CVE-2026-32202: ConnectWise ScreenConnect RCE, CISA KEV May 12
Quick summary
CVE-2026-32202 is a path traversal RCE in ConnectWise ScreenConnect added to CISA KEV April 28. Patch deadline May 12. Affects all versions before 25.3.1. Patch now.
ConnectWise ScreenConnect has a critical path traversal vulnerability that allows remote code execution without authentication. CVE-2026-32202 was added to the CISA Known Exploited Vulnerabilities catalog on April 28, 2026 with a federal agency remediation deadline of May 12. Active exploitation has been confirmed in the wild. If you run ScreenConnect on-premises — for remote IT management, managed service provider (MSP) operations, or internal infrastructure support — patch to version 25.3.1 immediately.
ScreenConnect is used by hundreds of thousands of MSPs and IT teams globally for remote desktop access and IT management. A compromised ScreenConnect server is not just a single breach — it is a pivot point into every endpoint that server manages.
What CVE-2026-32202 Is
CVE-2026-32202 is a path traversal vulnerability in ConnectWise ScreenConnect's file transfer and web interface components. The specific flaw: the application fails to properly sanitise file path inputs in certain request handlers, allowing an attacker to traverse the directory structure and access files or execute payloads outside the intended web root.
The path traversal reaches a code execution primitive through ScreenConnect's extension and plugin loading mechanism. A crafted request can write a malicious file to a location that ScreenConnect's runtime loads as a legitimate extension, resulting in remote code execution in the context of the ScreenConnect service.
The service typically runs with elevated privileges (SYSTEM on Windows, root-equivalent on Linux in many default configurations) to enable its remote management functions. Compromise of the ScreenConnect process gives attackers system-level access to the host running the ScreenConnect server.
Who can exploit this: The path traversal is reachable without authentication in the default ScreenConnect web interface. Any network-accessible ScreenConnect instance is potentially vulnerable. Internet-facing ScreenConnect installations are the immediate high-risk target; internal-only installations are at risk from attackers already inside the network perimeter.
CVSS score: Not yet published at time of writing; based on the CISA KEV addition and active exploitation confirmation, a score of 9.0+ (Critical) is expected.
Affected Versions
Vulnerable: ConnectWise ScreenConnect versions prior to 25.3.1.
Patched: Version 25.3.1, released April 26, 2026.
To check your current version: open the ScreenConnect administration interface, navigate to Administration > About. The version number is displayed on the About page.
ScreenConnect Cloud (ConnectWise-hosted instances): ConnectWise has confirmed cloud instances were patched automatically. If you are on ScreenConnect Cloud, you do not need to take action for this specific CVE — but verify you are on the cloud deployment, not a hybrid or on-premises installation.
On-premises ScreenConnect installations: You must manually upgrade to 25.3.1.
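MSPs typically run more than one instance, so checking the About page by hand does not scale. The following is an added example for this article, not ConnectWise code: it compares inventory version strings against 25.3.1 and tells you which hosts still need the upgrade. It assumes ScreenConnect version strings are of the form major.minor.patch with an optional fourth build number (which it ignores for the comparison); the inventory records, hostnames and the "cloud"/"onprem" deployment tag are constructed for the example.

```python
"""Triage a ScreenConnect inventory against the 25.3.1 fix (added example, not ConnectWise code).

Assumes version strings of the form major.minor.patch[.build]; the build number is ignored
for the comparison. The inventory below is constructed.
"""
import re
from dataclasses import dataclass

FIXED = (25, 3, 1)  # first release containing the fix, per the advisory


def parse_version(text: str) -> tuple[int, ...]:
    parts = re.findall(r"\d+", text)
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True for anything below 25.3.1; a trailing build number does not change the answer.
    A two-part string such as '25.3' sorts below 25.3.1 and is reported as vulnerable."""
    return parse_version(version)[:3] < FIXED


@dataclass(frozen=True)
class Instance:
    host: str
    deployment: str  # "cloud" (ConnectWise-hosted) or "onprem"
    version: str


def triage(inventory) -> list[tuple[str, str]]:
    """Return (host, action) pairs. Cloud instances are reported as already patched but still
    flagged so the operator confirms the deployment type instead of assuming it."""
    result = []
    for inst in inventory:
        if inst.deployment == "cloud":
            result.append((inst.host, "cloud-hosted: patched by ConnectWise, confirm it is not hybrid/on-prem"))
        elif is_vulnerable(inst.version):
            result.append((inst.host, f"UPGRADE NOW: {inst.version} < 25.3.1"))
        else:
            result.append((inst.host, f"ok: {inst.version}"))
    return result


SAMPLE_INVENTORY = [  # constructed inventory, not real hosts
    Instance("sc-primary.msp.example", "onprem", "25.2.9.9001"),
    Instance("sc-client-a.msp.example", "onprem", "24.1.4.9034"),
    Instance("sc-lab.msp.example", "onprem", "25.3.1.9123"),
    Instance("msp-example.hostedscreenconnect.example", "cloud", "25.3.1"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:42} {action}")
```

Feed it the version strings you collect from each About page (or from whatever inventory tool you already use) and patch everything marked UPGRADE NOW, not just the primary instance.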
Exploitation Timeline and Active Threat Actors
CISA added CVE-2026-32202 to the KEV catalog on April 28, 2026, which means exploitation in the wild had been confirmed on or before that date. Because the catalog usually lags the first observed exploitation by a few days, treat April 25 as the conservative start of the exploitation window when you review logs; the true start may be earlier.
The historical pattern with ScreenConnect vulnerabilities is relevant context: CVE-2024-1709 (authentication bypass, CVSS 10.0, paired with the path traversal CVE-2024-1708) was exploited within days of public disclosure in February 2024 and became one of the most-exploited vulnerabilities of 2024. Multiple ransomware groups (Black Basta, LockBit affiliates, and others) used that ScreenConnect flaw as an initial access vector for enterprise ransomware deployments.
CVE-2026-32202 is not the same severity as CVE-2024-1709, but the exploitation pattern is similar: ScreenConnect servers are high-value initial access targets because a single compromised server gives attackers a foothold on every endpoint that server manages.
Threat actors known to target ScreenConnect flaws include:
- Initial access brokers who compromise MSP ScreenConnect installations and sell access to ransomware groups
- Ransomware-as-a-service affiliates using ScreenConnect as a pivot point into MSP client networks
- Nation-state adjacent groups targeting critical infrastructure via MSP supply chains
The May 12 CISA deadline is for federal agencies, but the real window is now: every day a vulnerable ScreenConnect server is running internet-accessible is a day an initial access broker is scanning for it.
Upgrade Process
Option 1 — Direct upgrade (recommended for most installations):
Download version 25.3.1 from the ConnectWise partner portal or ConnectWise website.
The upgrade process:
- Back up your ScreenConnect configuration and database before upgrading
- Stop the ScreenConnect service before running the installer
- Run the 25.3.1 installer. It upgrades in place and preserves session records, user accounts, and configuration (live sessions are interrupted while the service is stopped, so schedule a short maintenance window)
- Restart the service and verify version on the About page
Upgrade documentation: the ConnectWise security advisory page links directly to the 25.3.1 download.
Option 2 — Cloud migration (if you've been considering moving to ScreenConnect Cloud):
ConnectWise-hosted cloud instances are patched automatically and you lose the maintenance overhead. If your on-premises installation is running on ageing server hardware or you're constrained on IT bandwidth, this is the moment to evaluate the migration. The migration preserves client agent connections with a grace period.
If immediate upgrade is blocked:
Network isolation is the most effective temporary mitigation. If your ScreenConnect server does not need to be reachable from the public internet, restrict the web interface to internal addresses or VPN clients only (by default the web interface listens on TCP 8040 and the relay on TCP 8041; the traversal is reached through the web interface, so that is the port to firewall). Note that endpoints managed across the internet still need to reach the relay, so check which port your agents actually use before closing anything. No network path to the web interface, no attack.
Do not rely on WAF rules alone. Path traversal payloads frequently evade signature rules through encoding variations (double URL encoding, backslashes in place of forward slashes, overlong UTF-8 forms of "." and "/"), so a WAF is defence in depth, not a substitute for the patch or for isolation.
Why MSPs Should Treat This as a Priority-1 Response
MSPs running ScreenConnect have an elevated responsibility compared to individual organisations. A compromised MSP ScreenConnect server is a supply chain breach: the attacker has remote management access to every client endpoint managed through that server.
The 2024 pattern with CVE-2024-1709 established this clearly: ransomware groups used compromised MSP ScreenConnect access to deploy ransomware simultaneously across multiple MSP clients, achieving a multiplied blast radius from a single initial access.
If you are an MSP:
- Patch all ScreenConnect instances to 25.3.1 immediately — not just your primary instance
- Review ScreenConnect access logs for anomalous logins or sessions since April 25
- Check for unusual extension installations or files added to the ScreenConnect web root directory
- Notify clients if you find evidence of suspicious activity in ScreenConnect sessions targeting their endpoints
The gap between first exploitation and public CISA catalog addition (on the order of days) means there may be compromised MSP ScreenConnect servers that were breached before anyone was aware of the vulnerability. A post-patch log review is not optional.
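The log review above, and the earlier caveat that WAF rules miss encoded traversal payloads, are both served by one check: decode each request target until it stops changing, then look for ".." segments. The following is an added example for this article, not ConnectWise code and not a detection signature for CVE-2026-32202. It assumes Common Log Format access lines (ScreenConnect's own log format may differ, so adjust LOG_RE), treats April 25, 2026 as the start of the exploitation window, and uses constructed, generic traversal variants as sample input rather than any real exploit request.

```python
"""Find path-traversal attempts in web access logs within an exploitation window.

Added example for this article, not ConnectWise code. It assumes Common Log Format
lines (ScreenConnect's own log format may differ; adjust LOG_RE) and uses generic
traversal variants as sample input, not the CVE-2026-32202 exploit request.
"""
import re
import urllib.parse
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
WINDOW_START = datetime(2026, 4, 25, tzinfo=timezone.utc)  # assumed conservative start of exploitation

# Overlong UTF-8 forms of '.', '/' and '\' that urllib.parse.unquote will not turn into ASCII.
OVERLONG = {"%c0%ae": ".", "%e0%80%ae": ".", "%c0%af": "/", "%e0%80%af": "/", "%c1%9c": "\\"}
OVERLONG_RE = re.compile("|".join(re.escape(k) for k in OVERLONG), re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalise(target: str) -> str:
    """Decode until the string stops changing (defeats double/triple encoding), map overlong
    UTF-8 to ASCII, unify backslashes, drop NUL bytes, and collapse duplicate slashes."""
    s = target
    for _ in range(5):  # bounded: a hostile string must not keep us decoding forever
        step = OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], s)
        step = urllib.parse.unquote(step)
        if step == s:
            break
        s = step
    s = s.replace("\\", "/").replace("\x00", "")
    return re.sub(r"/{2,}", "/", s)


def naive_hit(target: str) -> bool:
    """What a simple grep or WAF string rule on the raw request line sees."""
    return "../" in target or "..\\" in target


def normalised_hit(target: str) -> bool:
    return bool(TRAVERSAL_RE.search(normalise(target)))


def scan(lines):
    """Return one record per traversal attempt seen on or after WINDOW_START."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < WINDOW_START:
            continue
        target = m["target"]
        if normalised_hit(target):
            hits.append({
                "ip": m["ip"], "ts": ts.isoformat(), "status": m["status"],
                "raw": target, "decoded": normalise(target),
                "naive_rule_catches": naive_hit(target),
            })
    return hits


# Constructed sample log lines (generic traversal variants, not a real exploit capture).
SAMPLE_LOG = [
    '198.51.100.9 - - [24/Apr/2026:09:00:00 +0000] "GET /files/../../web.config HTTP/1.1" 404 0',
    '203.0.113.7 - - [26/Apr/2026:02:14:07 +0000] "GET /Host HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Apr/2026:02:14:09 +0000] "GET /files/..%2f..%2fweb.config HTTP/1.1" 200 812',
    '203.0.113.7 - - [26/Apr/2026:02:14:11 +0000] "GET /files/%252e%252e%252f%252e%252e%252fweb.config HTTP/1.1" 200 812',
    '203.0.113.7 - - [26/Apr/2026:02:14:13 +0000] "GET /files/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afweb.config HTTP/1.1" 200 812',
    '203.0.113.7 - - [26/Apr/2026:02:14:15 +0000] "GET /files/..\\..\\web.config HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

On the sample input only the backslash variant is caught by the raw-string rule; the URL-encoded, double-encoded and overlong variants are all invisible to it and all resolve to the same `/files/../../web.config` after normalisation. Any source IP that produces hits, especially with 200 responses, is the starting point for a session-by-session review of what that server did to managed endpoints afterwards.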
Developer and DevOps Impact
For development teams that use ScreenConnect for remote access to build servers, CI/CD infrastructure, or developer workstations:
- A compromised ScreenConnect server gives attackers access to build pipelines, source code, and deployment keys
- Check whether your ScreenConnect instance has access to any systems holding signing certificates, deployment credentials, or AWS/Azure/GCP IAM keys
- If ScreenConnect was used to access production infrastructure, rotate any credentials that were reachable from managed endpoints during the exploitation window (April 25 onward)
ScreenConnect is not a developer tool, but it is frequently deployed in environments that mix IT management with developer infrastructure. The supply chain attack surface is real.
Key Takeaways
- CVE-2026-32202: path traversal RCE in ConnectWise ScreenConnect all versions before 25.3.1; unauthenticated remote exploit via web interface; SYSTEM/root-level code execution on ScreenConnect host
- CISA KEV, May 12 deadline: added April 28; active exploitation confirmed — scan and patch before May 12, but do it now
- Patch: upgrade to ScreenConnect 25.3.1: download from ConnectWise partner portal; in-place upgrade preserves configuration; ScreenConnect Cloud is already patched
- MSP risk is multiplied: compromised ScreenConnect server = access to all managed endpoints; post-patch log review required for activity from April 25 to the present
- Temp mitigation if upgrade blocked: restrict ScreenConnect to internal/VPN access only; do not rely on WAF rules alone
- Rotate credentials if ScreenConnect had access to systems holding deployment keys, CI/CD credentials, or cloud IAM keys during the exploitation window
For the LiteLLM AI gateway SQL injection with a similar exploitation speed, read CVE-2026-42208: LiteLLM SQL Injection Leaks Upstream API Keys. For the APT28 router campaign targeting developer OAuth tokens, read APT28 Operation Masquerade: 18,000 Routers, Microsoft OAuth Tokens. For the BlueHammer Defender zero-day patching context, read CVE-2026-33825 BlueHammer: Defender Zero-Day Grants SYSTEM.
Frequently Asked Questions
What is CVE-2026-32202 and which ConnectWise ScreenConnect versions are affected?
CVE-2026-32202 is a path traversal vulnerability in ConnectWise ScreenConnect that enables unauthenticated remote code execution. The flaw is in the application's file transfer and web interface components — an attacker can traverse the directory structure to write a malicious payload to a location that ScreenConnect loads as a legitimate extension, achieving code execution in the ScreenConnect service context (typically SYSTEM on Windows). All ScreenConnect versions prior to 25.3.1 are affected. CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog on April 28, 2026 with a federal agency remediation deadline of May 12.
How do I patch ConnectWise ScreenConnect for CVE-2026-32202?
Upgrade to ConnectWise ScreenConnect version 25.3.1, released April 26, 2026. Download it from the ConnectWise partner portal. Before upgrading: back up your configuration and database, then stop the ScreenConnect service. Run the 25.3.1 installer — it upgrades in-place and preserves existing sessions and configuration. Verify the version on the Administration > About page after upgrade. ScreenConnect Cloud (ConnectWise-hosted) instances were patched automatically — cloud customers do not need to take action but should confirm they are on the cloud deployment.
Why is a compromised ScreenConnect server worse than other breaches for MSPs?
A compromised MSP ScreenConnect server gives attackers remote management access to every client endpoint managed through that server — not just the server itself. This is a supply chain multiplier: a single initial access becomes ransomware deployment across all MSP clients simultaneously. This pattern was established clearly with CVE-2024-1709 (the 2024 ScreenConnect auth bypass) when ransomware groups used compromised MSP ScreenConnect access to deploy ransomware across multiple clients from one breach. MSPs must patch all ScreenConnect instances immediately, review logs for April 25 to present anomalous activity, and notify clients if suspicious sessions are found.
What should I do if I cannot patch ScreenConnect immediately?
If an immediate upgrade is blocked, restrict the ScreenConnect web interface to internal network access only (internal addresses or VPN clients), removing internet-facing exposure. The path traversal attack requires reaching the ScreenConnect web interface, so removing public network access removes the attack surface. Do not rely on WAF rules as the primary mitigation; path traversal payloads frequently evade WAF detection through encoding variations. Assess whether ScreenConnect has access to any systems holding deployment keys, CI/CD credentials, or cloud IAM keys, and consider rotating those credentials until the patch is applied.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
