CISA mandates patching of Windows zero-click authentication coercion flaw (CVE-2026-32202) exploited in APT28 campaigns
Summary
CISA has issued a directive under BOD 22-01 requiring U.S. federal agencies to patch the Windows authentication coercion vulnerability CVE-2026-32202 by May 12, 2026, following evidence of active exploitation in low-complexity, zero-click credential theft attacks. The flaw represents an incompletely remediated gap left after Microsoft’s February 2026 patch for CVE-2026-21510, a remote code execution issue exploited by Russian state-sponsored APT28 (Fancy Bear) in December 2025 across Ukraine and EU targets. Akamai researchers identified the residual vulnerability as enabling auto-parsed LNK file-based attacks that bypass user interaction, leveraging trust verification bypasses in path resolution. Microsoft confirmed active exploitation on April 27, 2026, prompting the urgency reflected in the KEV entry and CISA’s binding directive.
Timeline
- 29.04.2026 13:29 · 1 article
CISA adds CVE-2026-32202 to KEV Catalog, mandates federal patching by May 12
CISA included CVE-2026-32202 in the Known Exploited Vulnerabilities Catalog on April 29, 2026, ordering Federal Civilian Executive Branch agencies to remediate the Windows authentication coercion flaw by May 12, 2026. The directive cites significant risks to federal enterprise security and leverages BOD 22-01 enforcement mechanisms.
- CISA orders feds to patch Windows flaw exploited as zero-day — www.bleepingcomputer.com — 29.04.2026 13:29
Information Snippets
- CVE-2026-32202 is an authentication coercion vulnerability in Windows left after Microsoft’s February 2026 patch for CVE-2026-21510, enabling zero-click credential theft via auto-parsed LNK files.
First reported: 29.04.2026 13:29 (1 source, 1 article)
- CISA orders feds to patch Windows flaw exploited as zero-day — www.bleepingcomputer.com — 29.04.2026 13:29
- APT28 (UAC-0001, Fancy Bear) exploited CVE-2026-21510 in December 2025 as part of a multi-stage attack chain that also included CVE-2026-21513 (LNK file flaw), targeting Ukraine and EU countries.
First reported: 29.04.2026 13:29 (1 source, 1 article)
- CISA orders feds to patch Windows flaw exploited as zero-day — www.bleepingcomputer.com — 29.04.2026 13:29
- Microsoft confirmed active exploitation of CVE-2026-32202 on April 27, 2026, after previously listing it with an 'Exploitation Detected' flag during the April 2026 Patch Tuesday without public explanation.
First reported: 29.04.2026 13:29 (1 source, 1 article)
- CISA orders feds to patch Windows flaw exploited as zero-day — www.bleepingcomputer.com — 29.04.2026 13:29
- CISA added CVE-2026-32202 to the Known Exploited Vulnerabilities (KEV) Catalog on April 29, 2026, requiring FCEB agencies to patch by May 12, 2026, under BOD 22-01.
First reported: 29.04.2026 13:29 (1 source, 1 article)
- CISA orders feds to patch Windows flaw exploited as zero-day — www.bleepingcomputer.com — 29.04.2026 13:29
- The vulnerability allows low-complexity remote attackers to view sensitive information on unpatched Windows systems by sending a malicious file that the victim must execute, according to Microsoft’s advisory.
First reported: 29.04.2026 13:29 (1 source, 1 article)
- CISA orders feds to patch Windows flaw exploited as zero-day — www.bleepingcomputer.com — 29.04.2026 13:29