Severity: HIGH - Active Exploitation Confirmed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, flagging them as under real-world attack. The two flaws are:

  • CVE-2024-1708 - ConnectWise ScreenConnect Path Traversal Vulnerability
  • CVE-2026-32202 - Microsoft Windows Protection Mechanism Failure Vulnerability

Inclusion in the KEV catalog is not a theoretical severity score. It means CISA has evidence that these flaws are being exploited in the wild, and KEV-listed vulnerabilities are routinely scanned for at internet scale. For East African organizations, the window to act is short.

The Threat

ConnectWise ScreenConnect is a widely used remote desktop and IT management tool deployed across Kenyan banks, Ethiopian government ministries, Somali telecom operators, and regional managed service providers (MSPs). The path traversal flaw (CVE-2024-1708) affects ScreenConnect 23.9.7 and earlier and was fixed in 23.9.8. It allows an attacker to access files and directories outside the scope the server intended to expose, which can leak credentials, session tokens, and internal network configuration and, as the vendor advisory notes, can lead to remote code execution. It was disclosed in February 2024 together with an authentication bypass (CVE-2024-1709), and real-world attacks chained the two: bypass authentication first, then use the traversal.
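To make the flaw class concrete, here is a minimal path traversal bug beside its hardened form. This is an added illustration, not ScreenConnect's code and not the exact mechanism of CVE-2024-1708; the base directory and the sample inputs are assumptions.

```python
import os
from typing import Optional

# Hypothetical server-side file store; not a real ScreenConnect path.
BASE_DIR = "/srv/app/uploads"


def unsafe_path(base: str, user_path: str) -> str:
    """The flawed pattern: trust the client-supplied path and join it.

    os.path.join discards `base` entirely when user_path is absolute, and
    normpath collapses '..' segments straight out of the base directory.
    """
    return os.path.normpath(os.path.join(base, user_path))


def safe_path(base: str, user_path: str) -> Optional[str]:
    """Hardened form: resolve symlinks, then require the result to stay
    under base. Returns None for anything that escapes, including absolute
    paths, '..' sequences and symlinks that point outside the store.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:
        # Raised on Windows for different drives or mixed absolute/relative
        # inputs; either way the path is not inside the store.
        return None
    return candidate


if __name__ == "__main__":
    for p in ("reports/q1.pdf", "../../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:24} unsafe={unsafe_path(BASE_DIR, p)!r:20} safe={safe_path(BASE_DIR, p)!r}")
```

The check compares the resolved path against the resolved base with `commonpath` rather than a string prefix test, so a sibling directory such as `/srv/app/uploads-old` does not pass as "inside" `/srv/app/uploads`.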

CVE-2026-32202 is classified by CISA as a protection mechanism failure in Microsoft Windows, meaning a core OS security control can be bypassed. The KEV entries do not state that the two flaws are being used together, but the pairing is obvious enough to plan for: gain a foothold through an exposed ScreenConnect server, then use the Windows flaw to escalate privileges or persist on endpoints without tripping OS-level defenses.

Both flaws require urgent patching. Under Binding Operational Directive 22-01, KEV inclusion sets a hard remediation deadline for U.S. federal agencies; the due date in each catalog entry is a reasonable benchmark for any organization. Regional regulators, including the Central Bank of Kenya (CBK) and the Communications Authority of Kenya, have issued standing guidance that applies to KEV-class threats.

Impact Assessment for East Africa

These vulnerabilities are particularly dangerous for organizations across East Africa and the Horn for three reasons:

  • Heavy ScreenConnect adoption: MSPs and internal IT teams across Kenya, Ethiopia, Uganda, and Tanzania use ScreenConnect for remote support. A compromised ScreenConnect server gives attackers the same reach its operators have over every endpoint the tool manages, which in this region includes core banking servers, payment switches, and government databases.
  • Windows dominance: The majority of enterprise and government workstations across East Africa run Windows. A bypass of a core Windows protection mechanism can undermine controls that endpoint detection tools rely on, so CVE-2026-32202 may let an intruder operate with far less visibility than your tooling normally provides.
  • Regulatory exposure: Under the Kenya Data Protection Act 2019, the CBK Cybersecurity Guidance 2023, and the Bank of Tanzania ICT Security Guidelines, failure to patch known, actively exploited vulnerabilities is likely to be treated as a compliance failure and can trigger penalties, mandatory breach disclosure, and reputational damage.

Ransomware groups and nation-state actors targeting African financial institutions have previously leveraged ScreenConnect as an initial access vector. This is not a low-probability risk.

Immediate Actions - Do These Now

  • Audit your ConnectWise ScreenConnect deployments immediately. Identify every instance in your environment, including servers run by third-party MSPs on your behalf. Confirm version numbers: 23.9.8 or later closes CVE-2024-1708, anything older is exposed. ConnectWise updated its cloud-hosted instances itself; self-hosted (on-premises) servers must be patched by you.
  • Apply the Microsoft Windows security update. Ensure CVE-2026-32202 is patched across all Windows endpoints, servers, and domain controllers. Prioritize internet-facing and privileged systems first.
  • Review ScreenConnect access and audit logs. Look for off-hours logins, sessions from unfamiliar IP addresses, requests containing traversal sequences such as ../ (or their URL-encoded forms), and access patterns that do not match your admins' normal behaviour. Escalate anomalies to your SOC immediately, and treat a server that sat unpatched while internet-exposed as potentially compromised rather than merely vulnerable.
  • Enforce multi-factor authentication (MFA) on all remote access tools. If MFA is not active on your ScreenConnect instance, treat this as a critical gap and close it in parallel with patching. MFA does not fix CVE-2024-1708 itself; it complements the patch rather than replacing it.
  • Notify your third-party IT and MSP vendors. If external vendors use ScreenConnect to access your systems, demand written confirmation of patch status within 24 hours. Your exposure includes their tools.
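The audit and log-review steps above, as an added example (not DRONGO's tooling and not a ConnectWise script): a Python triage that flags ScreenConnect builds older than the 23.9.8 fix and scans an audit export for off-hours logins, unfamiliar source addresses and traversal sequences. The inventory, the CSV export layout, the business hours and the known admin networks are all constructed assumptions; ScreenConnect's native log format differs, so map your export's columns accordingly. Verifying the Windows update is not included because this page does not give the update identifier to check for.

```python
import ipaddress
import re
from datetime import datetime, time
from typing import Dict, List, Tuple

# ConnectWise fixed CVE-2024-1708 in ScreenConnect 23.9.8; earlier builds are exposed.
SCREENCONNECT_FIXED = (23, 9, 8)

# Constructed inventory of (hostname, product, version); these are not real hosts.
INVENTORY = [
    ("sc-01.corp.example", "ScreenConnect", "23.9.7"),
    ("sc-msp.vendor.example", "ScreenConnect", "23.9.10.8817"),
    ("sc-legacy.branch.example", "ScreenConnect", "22.6.3.8312"),
]

# Assumptions for the log review: local business hours and the networks your
# admins and MSPs normally connect from. Adjust both to your environment.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("196.201.0.0/24")]

# Traversal markers in raw and URL-encoded forms.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e|%252e", re.IGNORECASE)

# Constructed sample of a hypothetical CSV audit export with the columns
# timestamp,user,source_ip,event,detail. Not ScreenConnect's native format.
SAMPLE_LOG = """\
2026-03-16T09:12:04,admin.kamau,10.20.4.17,SessionConnect,host=FIN-DB-02
2026-03-16T02:47:33,admin.kamau,185.220.101.9,Login,success
2026-03-16T02:48:10,admin.kamau,185.220.101.9,FileAccess,path=../../App_Data/User.xml
2026-03-17T11:03:51,svc.msp,196.201.0.44,SessionConnect,host=CBS-APP-01
2026-03-21T10:15:00,admin.kamau,10.20.4.17,Login,success
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'23.9.7' -> (23, 9, 7); extra build components compare naturally."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def screenconnect_exposed(version: str) -> bool:
    """True when the build predates the 23.9.8 fix."""
    return parse_version(version) < SCREENCONNECT_FIXED


def exposed_hosts(inventory) -> List[str]:
    return [host for host, product, version in inventory
            if product == "ScreenConnect" and screenconnect_exposed(version)]


def triage_log(log_text: str) -> List[Dict[str, object]]:
    """Flag events that are off-hours (night or weekend), from an unfamiliar
    source network, or that carry traversal sequences. One record can match
    several reasons."""
    findings = []
    for line in log_text.strip().splitlines():
        ts_raw, user, ip_raw, event, detail = line.split(",", 4)
        ts = datetime.fromisoformat(ts_raw)
        ip = ipaddress.ip_address(ip_raw)
        reasons = []
        if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            reasons.append("off-hours")
        if not any(ip in net for net in KNOWN_ADMIN_NETS):
            reasons.append("unfamiliar-ip")
        if TRAVERSAL.search(detail):
            reasons.append("traversal-pattern")
        if reasons:
            findings.append({"time": ts_raw, "user": user, "ip": ip_raw,
                             "event": event, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for host in exposed_hosts(INVENTORY):
        print(f"PATCH NOW: {host} runs a ScreenConnect build older than 23.9.8")
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['ip']} {f['event']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample, the script reports the two outdated servers and three suspicious records: a night-time login from an address outside the known admin ranges, a follow-up file request from the same address carrying a ../ sequence, and a weekend login from an otherwise trusted network. The unfamiliar-IP plus traversal combination is the one to hand to the SOC first.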

DRONGO Recommendation

DRONGO's security team is actively monitoring exploitation attempts targeting East African organizations linked to these CVEs. Our Vulnerability Assessment and Patch Verification service can confirm your exposure status within 48 hours. For organizations running ScreenConnect in banking or government environments, we strongly recommend a targeted penetration test to validate that patching has been effective and no prior compromise occurred.

Is your organization protected? Request a free security assessment.