On April 28, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These additions, CVE-2024-1708 affecting ConnectWise ScreenConnect and CVE-2026-32202 affecting Microsoft Windows, are based on evidence of active exploitation in the wild.
For defenders, this is not a drill. The presence in the KEV Catalog signals that malicious cyber actors are already using these flaws to gain initial access or move laterally within federal and civilian networks. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the specified due dates. However, the risk extends far beyond the federal government—private sector organizations relying on remote management software or Windows infrastructure are equally in the crosshairs.
Technical Analysis
CVE-2024-1708: ConnectWise ScreenConnect Path Traversal
ConnectWise ScreenConnect (now ConnectWise Control) is a widely used remote support and access solution.
- Affected Product: ConnectWise ScreenConnect versions prior to 23.9.7 (and potentially legacy versions).
- Vulnerability Type: Path Traversal (CWE-22).
- Impact: Remote Code Execution (RCE).
How it works: The vulnerability allows an unauthenticated attacker to perform a path traversal attack via a specific HTTP request. By exploiting this flaw, an attacker can write malicious files (typically a webshell, such as Shell.aspx) to the web server's root directory. Once written, the attacker can execute arbitrary code under the context of the ScreenConnect service, which often runs with elevated SYSTEM privileges. This CVE is frequently chained with authentication bypass vulnerabilities (like CVE-2024-1709) to achieve full compromise without user interaction.
CVE-2026-32202: Microsoft Windows Protection Mechanism Failure
- Affected Product: Microsoft Windows (widely deployed across supported versions).
- Vulnerability Type: Protection Mechanism Failure (CWE-693).
- Impact: Security Bypass / Privilege Escalation.
How it works: This vulnerability represents a failure in the OS's core security controls, allowing an attacker to bypass intended protection mechanisms. While specific technical details are emerging to prevent further copycat attacks, failures of this nature typically allow malicious code to circumvent Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), or Control Flow Guard (CFG). This effectively turns a memory corruption vulnerability (which might otherwise just crash the application) into a reliable exploit for Remote Code Execution.
Detection & Response
Defenders must assume that initial scanning or exploitation attempts are already occurring. The following detection rules and hunt queries are designed to identify the immediate aftermath of exploitation for these specific CVEs.
Sigma Rules
---
title: ConnectWise ScreenConnect Webshell Creation
id: 9c2e8b1a-3d4f-4a5e-9b6c-1d2e3f4a5b6c
status: experimental
description: Detects the creation of suspicious .aspx files in the ConnectWise ScreenConnect web directory, a common indicator of CVE-2024-1708 exploitation.
references:
- https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/29
tags:
- attack.initial_access
- attack.t1505.003
logsource:
category: file_creation
product: windows
detection:
selection:
TargetFilename|contains:
- '\Program Files (x86)\ScreenConnect\App_Web\'
- '\Program Files\ScreenConnect\App_Web\'
TargetFilename|endswith:
- '.aspx'
- '.ashx'
condition: selection
falsepositives:
- Legitimate administrative updates by vendor
level: critical
---
title: ConnectWise ScreenConnect Process Spawning Shell
id: 8b1e9c2a-4e5f-5b6a-0c1d-2e3f4a5b6c7d
status: experimental
description: Detects the ScreenConnect service spawning cmd.exe or powershell.exe, indicative of successful RCE via CVE-2024-1708.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/29
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- 'ScreenConnect.ClientService'
- 'ScreenConnect.Service'
- 'ConnectWise.Control'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative scripting by support staff
level: high
---
title: Windows Protection Mechanism Bypass - Suspicious Kernel Object Access
id: 7d0e8b1a-5f6e-6c7b-1d2e-3f4a5b6c7d8e
status: experimental
description: Detects potential exploitation of CVE-2026-32202 via unusual process access patterns often associated with bypassing ASLR/DEP protections.
references:
- https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/29
tags:
- attack.defense_evasion
- attack.t1055.001
logsource:
category: process_access
product: windows
detection:
selection:
CallTrace|contains:
- 'ntdll.dll'
- 'kernel32.dll'
GrantedAccess|contains:
- 'PROCESS_VM_WRITE'
- 'PROCESS_VM_OPERATION'
SourceImage|endswith:
- '\unknown.exe'
- '\temp\'
filter:
SourceImage|contains:
- 'Program Files'
- 'Program Files (x86)'
condition: selection and not filter
falsepositives:
- Legitimate debuggers
level: medium
KQL (Microsoft Sentinel)
// Hunt for ConnectWise ScreenConnect exploitation indicators
// Looks for webshell drops and suspicious child processes
let ScreenConnectPaths = dynamic(["C:\\Program Files\\ScreenConnect", "C:\\Program Files (x86)\\ScreenConnect"]);
DeviceProcessEvents
| where (FolderPath in~ ScreenConnectPaths or InitiatingProcessFolderPath in~ ScreenConnectPaths)
| where ProcessVersionInfoInternalFileName in~("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for ConnectWise ScreenConnect webshells (CVE-2024-1708)
-- Looks for recently created .aspx or .ashx files in App_Web directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs="*/App_Web/**/*.aspx", root="C:/")
WHERE Mtime > now() - 7d
OR Size < 50KB
-- Hunt for suspicious child processes of ScreenConnect
SELECT Pid, Name, Exe, CommandLine, Parent.Pid AS ParentPid, Parent.Name AS ParentName, CreateTime
FROM pslist()
WHERE Parent.Name =~ "ScreenConnect"
AND Name =~ "cmd|powershell|pwsh"
Remediation Script (PowerShell)
# Remediation Script for CVE-2024-1708
# Checks ScreenConnect version and hunts for known webshell artifacts
Write-Host "[+] Checking ConnectWise ScreenConnect Version..." -ForegroundColor Cyan
# Define registry paths for version info
$regPaths = @(
"HKLM:\SOFTWARE\Wow6432Node\ScreenConnect",
"HKLM:\SOFTWARE\ScreenConnect"
)
$installedVersion = $null
foreach ($path in $regPaths) {
if (Test-Path $path) {
$installedVersion = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue)."Version"
if ($installedVersion) {
Write-Host "[!] Detected ScreenConnect Version: $installedVersion" -ForegroundColor Yellow
}
}
}
# Check for vulnerable versions (Simplified logic for 23.9.8+)
# Logic: Versions below 23.9.7 are vulnerable
if ($installedVersion) {
$parts = $installedVersion.Split('.')
$major = [int]$parts[0]
$minor = [int]$parts[1]
$patch = [int]$parts[2]
if ($major -lt 23 -or ($major -eq 23 -and $minor -lt 9) -or ($major -eq 23 -and $minor -eq 9 -and $patch -lt 8)) {
Write-Host "[CRITICAL] Vulnerable version detected. Patch to 23.9.8 or higher immediately." -ForegroundColor Red
} else {
Write-Host "[OK] Version appears patched." -ForegroundColor Green
}
}
# IOCs for CVE-2024-1708 Webshells
$webshellPaths = @(
"C:\Program Files\ScreenConnect\App_Web\Shell.aspx",
"C:\Program Files\ScreenConnect\App_Web\Upload.aspx",
"C:\Program Files\ScreenConnect\App_Web\bin\ScreenConnect.Client.dll",
"C:\Program Files (x86)\ScreenConnect\App_Web\Shell.aspx"
)
Write-Host "[+] Scanning for known webshell artifacts..." -ForegroundColor Cyan
$foundThreat = $false
foreach ($path in $webshellPaths) {
if (Test-Path $path) {
Write-Host "[!!!] POTENTIAL WEBSHELL FOUND AT: $path" -ForegroundColor Red
$foundThreat = $true
# Optional: Remove file (CAUTION)
# Remove-Item -Path $path -Force
}
}
if (-not $foundThreat) {
Write-Host "[OK] No common webshell artifacts found." -ForegroundColor Green
}
Remediation
CVE-2024-1708 (ConnectWise ScreenConnect)
- Patch Immediately: Update to ScreenConnect version 23.9.8 or later.
- Official Advisory: ConnectWise Security Advisory
- Workarounds: If patching is delayed immediately, restrict access to the ScreenConnect web interface to specific management IP ranges via firewall rules. Disable the service if not in active use.
- CISA Due Date: May 19, 2026 (per BOD 22-01).
CVE-2026-32202 (Microsoft Windows)
- Patch Immediately: Apply the latest security updates from Microsoft for your specific Windows version (updates released in the April 2026 Patch Tuesday cycle).
- Official Advisory: Microsoft Security Update Guide
- Workarounds: There are no practical workarounds for protection mechanism failures other than patching. Ensure Attack Surface Reduction (ASR) rules and other EDR controls are enabled to mitigate potential exploitation chains.
- CISA Due Date: May 19, 2026 (per BOD 22-01).
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.