CVE-2026-32202 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2026-04-14

Added to CISA KEV: 2026-04-28 14 DAYS BETWEEN CVE AND KEV

CRITICAL: Check for indicators of compromise - confirmed active exploitation by APT28. Review SMB authentication logs for suspicious credential access attempts
Apply Microsoft security updates immediately for all affected Windows versions
Monitor for suspicious SMB authentication activity and credential theft attempts
Implement user training on avoiding malicious file downloads
HIGH priority patching due to active exploitation despite requiring user interaction

Regarding CVE-2026-32202, here's what is known about its exploitation:

Internet-facing applications or services: While specific details about CVE-2026-32202's impact on internet-facing applications are not explicitly detailed in the provided information, it is a Windows Shell vulnerability ^[2]. Vulnerabilities in operating system components like the Windows Shell can potentially be exploited through various attack vectors, including those that might involve internet-facing services if they interact with the shell.

Evidence of active exploitation in the wild: Yes, there is confirmed evidence of active exploitation ^[1]^[2]. Microsoft has confirmed this active exploitation ^[1].

Attack vectors and exploitation methods: The vulnerability stems from an incomplete fix that allows attackers to steal credentials via SMB authentication when a malicious file is opened ^[1]. This suggests that a primary attack vector involves tricking a user into opening a malicious file, which then leverages the SMB protocol to steal credentials.

Use in targeted attacks: CVE-2026-32202 has been linked to APT28, a known threat actor group ^[2]. This indicates its use in targeted attacks.

CISA Known Exploited Vulnerabilities (KEV) status: The provided information does not explicitly state that CVE-2026-32202 is currently on the CISA Known Exploited Vulnerabilities (KEV) Catalog. However, CISA does maintain such a catalog of actively exploited vulnerabilities ^[3]^[4]. Given the confirmed active exploitation and link to APT28, it is plausible it could be added or is already present.

Technical details about internet exploitability: The technical details indicate that the vulnerability allows for credential theft through SMB authentication ^[1]. This implies that systems with SMB services exposed and vulnerable to this specific exploit could be targeted. The exploitability is described as stemming from an "incomplete fix" ^[1].

Microsoft confirmed active exploitation of a Windows flaw → CVE ...
The bug stems from an incomplete fix, allowing attackers to steal credentials via SMB authentication when a malicious file is opened. Read ...
CVE-2026-32202 Microsoft Confirms Active Exploitation of Windows Shell
The Windows Shell vulnerability CVE-2026-32202 is a clear example of how seemingly low-severity issues can become critical in real-world attacks. With active exploitation confirmed and ties to APT28, organizations must take immediate action.
Known Exploited Vulnerabilities Catalog - CISA
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…
Reducing the Significant Risk of Known Exploited Vulnerabilities - CISA
Learn about the importance of CISA's Known Exploited Vulnerability (KEV) catalog and how to use it to help build a collective resilience across the cybersecurity community.

🟢 CVE-2026-32202