Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability · Happening score: 61 · 2 unique sources, 2 articles

Summary

Microsoft updated Windows Shell advisory guidance to confirm CVE-2026-32202 was actively exploited in the wild, raising the risk of sensitive-information disclosure from a now-patched spoofing flaw. The bug can be triggered through malicious LNK files and is tied to a zero-click credential theft path via auto-parsed shortcuts.

Related Happenings

Microsoft Edge stops loading saved passwords into cleartext memory at startup

Security Tool/Service
First: 15.05.2026 17:49 Last: 15.05.2026 17:49 Sources 1

About this happening: **Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

DigiCert hit by network compromise

Incident
First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: DigiCert disclosed an **early April** **support environment compromise** that exposed **initialization codes** for approved **EV code-signing certificate orders**, creating a path...

Latest development: 04.05.2026 15:46

By April 17, DigiCert revoked 60 certificates tied to the support-portal compromise, including 27 explicitly linked to the threat actor and 11 used to sign Zhong Stealer, and canceled pending orders to close attacker access. DigiCert also enforced multi-factor authentication for administrative workflows, blocked access to initialization codes from proxied support users, restricted file types for support chat and Salesforce case attachments, and improved logging.

Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store

Security Tool/Service
First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...

Windows RPC PhantomRPC local privilege escalation flaw

Vulnerability
First: 28.04.2026 14:31 Last: 28.04.2026 14:31 Sources 1

About this happening: **PhantomRPC** in **Windows RPC** can let a local attacker elevate to **System** across **all Windows versions**, creating a high-impact privilege-escalation path. The flaw abuses...

Timeline

  1. 28.04.2026 08:50 2 articles · 29d ago

    Microsoft confirms active exploitation of CVE-2026-32202 in Windows Shell

    Initial Disclosure

    Microsoft revised its Windows Shell advisory to confirm that CVE-2026-32202, a spoofing flaw that could expose sensitive information, had been actively exploited in the wild and that its exploitability fields had previously been published incorrectly. Akamai linked the issue to an incomplete patch for CVE-2026-21510 and described a zero-click path involving malicious Windows Shortcut (LNK) files, UNC path loading, SMB-triggered NTLM authentication, and potential Net-NTLMv2 hash disclosure. The same reporting also tied related exploitation of CVE-2026-21513 to APT28 and noted earlier activity against Ukraine and E.U. nations in December 2025.
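A defender-side triage check for the shortcut-to-UNC chain described in the timeline entry above, added here as an example (it is not code from Microsoft, Akamai, or the cited articles): it validates the Shell Link header and flags any UNC path embedded in a .lnk file's bytes. It is a heuristic string scan rather than a full Shell Link parser; the function names, the `fileserver.example` host, and the sample bytes are constructed for illustration.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# \\host\share[\more...]; ASCII-only classes keep mis-decoded binary from matching
UNC_RE = re.compile(r"\\\\[A-Za-z0-9.-]{1,253}(?:\\[\w$ .-]{1,80})+", re.ASCII)


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a valid Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    (header_size,) = struct.unpack_from("<I", data, 0)
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def unc_targets_in_lnk(data: bytes) -> list[str]:
    """Return UNC paths found in a shortcut's bytes (heuristic scan, not a full parser)."""
    if not is_lnk(data):
        return []
    views = (
        data.decode("latin-1"),                  # ANSI strings
        data.decode("utf-16-le", "ignore"),      # Unicode strings at even offsets
        data[1:].decode("utf-16-le", "ignore"),  # Unicode strings at odd offsets
    )
    return sorted({m.group(0) for view in views for m in UNC_RE.finditer(view)})


def _constructed_lnk(target: str) -> bytes:
    # Constructed sample: a valid 76-byte header followed by one UTF-16LE string.
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + bytes(56)
    return header + target.encode("utf-16-le") + b"\x00\x00"


REMOTE_SAMPLE = _constructed_lnk(r"\\fileserver.example\share\icon.ico")
LOCAL_SAMPLE = _constructed_lnk(r"C:\Windows\notepad.exe")

if __name__ == "__main__":
    for name, blob in (("remote", REMOTE_SAMPLE), ("local", LOCAL_SAMPLE)):
        print(name, unc_targets_in_lnk(blob))
```

Shortcuts that legitimately point at internal file shares also contain UNC paths, so hits are triage leads to compare against known hosts rather than verdicts.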
