CISA Adds Actively Exploited Windows Flaw (CVE-2026-32202) to KEV Catalog

CISA Adds Actively Exploited Windows Flaw to KEV Catalog After Botched Patch for APT28 Zero-Day

Severity: CRITICAL
Published: April 29, 2026
Updated: April 30, 2026
Categories: Vulnerability, Patch Management, Threat Actor

Related Entities (initial)

Organizations / Products & Tech / Other: Akamai

CVE Identifiers:
  • CVE-2026-32202 (HIGH)
  • CVE-2026-21510 (CRITICAL)
  • CVE-2026-21513 (MEDIUM)

Full Report (when first published)

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-32202, a privilege escalation vulnerability in Microsoft Windows, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. This vulnerability is particularly notable as it stems from an incomplete patch for a previous zero-day, CVE-2026-21510. The original flaw was exploited by the Russian state-sponsored group APT28 (Fancy Bear) in campaigns targeting entities in Ukraine and the European Union. The new flaw, CVE-2026-32202, is an authentication coercion vulnerability that can be exploited without user interaction (zero-click) to steal credentials. Federal agencies are now required to apply the patch released by Microsoft in April 2026.

Vulnerability Details

  • CVE-2026-32202: An authentication coercion vulnerability in Microsoft Windows.
  • Attack Vector: An attacker can exploit this vulnerability by convincing a user to open a malicious HTML file or, more critically, by placing a malicious shortcut (.lnk) file in a location that the victim's machine will automatically parse. This can trigger an authentication attempt to an attacker-controlled server, allowing the theft of NTLM hashes.
  • Root Cause: The vulnerability exists because the patch for CVE-2026-21510 was incomplete. CVE-2026-21510 was a remote code execution (RCE) vulnerability exploited in the wild by APT28. The incomplete fix left open a new attack surface for credential theft.
  • Zero-Click Scenario: The 'zero-click' aspect is significant. If an attacker can place a malicious .lnk file on a network share that a user browses with File Explorer, the preview pane's attempt to render the file's icon can be enough to trigger the authentication attempt to the attacker's server, without the user ever clicking on the file.

Affected Systems

  • All supported versions of Microsoft Windows were affected prior to the April 2026 security updates.

Exploitation Status

CISA has confirmed that CVE-2026-32202 is being actively exploited in the wild. The original vulnerability, CVE-2026-21510, was used as a zero-day by APT28 since at least December 2025 in conjunction with CVE-2026-21513 (an MSHTML security feature bypass).

Impact Assessment

  • Credential Theft: The primary impact is the theft of user NTLM hashes. These hashes can be cracked offline to reveal the user's password or used in NTLM relay attacks to authenticate to other services on the network as the victim user.
  • Privilege Escalation & Lateral Movement: Once an attacker has valid credentials, they can move laterally through the network, escalate privileges, and gain access to more sensitive systems and data.
  • Downstream Attacks: Stolen credentials are a key enabler for more severe attacks, including ransomware deployment and data exfiltration.

Cyber Observables — Hunting Hints

The following patterns may help identify exploitation attempts:

  • Type: network_traffic_pattern
    Value: Outbound SMB traffic (port 445) from workstations to unknown or external IP addresses.
    Description: This is the hallmark of an NTLM hash being sent to an attacker-controlled server. SMB traffic should typically be restricted to internal network segments.
  • Type: log_source
    Value: Windows Security Event Log (ID 4625)
    Description: Look for a high volume of failed logon events (Type 3 - Network Logon) from a single machine, which could indicate an attacker attempting to use relayed credentials.
  • Type: file_name
    Value: *.lnk
    Description: Monitor for the creation of .lnk files in unusual locations, especially on network shares.
  • Type: process_name
    Value: explorer.exe
    Description: Monitor for the explorer.exe process initiating outbound network connections to suspicious IP addresses on port 445.

Detection Methods

  • Network Intrusion Detection: Use an IDS/IPS to monitor for and block outbound SMB traffic to the internet. This is a critical control. D3FEND's Outbound Traffic Filtering (D3-OTF) is directly applicable.
  • Endpoint Detection: EDR solutions can be configured to alert on processes like explorer.exe or rundll32.exe making outbound SMB connections, which is highly anomalous behavior.
  • Vulnerability Scanning: Use a vulnerability scanner to identify all systems that are missing the April 2026 Microsoft security update.
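The two hunting patterns above (outbound SMB from explorer.exe/rundll32.exe to addresses outside the internal ranges, and bursts of failed Type 3 logons in Event ID 4625) can be checked with a small script. This is an added example, not code from the article; the event dictionaries are constructed in the shape of Sysmon network-connection and Windows Security logon records, and the "internal" ranges are assumed to be RFC 1918 plus loopback and link-local.

```python
"""Added example: flag the hunting patterns described in the report over constructed log records."""
import ipaddress
from collections import Counter

# Processes the report calls out as anomalous sources of outbound SMB.
SUSPECT_PROCS = {"explorer.exe", "rundll32.exe"}

# Assumption: these ranges are the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the destination lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(net_events):
    """net_events: dicts with host, image, dst_ip, dst_port (Sysmon EID 3 shape, constructed).
    Returns (host, image, dst_ip) for suspect processes talking SMB to external addresses."""
    return [(e["host"], e["image"], e["dst_ip"]) for e in net_events
            if e["dst_port"] == 445 and e["image"].lower() in SUSPECT_PROCS
            and is_external(e["dst_ip"])]


def find_logon_bursts(logon_events, threshold=5):
    """logon_events: dicts with event_id, logon_type, src_ip (EID 4625 shape, constructed).
    Returns {src_ip: count} for sources with at least `threshold` failed network (Type 3) logons."""
    counts = Counter(e["src_ip"] for e in logon_events
                     if e["event_id"] == 4625 and e["logon_type"] == 3)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample data (documentation-range IPs stand in for internet hosts).
NET_EVENTS = [
    {"host": "WS01", "image": "explorer.exe", "dst_ip": "10.0.0.5", "dst_port": 445},     # internal share
    {"host": "WS01", "image": "explorer.exe", "dst_ip": "203.0.113.7", "dst_port": 445},  # external: flag
    {"host": "WS02", "image": "chrome.exe", "dst_ip": "198.51.100.3", "dst_port": 443},   # not SMB
    {"host": "WS03", "image": "rundll32.exe", "dst_ip": "198.51.100.9", "dst_port": 445},  # external: flag
]
LOGON_EVENTS = [{"event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.77"} for _ in range(6)] + [
    {"event_id": 4625, "logon_type": 2, "src_ip": "10.0.0.78"},  # interactive failure, ignored
    {"event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.79"},  # successful logon, ignored
]

if __name__ == "__main__":
    for hit in find_outbound_smb(NET_EVENTS):
        print("outbound SMB to external address:", hit)
    for ip, n in find_logon_bursts(LOGON_EVENTS).items():
        print(f"{n} failed network logons from {ip}")
```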

Remediation Steps

  • Patch Immediately: The primary remediation is to apply the security update for CVE-2026-32202 released by Microsoft in April 2026. Given its KEV status, this should be treated as an emergency change.
  • Block Outbound SMB: As a critical compensating control, configure perimeter firewalls to block all outbound TCP port 445 traffic from your network to the internet. There are very few legitimate reasons for this traffic, and blocking it mitigates this and many other credential theft vulnerabilities.
  • Disable NTLM: Where possible, organizations should move towards using Kerberos authentication and disable NTLM to prevent hash relay and cracking attacks. This is a longer-term strategic mitigation.

Timeline of Events

  1. December 1, 2025: APT28 begins exploiting the original zero-day, CVE-2026-21510.
  2. February 1, 2026: Microsoft releases an incomplete patch for CVE-2026-21510.
  3. April 1, 2026: Microsoft releases a complete fix for the new vulnerability, CVE-2026-32202.
  4. April 29, 2026: CISA adds CVE-2026-32202 to the Known Exploited Vulnerabilities (KEV) catalog.
  5. April 29, 2026: This article was published.

Article Updates

April 30, 2026

Microsoft and CISA confirm active exploitation of CVE-2026-32202, detailing Windows Shell spoofing and NTLM relay attacks, and adding SMB signing as a key mitigation.

MITRE ATT&CK Mitigations

Applying the April 2026 Microsoft security update is the primary mitigation.

Blocking outbound SMB (TCP 445) traffic at the perimeter firewall is a critical compensating control.

Disable NTLM authentication in favor of Kerberos to prevent NTLM relay attacks.

D3FEND Defensive Countermeasures

The most direct and effective countermeasure for CVE-2026-32202 is to apply the security update provided by Microsoft in its April 2026 patch release. Given that CISA has added this vulnerability to the KEV catalog, organizations must treat this as a critical priority. Federal agencies are mandated to patch within a specific timeframe, and commercial entities should follow suit. Use enterprise patch management systems like WSUS or SCCM to deploy the update across all Windows endpoints and servers. Run authenticated vulnerability scans to verify that the patch has been successfully applied and that no systems were missed.

As a crucial compensating control that mitigates this and many similar credential theft vulnerabilities, organizations must block outbound SMB traffic at the network perimeter. Configure your edge firewalls to deny any egress traffic on TCP port 445. There are almost no legitimate business cases for an internal client to initiate an SMB connection to a server on the internet. This single change prevents the vulnerability from being exploited, as the victim's machine would be unable to send its NTLM hash to the attacker's external server. This is a high-impact, low-disruption defense that should be standard practice.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2026-32202, CISA, KEV, Windows, APT28, Fancy Bear, Zero-Day, Patch Management
