CISA orders feds to patch Windows flaw exploited as zero-day

BleepingComputer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks.

Tracked as CVE-2026-32202, this security flaw was reported by cybersecurity firm Akamai, which described it as a zero-click NTLM hash leak vulnerability left behind after Microsoft incompletely patched a remote code execution flaw (CVE-2026-21510) in February.

As CERT-UA revealed, the Russian APT28 (aka UAC-0001 and Fancy Bear) cyberespionage group exploited CVE-2026-21510 in attacks against Ukraine and EU countries in December 2025 as part of an exploit chain that also targeted a LNK file flaw (CVE-2026-21513).

Microsoft says that remote attackers who successfully exploit the CVE-2026-32202 vulnerability in low-complexity attacks by sending "the victim a malicious file that the victim would have to execute," could "view some sensitive information" on unpatched systems.

Akamai further explained in a Thursday report that this security flaw can be exploited in pass-the-hash attacks to steal NTLM hashes (hashed passwords), which are later used to authenticate as the compromised user, allowing attackers to spread laterally across the network or steal sensitive data.

Microsoft also flagged the CVE-2026-32202 flaw as exploited in attacks on Sunday, after BleepingComputer reached out last week to ask why the advisory released during the April 2026 Patch Tuesday carried an exploitability assessment of 'Exploitation Detected' while the vulnerability was still flagged as not exploited.

A Microsoft spokesperson has yet to reply to a second email requesting more information about the CVE-2026-32202 attacks, including whether APT28 hackers also exploited this zero-click vulnerability.

Feds ordered to patch by May 12

On Tuesday, CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Windows endpoints and servers within two weeks, by May 12, as mandated by Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Although BOD 22-01 applies only to U.S. federal agencies, CISA has urged all security teams to prioritize deploying patches for CVE-2026-32202 and securing their organizations' networks as soon as possible.

Threat actors are also actively exploiting three recently disclosed Windows security vulnerabilities (dubbed BlueHammer, RedSun, and UnDefend) in attacks aimed at gaining SYSTEM or elevated administrator privileges, with the latter two still awaiting patches.
