CISA Adds Critical ConnectWise and Microsoft Vulnerabilities to KEV Catalog Amid Ongoing Exploitation

AI tools may assist HackWatch with initial monitoring and source clustering. The public article is reviewed, fact-checked and edited by a real HackWatch reviewer before publication or material updates. Last human review: Apr 30, 2026.
Technical reviewer note: Marcin Pocztowski reviewed this alert on Apr 30, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 1 corroborating source.
Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included new high-risk vulnerabilities affecting ConnectWise and Microsoft products in its Known Exploited Vulnerabilities (KEV) catalog. The Microsoft flaw, linked to an incomplete patch, has been actively exploited by the APT28 threat group, raising urgent concerns for organizations relying on these technologies.
WASHINGTON, April 30, 2026, 08:10 UTC
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in ConnectWise and Microsoft software to its Known Exploited Vulnerabilities (KEV) catalog. The move signals heightened risk as attackers continue to exploit these weaknesses in active campaigns.
The Microsoft vulnerability stems from an incomplete patch addressing a flaw previously targeted by APT28, a Russian-linked advanced persistent threat group. This gap has allowed attackers to maintain footholds in compromised systems, underscoring the urgency for organizations to apply updated fixes.
ConnectWise, widely used for IT management and remote monitoring, also faces a high-severity flaw now cataloged by CISA. Exploitation of this vulnerability could enable unauthorized access or disruption of managed services, affecting a broad range of enterprises.
Inclusion in the KEV catalog means these vulnerabilities have documented active exploitation in the wild. CISA’s catalog serves as a prioritized list for federal agencies and private sector entities to focus mitigation efforts on the most pressing threats.
Security teams should immediately assess exposure to these flaws. Microsoft users must verify that the latest cumulative updates fully address the incomplete patch issue. ConnectWise customers should consult vendor advisories and apply recommended patches without delay.
Failure to remediate promptly could result in ransomware attacks, data breaches, or persistent network compromise. The ongoing exploitation by APT28 highlights the operational impact of delayed patching, particularly for critical infrastructure and government networks.
This update follows a broader trend of threat actors targeting software supply chains and IT management tools. ConnectWise’s role in remote administration makes its vulnerabilities especially attractive for lateral movement and escalation in targeted attacks.
Risk remains high as threat actors adapt to partial fixes and exploit overlooked vulnerabilities. Organizations should enhance monitoring for indicators of compromise related to these flaws and review incident response plans accordingly.
CISA’s KEV catalog update reinforces the need for continuous vulnerability management and rapid patch deployment. It also illustrates the challenges in fully mitigating sophisticated threats when patches are incomplete or delayed.
Users unsure whether they are affected should prioritize asset inventories and vulnerability scans focusing on ConnectWise and Microsoft environments. Coordination with IT vendors and cybersecurity partners can accelerate remediation efforts.
The KEV catalog is publicly accessible and updated regularly. Staying informed through CISA and vendor channels is critical to maintaining resilient defenses against evolving cyber threats.
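One way to carry out the exposure check described above, as an added example that is not from the original article or from CISA: it filters a KEV-format feed for the two vendors and matches recent entries against an asset inventory. The feed records, CVE IDs, product names, dates and inventory rows are constructed placeholders; only the field names follow CISA's published KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. CVE IDs, products
# and dates are placeholders, not values from the article or the real catalog.
SAMPLE_KEV = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ConnectWise", "product": "EXAMPLE-PRODUCT-A",
   "dateAdded": "2026-04-29", "dueDate": "2026-05-20", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "EXAMPLE-PRODUCT-B",
   "dateAdded": "2026-04-29", "dueDate": "2026-05-13", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "EXAMPLE-PRODUCT-C",
   "dateAdded": "2026-04-29", "dueDate": "2026-05-20", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "EXAMPLE-PRODUCT-B",
   "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed asset inventory: (hostname, vendor, product, internet_exposed).
INVENTORY = [
    ("rmm-01", "connectwise", "example-product-a", True),
    ("ws-114", "microsoft", "example-product-b", False),
    ("mail-02", "microsoft", "example-product-b", True),
    ("db-07", "othervendor", "example-product-z", False),
]

def triage(catalog, inventory, vendors, added_since, today):
    """Return patch work items for the watched vendors, most urgent first."""
    watched = {v.lower() for v in vendors}
    items = []
    for vuln in catalog["vulnerabilities"]:
        vendor = vuln["vendorProject"].strip().lower()
        if vendor not in watched:
            continue  # vendor not in scope for this alert
        if date.fromisoformat(vuln["dateAdded"]) < added_since:
            continue  # older entry, assumed handled in an earlier cycle
        due = date.fromisoformat(vuln["dueDate"])  # deadline CISA sets for federal agencies
        for host, inv_vendor, inv_product, exposed in inventory:
            if inv_vendor == vendor and inv_product == vuln["product"].lower():
                items.append({"host": host, "cve": vuln["cveID"], "exposed": exposed,
                              "days_left": (due - today).days})
    # Internet-exposed hosts first, then the nearest due date.
    return sorted(items, key=lambda i: (not i["exposed"], i["days_left"], i["host"]))

if __name__ == "__main__":
    for item in triage(SAMPLE_KEV, INVENTORY, ["ConnectWise", "Microsoft"],
                       date(2026, 4, 1), date(2026, 4, 30)):
        print(item)
```

To run it against live data, load the catalog JSON downloaded from CISA in place of `SAMPLE_KEV` and export `INVENTORY` from your asset database with vendor and product names normalized to the catalog's spelling.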
As of this report, no widespread exploitation beyond targeted campaigns has been confirmed, but the risk of escalation remains.
Organizations are advised to:
- Confirm installation of the latest Microsoft updates addressing the incomplete patch.
- Apply ConnectWise security patches immediately.
- Monitor network traffic and logs for unusual activity linked to these vulnerabilities.
- Educate staff on phishing and social engineering tactics that may accompany exploitation attempts.
The evolving threat landscape demands vigilance and swift action to prevent attackers from leveraging known weaknesses. CISA’s inclusion of these flaws in the KEV catalog aims to focus attention and resources on closing critical security gaps.
For more details, refer to the official CISA KEV catalog and vendor security advisories.
https://www.scworld.com/news/cisa-adds-connectwise-microsoft-flaws-to-kev-catalog
Sources used for this article
scmagazine.com
