
CISA orders federal agencies to patch Windows flaw exploited in zero-day attacks

The Cybersecurity and Infrastructure Security Agency (CISA) of the US has ordered government agencies to protect their Windows systems against a vulnerability used in zero-day attacks.

Tracked as CVE-2026-32202, the security flaw was reported by Internet security firm Akamai, which it described as a zero-click vulnerability left behind after Microsoft incompletely patched a remote code execution flaw (CVE-2026-21510) in February.

As CERT-UA revealed, the Russian group APT28 (also known as UAC-0001 and Fancy Bear) exploited CVE-2026-21510 in attacks against Ukraine and EU countries in December 2025 as part of a series of exploits targeting the LNK file flaw (CVE-20136-2126-21).


“Microsoft fixed the first RCE (CVE-2026-21510); the authentication enforcement flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click identity theft vector through the use of auto-separated LNK files,” Akamai said in a Thursday report.

As Microsoft explains, remote attackers who successfully exploit the vulnerability in a sophisticated attack by sending “a malicious file that the victim will have to execute,” could “view sensitive information” on unpatched systems.

Microsoft flagged CVE-2026-32202 as exploited on Sunday, after BleepingComputer reached out last week to ask why the advisory issued on April 2026 Patch Tuesday carried an exploitability rating of ‘Exploitation Found’ while the vulnerability was marked as not exploited.

A Microsoft spokesperson has not responded to a second email requesting more information about the CVE-2026-32202 attack, including whether the APT28 hackers have exploited this zero-click vulnerability again.

Federal agencies ordered to patch by May 12

On Tuesday, CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Windows endpoints and servers within two weeks, by May 12, as required by Binding Operational Directive (BOD) 22-01.

“This type of vulnerability is a common attack by malicious actors and poses a significant risk to government business,” the cybersecurity agency warned.

“Use mitigations in each vendor’s instructions, follow applicable BOD 22-01 guidelines for cloud services, or stop using the product if mitigations are not available.”

Although BOD 22-01 applies only to US government agencies, CISA urged all security teams to prioritize deployment of CVE-2026-32202 patches and secure their organizations’ networks as soon as possible.
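The KEV/BOD 22-01 workflow described above is easy to automate on the defender side: pull the catalog, compare it against what is already patched, and surface anything overdue or close to its deadline. The script below is an added example, not code from the article, CISA or Microsoft. It reads the field names CISA's KEV JSON feed uses (`cveID`, `dateAdded`, `dueDate`, `requiredAction`) from a constructed excerpt; the CVE-2026-32202 entry follows the article (added on a Tuesday, due May 12, which puts the add date at 2026-04-28, an assumption from context), and the second entry is a placeholder that only exists to exercise the overdue path.

```python
import json
from datetime import date, timedelta

# Constructed KEV-style catalog excerpt using the same field names as CISA's
# published JSON feed. CVE-2026-32202 dates follow the article (add date
# 2026-04-28 is assumed from "Tuesday" + "May 12"); the second entry is a
# placeholder, not a real CVE, included only to show an overdue item.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-32202",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "dateAdded": "2026-04-28",
      "dueDate": "2026-05-12",
      "requiredAction": "Use mitigations in each vendor's instructions, follow applicable BOD 22-01 guidelines for cloud services, or stop using the product if mitigations are not available."
    },
    {
      "cveID": "CVE-0000-0001",
      "vendorProject": "PLACEHOLDER-VENDOR",
      "product": "PLACEHOLDER-PRODUCT",
      "dateAdded": "2026-03-01",
      "dueDate": "2026-03-15",
      "requiredAction": "Use mitigations in each vendor's instructions."
    }
  ]
}
"""

# Standard BOD 22-01 remediation window for newly catalogued CVEs.
BOD_22_01_WINDOW = timedelta(days=14)


def load_kev(text: str) -> list[dict]:
    """Parse a KEV catalog JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def expected_due_date(entry: dict) -> date:
    """Deadline implied by dateAdded plus the two-week window.

    The catalog's own dueDate field is authoritative; this is a cross-check
    that flags entries whose deadline differs from the standard window.
    """
    return date.fromisoformat(entry["dateAdded"]) + BOD_22_01_WINDOW


def triage(entries: list[dict], patched: set[str], today: date) -> list[dict]:
    """Classify each catalog entry as patched, overdue, or due in N days.

    `patched` is the set of CVE IDs the inventory shows as remediated.
    Unpatched items come first, ordered by how little time remains.
    """
    report = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        remaining = (due - today).days
        if entry["cveID"] in patched:
            status = "patched"
        elif remaining < 0:
            status = "overdue"
        else:
            status = f"due_in_{remaining}_days"
        report.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "days_remaining": remaining,
            "status": status,
            "due_matches_14d": expected_due_date(entry) == due,
        })
    # Patched items sink to the bottom; among the rest, least time left first.
    report.sort(key=lambda r: (r["status"] == "patched", r["days_remaining"]))
    return report


if __name__ == "__main__":
    # Example run as of 2026-05-01 with nothing yet patched (constructed inventory).
    for row in triage(load_kev(SAMPLE_KEV_JSON), patched=set(), today=date(2026, 5, 1)):
        print(f'{row["cveID"]:16} {row["product"]:32} due {row["dueDate"]}  {row["status"]}')
```

In practice the `patched` set would come from the endpoint management or vulnerability scanner export, and `today` from the clock; the `due_matches_14d` flag is there because CISA sets longer windows for some older CVEs, so a mismatch is a prompt to read the catalog entry rather than an error.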

Threat actors are also actively exploiting three recently disclosed Windows security vulnerabilities (dubbed BlueHammer, RedSun, and UnDefend) in attacks aimed at gaining SYSTEM or elevated administrative privileges; the latter two have not yet been patched.
