CISA Adds ConnectWise Path Traversal and Windows Protection Flaw to 'Must Patch' List
The Cybersecurity and Infrastructure Security Agency (**CISA**) has added two new vulnerabilities to its [Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation. These vulnerabilities, affecting **ConnectWise** ScreenConnect and **Microsoft Windows**, pose a significant risk and require immediate attention from security teams.
* [**CVE-2024-1708**](https://www.cve.org/CVERecord?id=CVE-2024-1708) **ConnectWise** ScreenConnect Path Traversal Vulnerability
* [**CVE-2026-32202**](https://www.cve.org/CVERecord?id=CVE-2026-32202) **Microsoft Windows** Protection Mechanism Failure Vulnerability
### Why These Vulnerabilities Matter
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to organizations. Path traversal flaws like **CVE-2024-1708** can allow attackers to access sensitive files and directories outside of the intended scope, while protection mechanism failures, such as **CVE-2026-32202**, can allow attackers to bypass security controls.
### Binding Operational Directive (BOD) 22-01
[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.
### Recommendation for All Organizations
Although BOD 22-01 only applies to FCEB agencies, **CISA** strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [KEV Catalog vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) as part of their vulnerability management practice. **CISA** will continue to add vulnerabilities to the catalog that meet the [specified criteria](https://www.cisa.gov/known-exploited-vulnerabilities).