By Xavier Rivera · 1 min read

CISA Orders Feds to Patch Exploited Windows Zero-Day

CISA orders U.S. federal agencies to patch Windows CVE-2026-32202 by May 12 after zero-day exploitation. The flaw persisted from an incomplete February patch and enables credential theft.


The U.S. Cybersecurity and Infrastructure Security Agency orders federal agencies to patch Windows systems against CVE-2026-32202, a vulnerability exploited in zero-day attacks.

Akamai reports that the flaw is a zero-click vulnerability left behind when Microsoft incompletely patched a remote code execution issue, CVE-2026-21510, in February. CERT-UA states that Russian APT28 exploited CVE-2026-21510 in December 2025 attacks on Ukraine and EU countries, chaining it with CVE-2026-21513 targeting an LNK file flaw. Akamai describes a gap between path resolution and trust verification that enables zero-click credential theft via auto-parsed LNK files.

Microsoft explains that remote attackers can exploit the low-complexity flaw by sending a malicious file for the victim to execute, which lets them view sensitive information on unpatched systems. Microsoft flagged CVE-2026-32202 as exploited on Sunday following BleepingComputer's inquiry about its April 2026 Patch Tuesday advisory.

CISA adds the flaw to its Known Exploited Vulnerabilities Catalog on Tuesday, requiring Federal Civilian Executive Branch agencies to patch endpoints and servers by May 12 under Binding Operational Directive 22-01. CISA warns of significant risks and urges all organizations to apply patches immediately. Threat actors also exploit three other recent Windows flaws dubbed BlueHammer, RedSun, and UnDefend.

EXPERT TAKE

Enterprise admins should prioritize CVE-2026-32202 patching across Windows endpoints to block low-complexity credential theft vectors.
