Two vulnerabilities — one in ConnectWise ScreenConnect, another in Microsoft Windows — are now officially being exploited in the wild, and CISA has added them to its Known Exploited Vulnerabilities (KEV) catalog as of April 29, 2026. This isn’t speculative. It’s not a theoretical risk. Attackers are already using these flaws to breach systems. The update means federal agencies have until May 20, 2026, to patch, but the warning applies just as urgently to every organization running these tools.
Key Takeaways
- CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect, has been actively exploited and now sits in CISA’s KEV catalog with a CVSS score of 8.4.
- A second Windows vulnerability, though not fully detailed in the public update, is also under active attack and now subject to federal patching mandates.
- Inclusion in the KEV catalog means exploitation is confirmed, not suspected — a critical distinction for incident responders.
- Organizations have 21 days from April 29, 2026, to remediate or risk non-compliance with binding CISA directives.
- ConnectWise ScreenConnect is widely used in managed service provider (MSP) environments, increasing blast radius if left unpatched.
The KEV Catalog Isn’t a Suggestion — It’s a Red Flag
CISA doesn’t toss vulnerabilities into the KEV catalog on a hunch. Each entry requires evidence of active exploitation. That threshold has now been met for both CVE-2024-1708 and the unnamed Windows flaw. The catalog isn’t just a reference list. It’s a legally enforceable directive for federal agencies. But it’s also a flashing neon sign for every security team in the private sector: this is happening right now.
The inclusion on April 29, 2026, means someone, somewhere, is already inside networks using these bugs. Maybe they’re stealing data. Maybe they’re establishing persistence. Maybe they’re moving laterally toward something worse. What’s certain is that the window between detection and widespread compromise is shrinking.
This isn’t the first time ConnectWise has shown up in KEV. That’s what makes this so frustrating. The company’s remote access tools have been a repeated target. The same goes for Windows components that expose attack surfaces through legacy code or overly permissive defaults. These aren’t zero-day surprises. They’re the same categories of flaws we’ve seen for years — and yet, they keep getting exploited.
CVE-2024-1708: Path Traversal in ScreenConnect
The more detailed of the two is CVE-2024-1708. It’s a path traversal vulnerability in ConnectWise ScreenConnect, the remote support platform used by thousands of MSPs to manage client systems. A CVSS score of 8.4 places it firmly in the “high severity” range — disruptive, but not catastrophic on its own. But in context? It’s a backdoor into entire client networks.
Here’s how it likely works: an attacker sends a specially crafted request that manipulates file path inputs, allowing them to read or write files outside the intended directory. In a remote access tool, that’s like handing someone a skeleton key to your server room. If authentication is weak or misconfigured, the attacker doesn’t need credentials — they just walk in.
ScreenConnect is particularly dangerous in this context because it’s designed to have broad access. It runs with elevated privileges. It bypasses firewalls. It’s trusted by endpoint protection tools. Once compromised, it becomes a pivot point. That’s why attackers love it. That’s why CISA is acting.
Why Path Traversal Still Matters in 2026
You’d think we’d have fixed path traversal by now. It’s not exactly a new bug class. It’s been around since the 1990s. And yet, here we are — 2026 — and it’s still getting companies owned.
The reason? Complexity. Apps like ScreenConnect handle file operations, session logs, and plugin integrations across multiple directories. When input validation is skipped or inconsistently applied, a single malformed string can jump from /var/log to /etc/passwd. Developers assume the OS or framework will block it. It doesn’t. Or they trust user input because it’s “internal.” It isn’t.
What’s more, ScreenConnect environments are often shared across clients. A single unpatched instance doesn’t just risk one network — it risks dozens. That’s the MSP multiplier effect. One flaw, hundreds of victims.
Windows Joins the List — Again
The second flaw targets Microsoft Windows, though CISA hasn’t released technical details beyond confirming active exploitation. That’s standard — they often withhold specifics to avoid tipping off attackers who aren’t already using it. But the pattern is familiar. Windows components, especially those exposed to networks or user interaction, are perennial targets.
Given the timing and the KEV update, it’s likely a privilege escalation or remote code execution flaw. Maybe in a service, maybe in the kernel. Whatever it is, it’s being used. And that means unpatched Windows systems — especially servers or workstations with internet-facing services — are now at higher risk.
Microsoft typically patches these in monthly updates. If this flaw hasn’t been fixed yet, it could be waiting for Patch Tuesday. If it has, then the real issue is adoption. Because we know the problem isn’t always the patch — it’s whether anyone applies it.
The 21-Day Clock Starts Now
CISA mandates that federal agencies remediate KEV-listed flaws within 21 days of publication. That clock started ticking on April 29, 2026. The deadline is May 20, 2026. Failure to comply can trigger oversight from the Office of Management and Budget (OMB). But again, this isn’t just about federal IT. It’s about every team that uses these products.
Consider this: the average enterprise takes 68 days to patch critical vulnerabilities, according to prior CISA data. That’s more than three times longer than the KEV window. In that gap, attackers do their work. They probe. They exploit. They exfiltrate.
And let’s be clear — attackers are monitoring the KEV list too. When CISA adds a flaw, it’s like ringing a dinner bell. Suddenly, every script kiddie and APT group knows where to look. The window of maximum risk opens the moment the announcement drops.
- CVE-2024-1708 affects ConnectWise ScreenConnect instances with unpatched versions.
- Attackers can achieve remote file read/write via crafted HTTP requests.
- KEV inclusion confirms real-world exploitation, not theoretical risk.
- Federal patching deadline: May 20, 2026.
- Windows flaw details remain under disclosure control, but exploitation is confirmed.
ConnectWise’s History Isn’t Helping
Let’s not pretend this is the first time ConnectWise has been on CISA’s radar. In 2023, another ScreenConnect flaw — CVE-2023-26035 — was added to KEV after widespread exploitation by ransomware groups. That one was also a path traversal bug. Same category. Same impact. Now, two years later, we’re repeating the cycle.
That’s not just bad luck. That’s a pattern. And it raises real questions about how ConnectWise handles security in its development lifecycle. Are they conducting threat modeling? Are they fuzzing inputs? Are they applying secure coding standards across the board?
It’s not that ScreenConnect is inherently flawed. It’s a powerful tool. But with power comes attack surface. And when a product is used by MSPs to access hundreds of client networks, the bar for security has to be extremely high. Repeated KEV entries suggest that bar isn’t being met.
And yes, organizations have a responsibility to patch. But vendors have a responsibility to ship secure code. One without the other doesn’t work.
What This Means For You
If you run ConnectWise ScreenConnect, check your version now. If it’s not patched against CVE-2024-1708, you’re exposed. Assume exploitation is happening. Assume attackers are already scanning for unpatched instances. Update immediately. Restrict network access. Enforce MFA. Treat every ScreenConnect endpoint like a crown jewel — because in an MSP environment, it is.
For Windows, review your patching cadence. If you’re waiting for a change freeze or a maintenance window, reconsider. The KEV list means the exploit is public, active, and likely spreading. If there’s no patch yet, monitor for IOCs and restrict vulnerable services. If there is a patch, deploy it yesterday. This isn’t a “when convenient” situation. It’s a “right now” one.
And if you’re a developer building remote access tools, take note: path traversal isn’t a beginner mistake you grow out of. It’s a fundamental failure in input validation. Every file path operation needs sanitization. Every directory traversal attempt needs logging. Every user input needs skepticism. Because when your tool gets added to KEV, it’s not just a bug report — it’s a public indictment.
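The file-path handling the article describes (the naive join in the ScreenConnect section, the skipped validation in the "Why Path Traversal Still Matters" section, and the sanitise-and-log advice just above), as an added Python example that is not the article's or ConnectWise's code: the vulnerable join beside a hardened resolver that normalises, checks containment and records every rejected attempt. The root directory and inputs are constructed, and the hardened version also goes a little beyond the text by rejecting absolute paths and sibling-directory prefix collisions, two cases a plain `startswith` check misses.

```python
import logging
import os
from pathlib import Path

log = logging.getLogger("pathguard")
# In-memory audit trail of rejected inputs; a real service would ship these to its SIEM.
traversal_attempts: list[str] = []
# Constructed example root, standing in for the directory a remote-support server
# serves session logs or file transfers from.
ROOT = Path("/srv/app/files")


def vulnerable_resolve(root: Path, user_path: str) -> str:
    """The naive join path-traversal bugs are made of: '..' components walk out
    of root, and an absolute input makes os.path.join discard root entirely."""
    return os.path.normpath(os.path.join(os.fspath(root), user_path))


def _reject(user_path: str, resolved: str) -> None:
    traversal_attempts.append(user_path)
    log.warning("path traversal attempt: %r -> %r", user_path, resolved)
    raise PermissionError(f"refusing path outside root: {user_path!r}")


def safe_resolve(root: Path, user_path: str) -> Path:
    """Resolve user_path under root or raise PermissionError. Must be called on the
    fully URL-decoded value; checking earlier lets '..%2f' sequences through."""
    base = os.path.normpath(os.fspath(root))
    # Reject inputs that can never be a legitimate relative name under root: NUL
    # bytes (truncate C-level APIs), absolute paths, and backslashes (a separator
    # on Windows hosts, where most remote-support servers run).
    if "\x00" in user_path or user_path.startswith("/") or "\\" in user_path:
        _reject(user_path, user_path)
    candidate = os.path.normpath(os.path.join(base, user_path))
    # Containment check on normalised paths. commonpath, not startswith:
    # '/srv/app/files2' starts with '/srv/app/files' but lies outside it.
    if os.path.commonpath([base, candidate]) != base:
        _reject(user_path, candidate)
    return Path(candidate)


def is_allowed(root: Path, user_path: str) -> bool:
    """Yes/no wrapper around safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(root, user_path)
        return True
    except PermissionError:
        return False
```

Symlinks inside the root are a separate problem: a resolver like this one keeps the textual path inside the root, but a link planted under it can still point elsewhere, so file-serving code should also open with a resolved, link-checked path.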
How many times do we have to see the same flaw, in the same type of software, exploited at scale before we treat input validation like oxygen?
Sources: The Hacker News, original report