Two high-severity vulnerabilities, a zero-click Windows Shell credential theft flaw and a legacy ConnectWise ScreenConnect path traversal bug, have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, triggering a mandatory remediation deadline for U.S. federal agencies by May 12, 2026.
Both CVE-2026-32202 and CVE-2024-1708 were added to the KEV catalog on April 28, 2026, citing confirmed active exploitation in the wild. The dual listing reflects a rapidly shifting threat landscape in which both newly discovered and long-standing vulnerabilities continue to be weaponized against enterprise environments.
Federal Civilian Executive Branch (FCEB) agencies are required under BOD 22-01 to patch or apply mitigations before the May 12, 2026, deadline.
CVE-2026-32202: Windows Shell Credential Theft
At the center of the most urgent disclosure is CVE-2026-32202, a protection mechanism failure in Microsoft Windows Shell that allows an unauthenticated remote attacker to perform network-based spoofing and, under the right conditions, steal user credentials without any visible interaction.
Assigned a CVSS score of 4.3, the vulnerability may appear modest on paper, but its real-world impact is far more severe than the score suggests. CVE-2026-32202 has been identified as incomplete patch residue: a direct byproduct of an insufficient fix for the earlier CVE-2026-21510, which was patched in February 2026.
The exploitation mechanism is technically elegant and alarming. When a victim opens a specially crafted Windows Shortcut (LNK) file, Windows Shell processes a Universal Naming Convention (UNC) path such as \\attacker.com\share\payload.cpl.
The system automatically initiates an SMB (Server Message Block) connection to the attacker-controlled server, triggering an automatic NTLM authentication handshake.
During this handshake, the victim’s system transmits a Net-NTLMv2 hash to the attacker’s server, effectively leaking hashed credentials without the user receiving any warning or prompt. These hashes can then be leveraged in NTLM relay attacks or subjected to offline cracking to recover plaintext passwords, enabling full lateral movement across a targeted network.
What makes this particularly dangerous is the zero-click vector: “CVE-2026-32202 caused the victim to authenticate to the attacker’s server without user interaction,” as reported. The attack chain requires neither elevated privileges nor complex configuration, only network access and a victim who opens a malicious file, a condition easily met through phishing campaigns.
The broader attack campaign exploiting Windows Shell namespace parsing has been linked to APT28 (Fancy Bear). This Russian state-sponsored threat group leveraged related LNK-based vulnerabilities in a December 2025 campaign targeting Ukraine and European Union nations.
The group used malicious CPL objects loaded via UNC paths to bypass Microsoft Defender SmartScreen and execute attacker-controlled code.
Initially, an advisory was published for CVE-2026-32202 on April 14, 2026, with an incorrect exploitability index. On April 27, 2026, Microsoft revised its advisory to update the exploitability status, risk classification, and CVSS vector, acknowledging active exploitation in the wild. A patch was issued as part of the April 2026 Patch Tuesday update cycle.
CVE-2024-1708: ConnectWise ScreenConnect
The second vulnerability added to CISA’s KEV is CVE-2024-1708, a high-severity path traversal flaw (CWE-22) in ConnectWise ScreenConnect versions 23.9.7 and prior, carrying a CVSS score of 8.4. Originally disclosed in February 2024, its re-addition to CISA KEV in April 2026 signals renewed exploitation activity targeting unpatched or legacy installations.
Also known as the “ZipSlip” vulnerability and the second half of the notorious “SlashAndGrab” exploit chain, CVE-2024-1708 exploits inadequate path validation in ScreenConnect’s ZIP archive extraction process.
An attacker with elevated privileges can craft a malicious ZIP file with internal paths like ../../../Windows/Temp/malware, causing files to be written outside the intended directory.
Successful exploitation can enable remote code execution (RCE) or direct access to confidential data and critical systems. The danger is amplified by ScreenConnect’s widespread deployment among Managed Service Providers (MSPs) and IT support teams.
A successful attack can cascade downstream to dozens or hundreds of client environments managed through a single ScreenConnect instance.
The full exploit chain combining CVE-2024-1708 with its critical companion CVE-2024-1709 (CVSS 10.0 authentication bypass) was previously used by North Korean threat actors to deploy a novel malware variant called TODDLERSHARK.
The path traversal flaw is detectable through suspicious file system events targeting ScreenConnect paths and manipulated file_path and file_name URL parameters.
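The following is an added example, not ScreenConnect code or the article's own: it applies the hardened path validation that the ZipSlip flaw lacked to a constructed ZIP archive (including the ../../../Windows/Temp/malware entry quoted above) and reuses the same rule to flag traversal sequences in file_path and file_name query parameters. The extraction root, the archive contents and the URL are assumptions.

```python
import io
import posixpath
import zipfile
from urllib.parse import parse_qs, unquote, urlsplit

DEST_ROOT = "/srv/screenconnect/extract"  # assumed extraction directory (constructed)

def has_traversal(path):
    """True if a ZIP entry name or URL parameter value tries to leave its base directory."""
    norm = path.replace("\\", "/")                   # attackers mix separators
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True                                   # absolute or drive-letter path
    return ".." in norm.split("/")                    # any '..' segment is rejected outright

def resolve_entry(entry_name, dest_root=DEST_ROOT):
    """Hardened check: the destination path for an entry, or None if it would escape dest_root."""
    if has_traversal(entry_name):
        return None
    joined = posixpath.normpath(posixpath.join(dest_root, entry_name.replace("\\", "/")))
    # Defence in depth: the normalised result must still sit under the root.
    return joined if joined == dest_root or joined.startswith(dest_root + "/") else None

def audit_archive(zip_bytes, dest_root=DEST_ROOT):
    """Classify every entry before extracting anything: ({name: dest}, [rejected names])."""
    accepted, rejected = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            dest = resolve_entry(name, dest_root)
            if dest is None:
                rejected.append(name)
            else:
                accepted[name] = dest
    return accepted, rejected

def suspicious_params(url, watched=("file_path", "file_name")):
    """Names of watched query parameters whose (double-decoded) values carry traversal."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in watched for v in params.get(k, []) if has_traversal(unquote(v)))

def build_sample_zip():
    """Constructed archive mixing a benign entry with ZipSlip-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/manifest.xml", "<ok/>")
        zf.writestr("../../../Windows/Temp/malware", "x")     # the traversal quoted in the article
        zf.writestr("..\\..\\sibling\\evil.dll", "x")          # backslash variant
        zf.writestr("C:\\Windows\\Temp\\abs.dll", "x")         # drive-letter absolute path
    return buf.getvalue()
```

Running audit_archive over the sample archive accepts only the manifest entry and rejects the other three before a single byte is written to disk.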
Mitigation
Organizations must act immediately, given the active exploitation status of both CVEs. Key actions include:
- CVE-2026-32202: Apply April 2026 Patch Tuesday security updates immediately; prioritize systems where LNK file handling is common.
- CVE-2024-1708: Upgrade ConnectWise ScreenConnect to version 23.9.8 or later; if patching is not feasible, discontinue use of the product per CISA BOD 22-01 guidance.
- Implement SMB traffic filtering at the network perimeter to reduce NTLMv2 hash exposure via CVE-2026-32202.
- Deploy NTLM relay attack detection rules and consider enforcing SMB signing across all endpoints.
- Monitor file system events for path traversal sequences in ScreenConnect-related directories using endpoint detection tools.
- Apply network segmentation to limit lateral movement if credentials are compromised via NTLM coercion.
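As an added illustration of the SMB filtering and detection items above (example code, not from the article or any vendor): the LNK-to-UNC chain described for CVE-2026-32202 only leaks a Net-NTLMv2 hash if the victim can complete an SMB connection to an external host, so a defender can hunt for allowed outbound SMB in perimeter firewall logs. The log format, the internal address ranges and the log lines are constructed; documentation ranges stand in for Internet hosts.

```python
import ipaddress
import re

SMB_PORTS = {445, 139}  # SMB over TCP and NetBIOS session service
# Address ranges this (hypothetical) organisation treats as internal; anything else is egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed firewall log lines in a simple key=value format (not from any real product).
# Documentation ranges (203.0.113.x, 192.0.2.x, 198.51.100.x) stand in for Internet hosts.
SAMPLE_LOG = """\
2026-04-28T10:01:02Z src=10.1.2.3 dst=10.1.2.50 proto=tcp dport=445 action=allow
2026-04-28T10:01:05Z src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=445 action=allow
2026-04-28T10:01:07Z src=10.1.2.9 dst=198.51.100.7 proto=tcp dport=443 action=allow
2026-04-28T10:01:09Z src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=139 action=allow
2026-04-28T10:02:11Z src=10.1.2.17 dst=192.0.2.44 proto=tcp dport=445 action=deny
"""

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event

def is_smb_egress(event):
    """True for SMB connections whose destination lies outside the internal ranges."""
    if event["proto"] != "tcp" or event["dport"] not in SMB_PORTS:
        return False
    dst = ipaddress.ip_address(event["dst"])
    return not any(dst in net for net in INTERNAL_NETS)

def find_smb_egress(log_text):
    """Split SMB egress into allowed connections (alert: possible hash leak) and denied ones."""
    alerts, blocked = [], []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_smb_egress(event):
            continue
        record = (event["ts"], event["src"], event["dst"], event["dport"])
        (alerts if event["action"] == "allow" else blocked).append(record)
    return alerts, blocked
```

On the sample data the two allowed connections from 10.1.2.3 to 203.0.113.5 are the alerts worth triaging; the denied one shows what the perimeter rule is meant to produce.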
FCEB agencies face a hard deadline of May 12, 2026, to apply mitigations or discontinue use of affected products per CISA’s mandatory directive.
FAQ
Q1. What is CVE-2026-32202?
A protection mechanism failure in Windows Shell that lets unauthenticated attackers steal Net-NTLMv2 credential hashes via zero-click SMB authentication coercion triggered by malicious LNK files.
Q2. Is CVE-2026-32202 actively exploited in the wild?
Yes, Microsoft confirmed active exploitation on April 27, 2026, and CISA added it to the KEV catalog on April 28, 2026, with a mandatory remediation deadline of May 12, 2026.
Q3. What versions of ConnectWise ScreenConnect are affected by CVE-2024-1708?
All ConnectWise ScreenConnect versions 23.9.7 and prior are vulnerable; organizations must upgrade to version 23.9.8 or later to remediate the path traversal flaw.
Q4. Can CVE-2024-1708 be used to deploy ransomware?
Yes, the SlashAndGrab exploit chain combining CVE-2024-1708 and CVE-2024-1709 has been observed enabling RCE on ScreenConnect servers, with threat actors, including North Korean groups, deploying malware and ransomware.
Site: https://thecybrdef.com