CVE-2026-32202
MEDIUM · CVSS 4.3 · KEV · EPSS 7.2%. KEV confirmed, vendor patching and active exploitation claims, but no public PoC details yet.
What: Windows Shell protection mechanism failure (CVE-2026-32202, CVSS 4.3, EPSS 0.07) allows remote spoofing and zero-click NTLM credential theft via SMB.
Why it matters: KEV-listed 2026-04-28; Microsoft confirmed active exploitation in the wild; CISA issued a patch deadline (May 12); researchers flag the CVSS score as an underestimate, since a zero-click credential relay enables domain lateral movement. Because the prior flaw's patch was incomplete, systems that received only that earlier fix remain exposed.
Where it's seen: Threat intel and SOC teams reporting APT28 exploitation; vendor patching alerts (April Patch Tuesday); federal remediation timeline; security practitioners debating CVSS accuracy and SMB blocking strategies; no public PoC but exploitation confirmed by Microsoft/CISA.
RISK: HIGH — KEV-listed, zero-click, active in-the-wild exploitation, domain lateral movement enablement.
AttackerKB: Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
Public PoCs on GitHub (8 repos)
- nomi-sec/PoC-in-GitHub ★ 7688
  📡 PoCs auto-collected from GitHub. ⚠️ Be careful: malware.
- DarkFunct/TK-CVE-Repo ★ 49 · Python
  TK-CVE-Repo
- DevGreick/devgreick ★ 1 · Python
- myseq/tracker ★ 0 · Python
  Security Tracker
- virus-or-not/CVE-2026-32202 ★ 0 · Python
  Windows Shell Spoofing Vulnerability
Articles & coverage (14 articles)
- Windows zero-day CVE-2026-32202 confirmed as exploited (Notebookcheck News)
  CVE-2026-32202 allows attackers to steal NTLMv2 hashes from Windows systems without any user interaction beyond browsing a folder. A Windows Shell vulnerability patched in this month's Patch Tuesday has been confirmed as actively exploited in the wild. The flaw exists because Microsoft's February 2026 fix for a related vulnerability left an…
- CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202) (Help Net Security)
  Attackers are exploiting CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability that causes victims' systems to authenticate to the attacker's server, CISA and…
- A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202 (Akamai)
  Akamai researchers identified that an incomplete patch for CVE-2026-21510 (an APT28 exploit) created a new zero-click vulnerability: CVE-2026-32202. While Microsoft's fix successfully prevented the initial remote code execution (RCE) and SmartScreen bypass, it left behind a zero-click authentication coerci…
- Microsoft Confirms Windows Shell Vulnerability CVE-2026-32202 is ...
  CVE-2026-32202 is a spoofing vulnerability that could let unauthorized access to sensitive information. The vulnerability was found to be…
- Windows Shell Zero-Day Analysis | CVE-2026-32202 ... (YouTube)
  In this video, we take a deep dive into CVE-2026-32202, a critical Windows Shell vulnerability currently under active exploitation in the wild.
NVD details (1 CWE · 1 vendor · 2 refs)
Description
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
Vendors
- microsoft
Products
- windows_10_1607
- windows_10_1809
- windows_10_21h2
- windows_10_22h2
- windows_11_23h2
- windows_11_24h2
- windows_11_25h2
- windows_11_26h1
- windows_server_2012
- windows_server_2016
- windows_server_2019
- windows_server_2022
- (and 2 more)
Top posts driving the trend
- @eyalestrin.bsky.social (Bluesky) · 5/3/2026
  Windows shell spoofing vulnerability puts sensitive data at risk (CVE-2026-32202) #patchmanagement
  ♥ 0 · ↻ 0 · 💬 0
- @eyalestrin (X) · 5/3/2026
  Windows shell spoofing vulnerability puts sensitive data at risk (CVE-2026-32202) https://t.co/WbXzfeEhvP #patchmanagement
  ♥ 0 · ↻ 0 · 💬 0
- @ADKCyber (X) · 5/3/2026
  Microsoft Windows Protection Mechanism Failure (CVE-2026-32202) remains a known exploited issue. Businesses should follow vendor mitigation steps or guidance like BOD 22-01 to reduce risk by May 12, 2026. Staying updated helps protect your systems. #CyberSecurity
  ♥ 0 · ↻ 0 · 💬 0
- @bigpoppaken.bsky.social (Bluesky) · 5/2/2026
  Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 thehackernews.com/2026/04/micr...
  ♥ 0 · ↻ 0 · 💬 0
- @2rzikkbou3ntafnir2qmmse0gwz.activitypub.awakari.com.ap.brid.gy (Bluesky) · 5/2/2026
  Microsoft Shell Spoofing Zero-day Vulnerability. What is the Attack? A newly disclosed vulnerability, CVE-2026-32202, has emerged due to an incomplete patch by Microsoft for a previously exploited r...
  ♥ 0 · ↻ 0 · 💬 0
- @etguenni.bsky.social (Bluesky) · 5/1/2026
  The Windows Shell vulnerability CVE-2026-32202, closed on 14 April 2024, is being actively attacked borncity.com/blog/2026/05...
  ♥ 0 · ↻ 0 · 💬 0
- @FosoTweets (X) · 5/1/2026
  Windows Shell Exploitation: CISA and Microsoft are warning of active exploitation of a Windows Shell vulnerability (CVE-2026-32202). #cyber #CVE #microsoft
  ♥ 0 · ↻ 0 · 💬 0
- @inferlume_hq (X) · 5/1/2026
  Priority order for today. cPanel CVE-2026-41940. SimpleHelp CVE-2024-57726 and CVE-2024-57728. Windows Shell CVE-2026-32202. ActiveMQ CVE-2026-34197. Linux Copy Fail CVE-2026-31431. Samsung MagicINFO CVE-2024-7399. D-Link DIR-823X CVE-2025-29635.
  ♥ 0 · ↻ 0 · 💬 1
- @inferlume_hq (X) · 5/1/2026
  CVSS is 4.3 on CVE-2026-32202. Researchers say that is wrong. Zero-click credential theft that enables NTLM relay and domain-level lateral movement is not a 4.3 in any real deployment. Patch it and block outbound TCP 445 to non-domain hosts today.
  ♥ 0 · ↻ 0 · 💬 1
- @inferlume_hq (X) · 5/1/2026
  Here is the problem with CVE-2026-32202. It is an incomplete patch bypass for an earlier Windows Shell flaw. If you patched the prior bug but skipped April Patch Tuesday, you are still exposed to the same attack chain.
  ♥ 0 · ↻ 0 · 💬 1
- @inferlume_hq (X) · 5/1/2026
  CVE-2026-32202. Windows Shell zero-click. Navigating to a folder leaks your Net-NTLMv2 hash to an attacker server over SMB. No user click required. Microsoft and CISA confirm active exploitation. April Patch Tuesday fixes it.
  ♥ 0 · ↻ 0 · 💬 1
- @ZyberWallS (X) · 5/1/2026
  One malicious file. One double-click. Windows sends your NTLM hash to the attacker automatically. APT28-linked exploitation of CVE-2026-32202 is active right now. Patch. Block port 445. https://t.co/iHvi4ZpvUy #CyberSecurity #Windows #APT28
  ♥ 1 · ↻ 1 · 💬 0
- @PatronusCyber (X) · 5/1/2026
  🚨 Active Windows Vulnerability Confirmed. Microsoft says CVE-2026-32202 is being actively exploited following an incomplete earlier patch. Patronus is actively reviewing affected systems and applying updated patches. https://t.co/bMqpkkSMEw
  ♥ 0 · ↻ 0 · 💬 0
- @packetrat_ (X) · 5/1/2026
  🔍 Monitoring Exploitation of Windows Shell CVE-2026-32202 https://t.co/IQXHrDw8AE Crafted a KQL query to monitor exploitation attempts of Windows Shell CVE-2026-32202. Detection engineering isn't just about writing rules; it's about mapping real-world pivots across https://t.co/2GmPgY7zFI
  ♥ 0 · ↻ 0 · 💬 0
- @newrockit (X) · 5/1/2026
  🚨 Windows admins + SMB owners: CISA just added CVE-2026-32202 to the Known Exploited Vulnerabilities list, meaning it's being used in real attacks. Patch ASAP (feds' deadline: May 12). Need help patching + hardening? NEWROCKIT: https://t.co/YuH17kGdx1 https://t.co/AznWFqK30D
  ♥ 0 · ↻ 1 · 💬 0