CISA KEV: Windows and ScreenConnect Added to List of Exploited Vulnerabilities
CISA adds CVE-2024-1708 and CVE-2026-32202 to the KEV catalog. Russian APT28 and Chinese Storm-1175 leverage these flaws for espionage and ransomware.

CISA's Known Exploited Vulnerabilities (KEV) catalog has been updated with two new entries that tell very different stories of the global cyber landscape. On Tuesday, April 28, 2026, the U.S. agency added two actively exploited vulnerabilities: one involves ConnectWise ScreenConnect, the other Microsoft Windows Shell. Behind these technical identifiers lies a confrontation between Russian state actors and Chinese criminal groups operating with different goals and methods.
The two vulnerabilities added to the KEV catalog
The first vulnerability, CVE-2024-1708, affects ConnectWise ScreenConnect with a CVSS score of 8.4. It is a path traversal flaw that was patched in February 2024. Despite the patch being available for over two years, the bug continues to be actively exploited: according to Microsoft, attacks leveraging CVE-2024-1708 have been linked to a China-based threat actor tracked as Storm-1175 in attacks distributing Medusa ransomware.
The second vulnerability, CVE-2026-32202, affects Microsoft Windows Shell with a CVSS score of 4.3, patched in April 2026. The peculiarity of this flaw lies in its origin: it stems from an incomplete patch for CVE-2026-21510. Akamai explained that the vulnerability arises precisely from this partial intervention by Microsoft.
The Russian track: APT28 and incomplete patches
According to Akamai, the exploitation of CVE-2026-21510 and CVE-2026-21513 has been attributed to the Russian group APT28 (also known as Fancy Bear or Sofacy) since early December 2025. The primary targets of this campaign are located in Ukraine and the European Union. The link between these CVEs and the new CVE-2026-32202 is direct: the latter arose specifically from the incomplete attempt to fix the original bug.
Microsoft has not revealed the nature of the attacks exploiting the Windows Shell vulnerability, but the context suggests espionage and cyber warfare purposes consistent with APT28's modus operandi. This is a recurring pattern in the threat landscape: state actors often target already known flaws or partial fixes to maintain access to strategic systems.
The Chinese track: Storm-1175 and Medusa ransomware
On the other side of the threat spectrum is Storm-1175, a China-based group that exploited CVE-2024-1708 to distribute Medusa ransomware in early April 2026. The campaign was documented by Microsoft, which tracked the operations of this threat actor.
The difference in approach is clear: while APT28 pursues geopolitical and intelligence objectives, Storm-1175 operates with criminal, financially motivated goals. ScreenConnect, remote access software widely used in corporate infrastructures, is an ideal target for ransomware distribution because it provides privileged access to the systems it manages.
The CVE-2024-1708 vulnerability is chained with CVE-2024-1709, which carries the maximum CVSS score of 10.0. The combination of the two flaws significantly increases the risk for organizations that have not applied the patches released over two years ago.
Deadlines and obligations for federal agencies
With the inclusion in the KEV catalog, Federal Civilian Executive Branch (FCEB) agencies have a specific deadline to take action. Remediation of the vulnerabilities is mandatory by May 12, 2026. The directive applies to all entities within the U.S. federal civilian executive branch.
For private organizations, inclusion in the KEV serves as a warning signal: the presence of concrete evidence of active exploitation elevates the priority of these bugs over the thousands of theoretical vulnerabilities that emerge every month. The KEV catalog acts as an operational compass for security teams, indicating where to concentrate mitigation resources.
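One way to turn the catalog into that compass, as an added example that is not from the article or from CISA: match a scanner's findings against the KEV feed and rank them by due date and known ransomware use. The field names follow CISA's published KEV JSON schema; the two entries, their descriptions, and the host inventory are constructed for the example (the due date is the one the article reports).

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are the
# real catalog schema; the entries themselves are built from the article's facts.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise",
         "product": "ScreenConnect", "dateAdded": "2026-04-28",
         "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2026-04-28",
         "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed asset inventory: host -> CVEs a scanner reported as unpatched.
INVENTORY = {
    "rmm-01": {"CVE-2024-1708", "CVE-2024-1709"},
    "ws-17": {"CVE-2026-32202"},
    "db-02": {"CVE-0000-00000"},  # placeholder id, not in the sample feed
}


def load_kev(feed_json):
    """Index the KEV feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory, kev, today):
    """Return one row per (host, CVE) present in KEV, most urgent first:
    overdue items, then known ransomware use, then soonest due date."""
    rows = []
    for host, cves in inventory.items():
        for cve in sorted(cves):
            entry = kev.get(cve)
            if entry is None:          # not in KEV: lower priority, skipped here
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({"host": host, "cve": cve, "product": entry["product"],
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "days_left": days_left, "overdue": days_left < 0})
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["days_left"]))
    return rows
```

Findings that are not in the catalog are left out of this list on purpose; they still need patching, but KEV entries carry evidence of exploitation and go first.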
The dual face of modern threats
The joint addition of these two vulnerabilities to the KEV catalog offers a representative snapshot of the current cyber landscape. On one hand, Russian state actors exploit flaws derived from incomplete remediation efforts to pursue espionage objectives in a context of active geopolitical conflict. On the other, Chinese criminal groups exploit long-known vulnerabilities to distribute ransomware and generate illicit profits.
The convergence of these two tracks in the same KEV update underscores that organizations must prepare for threats that differ in motivation and technique but are equally damaging. Protection requires both speed in applying patches and the ability to detect attacks that exploit seemingly resolved flaws.
Frequently Asked Questions
- What is the CISA KEV catalog?
- The Known Exploited Vulnerabilities Catalog is a list maintained by CISA that collects software vulnerabilities for which there is concrete evidence of active exploitation. Inclusion in the catalog triggers remediation obligations for U.S. federal agencies.
- What is the difference between APT28 and Storm-1175?
- APT28 is a Russian state actor group associated with espionage and cyber warfare operations, while Storm-1175 is a China-based group that operates with criminal intent, primarily for ransomware distribution.
- Why is CVE-2024-1708 still dangerous in 2026?
- Despite the patch being available since February 2024, many organizations have not applied the fix, allowing Storm-1175 to continue exploiting the vulnerability to distribute Medusa ransomware as recently as April 2026.
This article is a summary based exclusively on the sources listed.
Sources
- https://www.matricedigitale.it/2025/06/03/vulnerabilita-roundcube-screenconnect-router-asus-e-craft-cms-cisa-emana-avvisi-ics/
- https://www.matricedigitale.it/2026/03/19/cisa-kev-zimbra-sharepoint/
- https://www.matricedigitale.it/2026/04/26/cisa-kev-pack2theroot-linux-vulnerabilita-aws/
- https://www.matricedigitale.it/2026/04/16/nginx-ui-cve-2026-33032-takeover-server-cisa-kev-windows/
- https://www.matricedigitale.it/2026/04/14/cisa-aggiornamento-falles-sfruttate-adobe-microsoft-fortinet/