CISA and Microsoft flag active Windows zero-click flaw after patch setback
Federal agencies are under urgent orders to patch a Windows zero-day still exploited after an initial failed fix.
Why it matters: Sensitive enterprise and government systems remain exposed to credential theft and breach risk, with compliance implications for federal contractors and regulated businesses.
- CVE-2026-32202 enables NTLMv2 hash theft via malicious LNK files, requiring no user interaction.
- CISA set a May 12, 2026, deadline for U.S. federal agencies to patch the flaw.
- Russian group APT28 previously exploited a related vulnerability in attacks on Ukraine and the EU.
- Some HP and Dell users reported boot loops after installing Microsoft's KB5083769 patch.
Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have issued urgent warnings about CVE-2026-32202—a Windows vulnerability allowing attackers to steal NTLMv2 credentials without requiring users to open files or links. Exposure occurs simply by browsing a folder containing a malicious LNK file, elevating risk across managed networks.
- CISA categorized the flaw as a “significant risk to the federal enterprise” and added it to its Known Exploited Vulnerabilities catalog, mandating a patch by May 12, 2026.
- Microsoft's initial fix for a related issue (CVE-2026-21510) in February 2026 failed to fully close an authentication loophole, ultimately exposing CVE-2026-32202, according to Akamai researcher Maor Dahan: “The victim machine was still authenticating to the attacker's server.”
- The patch for CVE-2026-32202 arrived April 14, 2026, in the KB5083769 update; however, deployment issues—including boot loops on some HP and Dell machines—have complicated mitigation efforts (Windows Report).
- While the vulnerability's CVSS score is only 4.3, its “zero-click” exploitation path dramatically increases the threat to unpatched environments.
Russian threat group APT28 previously exploited related flaws in real-world attacks targeting Ukraine and EU nations in December 2025. There is no confirmed evidence yet that this group is exploiting CVE-2026-32202 itself, but the connection heightens urgency for patching and monitoring efforts.
Enterprises and legal professionals should review patch status, monitor for suspicious credential activity, and assess compliance exposure in light of ongoing exploitation warnings.
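One way to carry out the patch-status and credential-exposure review described above, as an added example that is not from the article, Microsoft, or CISA: a PowerShell audit script for a single Windows host. It takes the KB number from the article; the registry location of the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and the NTLM Operational log event used for auditing are assumed here to be the standard ones and are labelled as such in the comments.

```powershell
# Added example (not from the article): audit one Windows host for
#   1. whether the April 2026 update KB5083769 is installed, and
#   2. whether outgoing NTLM authentication to remote servers is
#      restricted or at least audited, which is what limits an NTLMv2
#      response from leaking to an external server when a folder
#      holding a malicious LNK file is browsed.
# Assumptions: the KB id comes from the article; the registry value
# RestrictSendingNTLMTraffic under Lsa\MSV1_0 is assumed to be where
# the "Outgoing NTLM traffic to remote servers" policy is stored; event
# 8001 in the Microsoft-Windows-NTLM/Operational log is assumed to be the
# outgoing-NTLM audit event. Run in an elevated PowerShell session.

$KbId = 'KB5083769'

function Test-PatchInstalled {
    param([string]$Id)
    # Get-HotFix reads Win32_QuickFixEngineering; a missing KB simply
    # returns nothing instead of throwing.
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Get-OutboundNtlmPolicy {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $item = Get-ItemProperty -Path $path -Name 'RestrictSendingNTLMTraffic' -ErrorAction SilentlyContinue
    switch ($item.RestrictSendingNTLMTraffic) {
        0       { 'Allow all (0)' }
        1       { 'Audit all (1)' }
        2       { 'Deny all (2)' }
        default { 'Not configured (behaves as allow all)' }
    }
}

function Get-RecentOutboundNtlmAudits {
    param([int]$Max = 25)
    # Only populated when the policy above is set to Audit or Deny; each
    # event names the remote server the client tried to authenticate to.
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$report = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    PatchInstalled = Test-PatchInstalled -Id $KbId
    OutboundNtlm   = Get-OutboundNtlmPolicy
}
$report | Format-List

if (-not $report.PatchInstalled) {
    Write-Warning "$KbId is not installed on $env:COMPUTERNAME; host remains exposed to CVE-2026-32202."
}
if ($report.OutboundNtlm -like 'Allow all*' -or $report.OutboundNtlm -like 'Not configured*') {
    Write-Warning 'Outgoing NTLM to remote servers is unrestricted; consider Audit (1) first, then Deny (2) with exceptions.'
}

Write-Host 'Recent outgoing NTLM audit events (empty unless auditing is enabled):'
Get-RecentOutboundNtlmAudits | Format-Table -AutoSize
```

The script only reports; it changes nothing. Moving the policy from Audit to Deny should be done after reviewing the 8001 events for legitimate internal servers that still need NTLM, since a blanket deny can break those. Because KB5083769 has caused boot loops on some HP and Dell hardware, the patch check is best run fleet-wide (for example through a management tool) so that hosts that had the update rolled back are not mistaken for patched ones.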
By the numbers:
- 4.3 — CVSS score for CVE-2026-32202; real-world risk is nonetheless high because of the "zero-click" attack method
- May 12, 2026 — Deadline set by CISA for federal agencies to patch affected systems
- April 14, 2026 — Microsoft released KB5083769 update for CVE-2026-32202
Yes, but: Some affected users reported boot issues after installing the patch, potentially delaying remediation.
What's next: Federal agencies must complete patching by CISA's May 12, 2026, deadline. Monitor for further out-of-band updates from Microsoft.