Microsoft warns of exploited zero-click Windows flaw exposing sensitive data

Microsoft and the US Cybersecurity and Infrastructure Security Agency said attackers are exploiting a zero-click Windows flaw tracked as CVE-2026-32202, which can expose sensitive information on vulnerable systems. CISA set a May 12 deadline for federal agencies to fix it.

KEY FACTS

  • Bug: CVE-2026-32202 is an authentication coercion flaw in Windows Shell.
  • Impact: It can send Net-NTLMv2 data to an attacker and expose sensitive information.
  • Status: Microsoft marked the flaw as exploitation detected on Monday.
  • Cause: The issue came from an incomplete fix for CVE-2026-21510.

Microsoft disclosed CVE-2026-32202 on April 14, saying a successful exploit could let an attacker view sensitive information. The company credited Akamai senior security researcher Maor Dahan with finding the flaw.

Dahan’s technical analysis says the new bug remained after Microsoft patched CVE-2026-21510 in February. He said the victim machine was still authenticating to the attacker’s server during testing of the fix.

The report says the flaw can leak a victim’s Net-NTLMv2 hash through auto-parsed LNK files. That data can be used to authenticate as the user, steal information and move around a network.
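
A triage check for the LNK vector described above, added here as an example and not taken from Microsoft's or Akamai's material: it lists the remote hosts named in UNC paths inside a shortcut file so that any outside your own domains can be reviewed. It assumes the coerced authentication is driven by a UNC path stored in the shortcut, which the article does not detail; `unc_targets`, `external_targets` and the sample bytes are constructed for illustration.

```python
import re
import struct

# ShellLinkHeader starts with HeaderSize 0x4C and the LinkCLSID ([MS-SHLLINK] 2.1).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")

# \\host\share..., optionally \\host@port\ or \\host@SSL\ (WebDAV form).
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]{0,252})(?:@[A-Za-z0-9@]+)?\\[^\\\x00]")


def unc_targets(data):
    """Return the set of hosts named in UNC paths anywhere in a .lnk file."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link (.lnk) file")
    # Strings in a shortcut may be ANSI or UTF-16LE and may start at odd
    # offsets, so scan three decodings of the same bytes.
    views = (
        data.decode("latin-1"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    )
    return {m.group(1).lower() for v in views for m in UNC_RE.finditer(v)}


def external_targets(data, allowed_suffixes):
    """Hosts referenced by the shortcut that are not under an allowed domain."""
    def allowed(host):
        return any(host == s or host.endswith("." + s) for s in allowed_suffixes)
    return sorted(h for h in unc_targets(data) if not allowed(h))


# Constructed bytes for the demo: a bare header plus two UTF-16LE paths.
# This is not a working shortcut; hosts use documentation-only names.
SAMPLE = (
    LNK_MAGIC + b"\x00" * 56
    + r"\\files.corp.example\share\doc.pdf".encode("utf-16-le") + b"\x00" * 3
    + r"\\203.0.113.7\x\a.ico".encode("utf-16-le") + b"\x00" * 2
)

if __name__ == "__main__":
    for host in external_targets(SAMPLE, ("corp.example",)):
        print("review: shortcut references remote host", host)
```

A hit is a lead for review, not a verdict: legitimate shortcuts to file servers also carry UNC paths, which is why the allow-list of internal domain suffixes matters.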

Microsoft and CISA have not said who is behind the current attacks. The earlier weakness, CVE-2026-21510, was linked to Russian APT28 activity against Ukraine and European Union countries, according to the report and Ukrainian CERT.

WHY IT MATTERS

The flaw can be triggered without user clicks and may expose credentials that help attackers access files and networks. With CISA requiring fixes by May 12, organizations running affected Windows systems face a short window to reduce the risk.