CISA KEV Adds Marimo RCE, ScreenConnect Path Traversal, and Windows Spoofing Flaws
CISA updated its Known Exploited Vulnerabilities catalog to add three vulnerabilities now tracked as actively exploited: CVE-2026-39987 in Marimo, CVE-2024-1708 in ConnectWise ScreenConnect, and CVE-2026-32202 in Microsoft Windows. The Marimo issue was added in a catalog update that raised the total count to 1,579 entries, while a later update increased the catalog to 1,585 entries and included the ScreenConnect and Windows flaws.
CISA described CVE-2026-39987 as an unauthenticated remote code execution vulnerability that can provide shell access and allow arbitrary system command execution before authorization, mapped to CWE-306. CVE-2024-1708 was listed as a ScreenConnect path traversal flaw that could enable remote code execution or directly affect confidential data and critical systems, and CVE-2026-32202 was identified as a Windows Shell protection mechanism failure that allows network spoofing by an unauthorized attacker. CISA directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable; remediation deadlines were set for 2026-05-07 for Marimo and 2026-05-12 for the ScreenConnect and Windows entries.
Timeline
Apr 28, 2026
CISA adds ScreenConnect and Windows flaws to KEV
CISA updated the KEV catalog on 2026-04-28, raising the total number of listed vulnerabilities from 1,583 to 1,585. The newly added entries were CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows, both assigned a remediation due date of 2026-05-12.
Apr 23, 2026
CISA adds Marimo RCE flaw CVE-2026-39987 to KEV
CISA updated the Known Exploited Vulnerabilities catalog on 2026-04-23, increasing the total from 1,578 to 1,579 entries. The new entry was CVE-2026-39987, a Marimo remote code execution vulnerability allowing unauthenticated attackers to gain shell access and execute arbitrary commands before authorization, with a remediation due date of 2026-05-07.
Related Stories

CISA Expands KEV Catalog With Actively Exploited Enterprise Software Flaws
CISA added 14 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog across two updates, citing evidence of active exploitation against widely used enterprise products from Fortinet, Microsoft, Adobe, Cisco, JetBrains, PaperCut, Kentico, Quest, and Zimbra. The newly listed flaws include issues in FortiClient EMS, Adobe Acrobat Reader, Microsoft Windows Common Log File System Driver, Microsoft Exchange Server, Host Process for Windows Tasks, Microsoft Visual Basic for Applications, JetBrains TeamCity, PaperCut NG/MF, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager, including privilege escalation, credential exposure, sensitive information disclosure, and cross-site scripting weaknesses. Reporting tied several of the vulnerabilities to real-world intrusion activity and ransomware operations. Microsoft said threat actor **Storm-1175** used `CVE-2023-21529` to deliver **Medusa ransomware**, while `CVE-2023-27351` has been linked to **Lace Tempest** deployments of **Cl0p** and **LockBit**. Defused Cyber also reported exploitation attempts against `CVE-2026-21643`, and CISA said federal civilian agencies must remediate the newly added flaws on deadlines running from late April into May 2026 under Binding Operational Directive requirements, while private-sector defenders were urged to prioritize the KEV entries for patching and exposure reduction.
4 days ago
CISA KEV Adds Exploited Flaws in Microsoft Excel, SharePoint, and Apache ActiveMQ
CISA updated its Known Exploited Vulnerabilities catalog to add three newly listed flaws affecting **Microsoft Office Excel**, **Microsoft SharePoint Server**, and **Apache ActiveMQ**. The additions increased the catalog total from 1,566 to 1,569 entries across two updates, with CISA identifying **`CVE-2009-0238`** as a remote code execution vulnerability in Excel, **`CVE-2026-32201`** as an improper input validation spoofing issue in SharePoint Server, and **`CVE-2026-34197`** as an improper input validation flaw in ActiveMQ that can enable code injection. CISA assigned federal remediation deadlines of **2026-04-28** for the Excel and SharePoint entries and **2026-04-30** for the ActiveMQ entry. The catalog records indicate that known ransomware use is **unknown** for all three vulnerabilities, while the ActiveMQ listing references both an Apache security advisory and the NVD entry, underscoring active exploitation concerns for widely deployed enterprise software and messaging infrastructure.
2 weeks ago
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.
1 month ago