The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding two high-stakes flaws that are currently being weaponized by state-sponsored threat actors from North Korea and Russia. These vulnerabilities represent significant risks to both government and corporate networks, as attackers pivot from initial access to long-term espionage.
The first is CVE-2024-1708, a path-traversal vulnerability in ConnectWise ScreenConnect rated CVSS 8.4. The flaw lets an attacker write files outside the directory the server intends, which can lead to remote code execution or the compromise of critical systems. One caveat worth noting: on its own the traversal requires high privileges on the server, and in the attacks observed in early 2024 it was chained with the authentication bypass CVE-2024-1709 (CVSS 10.0) that ConnectWise fixed in the same release.
The North Korean state-sponsored group Kimsuky (also tracked as Thallium and Velvet Chollima) exploited the flaw to deploy ToddlerShark, a new polymorphic variant of the group's BabyShark malware family.
ToddlerShark is built for long-term intelligence gathering. It runs through legitimate Microsoft binaries such as mshta.exe to blend in with normal activity, modifies registry keys to weaken security settings, and re-launches itself through scheduled tasks. Its polymorphism (identifiers, strings and code layout that change from sample to sample) is aimed at defeating signature-based detection.
ConnectWise has urged all on-premises users to upgrade their servers to version 23.9.8 or later immediately; cloud-hosted instances were patched by the vendor.
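The behaviours described above are what a hunt query should key on: a ScreenConnect process spawning a living-off-the-land binary, a scheduled task whose action is a script host, and registry or PowerShell commands that weaken Defender. The script below is an added example for this article and is not code from ConnectWise, Kroll, or any vendor; it runs three such rules over constructed process-creation records (Sysmon Event ID 1 style) and adds a version check against the 23.9.8 fix. The process names, LOLBin list, tamper markers, sample records and version-string format are assumptions chosen to illustrate the technique, not published ToddlerShark indicators.

```python
"""Hunt for ToddlerShark-style post-exploitation activity behind ScreenConnect.

Added example; not from the article, ConnectWise, Kroll, or any vendor.
Process names, command lines and sample records are assumptions for
illustration, not published indicators of compromise.
"""
import re

# Windows binaries that malware commonly abuses to run scripts or stage payloads
# (assumption: a representative list, not exhaustive).
LOLBINS = {
    "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
_LOLBIN_RE = re.compile(
    r"\b(" + "|".join(re.escape(b[:-4]) for b in sorted(LOLBINS)) + r")(\.exe)?\b"
)

# Command-line fragments that indicate tampering with Defender settings
# (assumption: representative markers only).
DEFENDER_TAMPER = (
    "disableantispyware", "disablerealtimemonitoring", "set-mppreference",
    r"policies\microsoft\windows defender",
)

# Constructed process-creation records; nothing here is from a real host.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "C:\\Users\\Public\\update.hta"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 15 /tn "WindowsUpdateCheck" '
                '/tr "mshta.exe C:\\Users\\Public\\u.hta" /f'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                r'/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"parent": r"C:\Program Files\ScreenConnect\Bin\ScreenConnect.Service.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_screenconnect(path: str) -> bool:
    # Assumption: the server service (ScreenConnect.Service.exe) and the client
    # binaries (ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe)
    # all share this prefix.
    return basename(path).startswith("screenconnect.")


def triage(events):
    """Apply three hunt rules to process-creation events and return the hits."""
    hits = []
    for idx, ev in enumerate(events):
        image = basename(ev["image"])
        cl = ev["cmdline"].lower()
        # Rule 1: a ScreenConnect process spawning a LOLBin. Legitimate remote
        # sessions can do this too, so treat it as a lead, not proof.
        if is_screenconnect(ev["parent"]) and image in LOLBINS:
            hits.append({"index": idx, "rule": "screenconnect_spawned_lolbin", "image": image})
        # Rule 2: a scheduled task whose action is itself a LOLBin (persistence).
        if image == "schtasks.exe" and "/create" in cl and _LOLBIN_RE.search(cl):
            hits.append({"index": idx, "rule": "scheduled_task_runs_lolbin", "image": image})
        # Rule 3: reg.exe or PowerShell weakening Defender (lowering defenses).
        if image in ("reg.exe", "powershell.exe") and any(m in cl for m in DEFENDER_TAMPER):
            hits.append({"index": idx, "rule": "defender_tamper", "image": image})
    return hits


FIXED_VERSION = (23, 9, 8)


def needs_patch(version: str) -> bool:
    """True if a ScreenConnect server version string (e.g. '23.9.7.8811') is older than 23.9.8."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts[:3]) < FIXED_VERSION


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['rule']} ({hit['image']})")
    for v in ("23.9.7.8811", "23.9.8.8811", "24.1.0.9011"):
        print(v, "needs patch" if needs_patch(v) else "ok")
```

Rule 1 is deliberately noisy: an administrator using ScreenConnect's command tab will also spawn cmd.exe, so the hit should be joined with the session's origin and the task/registry hits from the same host before anyone calls it an incident.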
The second addition is CVE-2026-32202, a protection-mechanism failure in Windows Shell that Microsoft has confirmed is being exploited in the wild. Although it initially carried a lower CVSS score, Microsoft classifies it as a spoofing vulnerability through which an unauthenticated attacker can obtain sensitive information over a network.
Researchers traced the bug to an incomplete patch for an earlier vulnerability, CVE-2026-21510: the original fix did not fully close the hole.
The Russian nation-state group APT28 (also known as Fancy Bear) has been weaponizing this class of vulnerability, often pairing Windows Shell flaws with MSHTML Framework vulnerabilities to build a potent exploit chain.
Because exploitation is ongoing, CISA has, under Binding Operational Directive 22-01, ordered Federal Civilian Executive Branch (FCEB) agencies to remediate this flaw by May 12, 2026.