
CISA Adds CVE-2026-32202 to KEV Catalog as APT28 Actively Exploits Zero-Click Windows Shell Flaw

dark6 13 May 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-32202, a critical zero-click vulnerability in the Microsoft Windows Shell, to its Known Exploited Vulnerabilities (KEV) catalog. The agency has simultaneously confirmed that the flaw is being actively weaponized by the Russian threat group APT28 (also tracked as Fancy Bear and Forest Blizzard), which operates under the direction of Russia's military intelligence service, the GRU.

With the CISA-imposed remediation deadline for Federal Civilian Executive Branch (FCEB) agencies now passed, private-sector organizations and critical infrastructure operators are urged to patch immediately.

What Is CVE-2026-32202?

CVE-2026-32202 is a protection mechanism failure in the Microsoft Windows Shell, classified under CWE-693. The vulnerability stems from an incomplete patch for an earlier Windows Shell security feature bypass, and it enables a zero-click authentication coercion attack: an attacker on the same network segment can force a target Windows system to initiate an NTLM authentication handshake to an attacker-controlled server, with no user interaction required. "Zero-click" refers to the victim; the attacker still needs network adjacency to the target.

Once the NTLM handshake is captured, the attacker can:

  • Attempt to crack the captured Net-NTLMv2 challenge-response offline to recover the account's password. The response is an HMAC over the server challenge, not the NT hash itself, so it cannot be passed directly, but weak passwords fall quickly to dictionary and rule-based attacks.
  • Relay the live authentication to another service (SMB, LDAP, HTTP and others) that does not enforce signing or channel binding, acting as the coerced account without ever knowing its password.
  • Compromise Active Directory infrastructure if the coerced account is privileged, for example a domain administrator or a domain controller's machine account.

The zero-click nature of the attack — no user action required, no phishing email necessary — makes it particularly dangerous in enterprise environments where workstations and servers are regularly connected to shared network segments.

APT28 Exploitation: Confirmed and Active

Microsoft and U.S. government agencies have confirmed that APT28 has incorporated CVE-2026-32202 into its active intrusion toolkit. APT28 is one of the most prolific and capable state-sponsored threat actors globally, with a documented history of targeting government agencies, defense contractors, NATO member organizations, political parties, media organizations, and critical infrastructure across Europe and North America.

The group’s use of Windows Shell coercion vulnerabilities is consistent with its established tradecraft. APT28 has historically leveraged NTLM relay and coercion techniques to move laterally through enterprise networks, harvest credentials, and maintain persistent access to high-value targets over extended periods — often without deploying conventional malware that would trigger endpoint detection.

The specific campaign leveraging CVE-2026-32202 has been observed targeting organizations in the government, defense, and energy sectors across multiple NATO member countries.

Timeline of Key Events

  • April 2026 Patch Tuesday: Microsoft released a patch for CVE-2026-32202 as part of its regular monthly update cycle.
  • April 28, 2026: CISA officially added CVE-2026-32202 to the KEV catalog following confirmation of active exploitation.
  • May 12, 2026: CISA’s binding remediation deadline for all Federal Civilian Executive Branch agencies expired. Agencies were required to apply the April 2026 Patch Tuesday updates by this date.

Who Is Affected?

CVE-2026-32202 affects all supported versions of Microsoft Windows, including Windows 10, Windows 11, and Windows Server 2019, 2022, and 2025. Because the flaw is what remained after an incomplete fix for a prior Windows Shell security bypass, systems that applied the earlier patch are still vulnerable until the April 2026 Patch Tuesday update is installed.

Organizations that have delayed applying April’s patches are potentially exposed right now, particularly if their network environments involve shared broadcast domains, meeting rooms, open office areas, or other contexts where an attacker could achieve network adjacency.

Remediation Steps

The primary remediation for CVE-2026-32202 is applying Microsoft’s April 2026 Patch Tuesday security updates across all affected Windows systems. This includes:

  • All Windows 10 and Windows 11 endpoints
  • Windows Server 2019, 2022, and 2025 systems
  • Remote Desktop Services hosts
  • Domain controllers (especially critical given the NTLM relay risk)

Additional Hardening Measures

Beyond applying the patch, security teams should consider the following hardening steps to reduce NTLM coercion and relay risk more broadly:

  • Require SMB signing on both the server and client side of every Windows system. Signing binds the session to the authenticating party, so a relayed NTLM authentication cannot be used to open an SMB session.
  • Require LDAP signing and set LDAP channel binding to "Always" on domain controllers to block NTLM relay to LDAP and LDAPS.
  • Disable NTLMv1 entirely (LAN Manager authentication level set to refuse LM and NTLMv1), then use the "Network security: Restrict NTLM" policies in audit mode to find what still depends on NTLMv2 before moving toward Kerberos-only authentication where possible.
  • Deploy Windows Defender Credential Guard to protect domain credentials held in LSASS. Note that Credential Guard does not stop a host from answering a coerced NTLM challenge, so it complements rather than replaces the signing and NTLM restrictions above.
  • Network segmentation: limiting broadcast domain exposure between untrusted and trusted network zones reduces the attack surface for coercion techniques that require network adjacency.
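The following PowerShell script is an added example (not from the original article, CISA or Microsoft) that audits the host-level hardening measures listed above on the machine it runs on, and optionally applies them. The registry paths and values are the documented Group Policy backing values for these settings; the `$Checks` table, the `Get-RegValue` helper and the `-Fix` switch are this script's own conventions, not part of any Microsoft tooling.

```powershell
# Added example: audit (and optionally enforce) the NTLM coercion/relay
# hardening settings discussed above on the local host.
# Reading works without elevation; -Fix writes to HKLM and needs an elevated shell.
[CmdletBinding()]
param(
    # Apply the required value for each failing check instead of only reporting it.
    [switch]$Fix
)

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Desired state, one row per hardening measure. 'Pass' is a predicate over the
# current value; 'Want' is the value -Fix writes. (Table layout is this script's own.)
$Checks = @(
    @{ Name = 'SMB server: signing required'
       Path = "$services\LanmanServer\Parameters";      Value = 'RequireSecuritySignature'
       Want = 1; Pass = { param($v) $v -eq 1 } }
    @{ Name = 'SMB client: signing required'
       Path = "$services\LanmanWorkstation\Parameters"; Value = 'RequireSecuritySignature'
       Want = 1; Pass = { param($v) $v -eq 1 } }
    @{ Name = 'LAN Manager auth level (5 = NTLMv2 only, refuse LM and NTLMv1)'
       Path = $lsa;                                      Value = 'LmCompatibilityLevel'
       Want = 5; Pass = { param($v) $v -ge 5 } }
    @{ Name = 'Restrict outgoing NTLM (1 = audit all, 2 = deny all)'
       Path = "$lsa\MSV1_0";                             Value = 'RestrictSendingNTLMTraffic'
       Want = 1; Pass = { param($v) $v -ge 1 } }
)

# LDAP signing and channel binding only apply on a domain controller
# (DomainRole 4 = backup DC, 5 = primary DC).
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -in 4, 5
if ($isDC) {
    $Checks += @{ Name = 'LDAP server: signing required (2)'
                  Path = "$services\NTDS\Parameters"; Value = 'LDAPServerIntegrity'
                  Want = 2; Pass = { param($v) $v -eq 2 } }
    $Checks += @{ Name = 'LDAP server: channel binding Always (2)'
                  Path = "$services\NTDS\Parameters"; Value = 'LdapEnforceChannelBinding'
                  Want = 2; Pass = { param($v) $v -eq 2 } }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # A missing key or value means "not configured", which for every check
    # in the table above is the weak default, so $null fails the predicate.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = @(foreach ($c in $Checks) {
    $current = Get-RegValue $c.Path $c.Value
    $ok = [bool](& $c.Pass $current)
    if (-not $ok -and $Fix) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
        $current = $c.Want; $ok = $true
    }
    [pscustomobject]@{ Check = $c.Name; Current = $current; Required = $c.Want; Pass = $ok }
})

# Credential Guard has no single registry switch to test; the DeviceGuard WMI class
# reports SecurityServicesRunning, which contains 1 when Credential Guard is running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check    = 'Credential Guard running (not fixable from the registry)'
    Current  = ($dg.SecurityServicesRunning -join ',')
    Required = 1
    Pass     = [bool]($dg -and (1 -in $dg.SecurityServicesRunning))
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'One or more NTLM hardening checks failed.' }
```

Run it as-is from an elevated PowerShell for a report, then with `-Fix` to set the failing values; the Restrict NTLM check is deliberately set to audit (1) rather than deny (2) so that Event Viewer's Microsoft-Windows-NTLM/Operational log can reveal which applications still need NTLM before you block it. Registry edits made here are overwritten by Group Policy on the next refresh, so in a domain the same values should be set in the corresponding GPOs; newer builds may already pass the SMB signing checks by default.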

Conclusion

CVE-2026-32202 represents the intersection of three concerning factors: a zero-click attack vector requiring no user interaction, an incomplete prior patch leaving systems newly vulnerable, and active exploitation by one of the most sophisticated nation-state threat actors in the world. CISA’s KEV catalog addition and the expired federal remediation deadline signal that this vulnerability should be treated as an active incident risk, not a future maintenance item. Organizations that have not yet applied the April 2026 Patch Tuesday updates should do so immediately.
