The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure Windows systems against a vulnerability tracked as CVE-2026-32202 after cybersecurity firm Akamai reported it as a zero-click NTLM hash leak left behind when Microsoft incompletely patched a February remote code execution flaw (CVE-2026-21510). CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) Catalog and mandated that Federal Civilian Executive Branch agencies patch affected endpoints and servers within two weeks, by May 12, under Binding Operational Directive 22-01.
What CISA required
CISA warned that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. The agency instructed agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While BOD 22-01 applies only to U.S. federal agencies, CISA urged all security teams to prioritize deploying patches for CVE-2026-32202 and to secure their organizations’ networks as soon as possible.
Details from Akamai and Microsoft
Akamai described CVE-2026-32202 as a zero-click NTLM hash leak that remained after Microsoft incompletely patched CVE-2026-21510 in February. Akamai explained that the flaw can be exploited in pass-the-hash attacks to steal NTLM hashes, which attackers can later use to authenticate as the compromised user, enabling lateral movement across networks or theft of sensitive data. Microsoft said that remote attackers who successfully exploit CVE-2026-32202 in low-complexity attacks by sending “the victim a malicious file that the victim would have to execute,” could “view some sensitive information” on unpatched systems.
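An NTLM hash leak of this kind works by causing the victim host to authenticate outbound to a server the attacker controls, so a standard compensating detection while patches roll out is to flag SMB connections from workstations to addresses outside the organisation. The following is an added example, not code from the article, Akamai or Microsoft; the log format, host names, process names, addresses and the list of internal ranges are all constructed assumptions to be adapted to the environment.

```python
import ipaddress

# Constructed sample of endpoint network-connection records (hypothetical
# pipe-delimited format): host|process|destination_ip|destination_port
SAMPLE_EVENTS = """\
ws-01|explorer.exe|10.0.0.5|445
ws-01|explorer.exe|203.0.113.42|445
ws-02|outlook.exe|198.51.100.7|139
ws-02|chrome.exe|198.51.100.7|443
ws-03|svchost.exe|172.16.4.9|445
"""

# Ports used for SMB / NTLM-over-SMB; an outbound hash leak goes to one of these.
SMB_PORTS = {139, 445}

# Assumed internal address space (RFC 1918 plus loopback and link-local).
# Defined explicitly rather than via ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as non-global.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_events(text):
    """Parse the constructed record format into dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, proc, ip, port = line.split("|")
        events.append({"host": host, "process": proc,
                       "dst_ip": ip, "dst_port": int(port)})
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_outbound_smb_to_internet(events):
    """Return records where a host opened SMB to a non-internal address,
    the pattern a hash-leak file produces when it forces the victim to
    authenticate to an external server."""
    return [e for e in events
            if e["dst_port"] in SMB_PORTS and not is_internal(e["dst_ip"])]


if __name__ == "__main__":
    for hit in find_outbound_smb_to_internet(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {hit['host']} {hit['process']} -> {hit['dst_ip']}:{hit['dst_port']}")
```

The same rule expressed as an egress firewall policy (deny TCP 139/445 from workstations to the internet) is the preventive counterpart of this detection.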
Exploitation context and attribution
CERT-UA revealed that the Russian APT28 group (also known as UAC-0001 and Fancy Bear) exploited CVE-2026-21510 in attacks against Ukraine and EU countries in December 2025, as part of an exploit chain that also targeted an LNK file flaw (CVE-2026-21513). Microsoft later flagged CVE-2026-32202 as exploited in attacks; when asked whether APT28 had also exploited this zero-click vulnerability, Microsoft said it had not identified evidence tying CVE-2026-32202 to APT28 activity based on what it had observed to date.
Related active exploitation
The reporting also noted that threat actors are actively exploiting three recently disclosed Windows security vulnerabilities, dubbed BlueHammer, RedSun, and UnDefend, in attacks aimed at gaining SYSTEM or elevated administrator privileges. According to the source, RedSun and UnDefend were still awaiting patches at the time of reporting.