
CISA KEV Patch Deadline Arrives for Windows Shell Spoofing CVE-2026-32202

  • Deadline
  • Action required
  • High importance

CISA added CVE-2026-32202 (Windows Shell spoofing, CVSS 4.3) and CVE-2024-1708 (ConnectWise ScreenConnect path traversal) to its Known Exploited Vulnerabilities catalog on April 29, 2026, setting a mandatory Federal Civilian Executive Branch patching deadline of May 12, 2026. CVE-2026-32202 is a zero-click flaw exploited by state-sponsored actors attributed to APT28/Fancy Bear, enabling NTLMv2 hash theft without any user interaction. For platform and infrastructure teams operating within federal environments or agencies subject to BOD 22-01, today is the hard cutoff. Organizations that have not yet applied the relevant Windows patch are out of compliance as of this date. Non-federal organizations should treat this as a high-priority remediation given confirmed in-the-wild exploitation.