack campaign towards Ukraine and different European nations in December, Akamai said last week.
The ConnectWise vulnerability, CVE-2024-1708, has featured in a number of cyberattacks over the previous few years, together with a North Korea–linked campaign and ransomware attacks by China-linked cybercriminals. Hackers have been pairing CVE-2024-1708 with one other high-severity ConnectWise flaw, CVE-2024-1709, to bypass the remote-access software program’s authentication mechanisms.