
CISA Orders Feds to Patch Windows Flaw Exploited as Zero-Day
Why It Matters
The KEV listing signals an urgent, nationwide risk to federal and private networks alike, and the hard deadline should accelerate patch adoption across the enterprise ecosystem.
Key Takeaways
- CISA adds CVE‑2026‑32202 to the KEV catalog and mandates a May 12 patch deadline.
- The flaw allows a zero‑click NTLM hash leak, enabling pass‑the‑hash attacks.
- APT28 previously exploited the related CVE‑2026‑21510 in Ukraine and EU campaigns.
- Microsoft reports active exploitation, contradicting its earlier “not exploited” status.
- The BlueHammer, RedSun and UnDefend Windows bugs still lack patches.
Pulse Analysis
The Cybersecurity and Infrastructure Security Agency (CISA) has escalated the risk posed by a newly disclosed Windows vulnerability, CVE‑2026‑32202, by adding it to the agency’s Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22‑01, which requires remediation of every KEV entry by its due date, Federal Civilian Executive Branch agencies now have a hard deadline of May 12 to apply Microsoft’s fix, a timeline that compresses the usual patch cycle. The listing underscores how quickly a flaw can move from research disclosure to active exploitation, and it pushes government IT teams to prioritize deployment and to validate remediation across both on‑premises and cloud workloads rather than assuming a deployed update took effect.
CVE‑2026‑32202 is a zero‑click NTLM hash‑leak vulnerability that bypasses an incomplete fix for the earlier remote‑code‑execution bug CVE‑2026‑21510. By delivering a crafted file that the victim merely opens, attackers coerce the victim’s machine into an outbound NTLM authentication and capture the credential material it sends. The caveat a defender should keep in mind is that what leaks is an NTLM challenge‑response, which attackers can relay to other services or crack offline; a recovered NT hash then feeds pass‑the‑hash attacks, granting lateral movement and potential access to sensitive data. Russian‑linked APT28, known for targeting Ukrainian and European entities, has previously weaponized the predecessor flaw, suggesting it may already have tooling to chain the new exploit with the still‑unpatched BlueHammer, RedSun and UnDefend Windows weaknesses.
The public‑sector warning serves as a bellwether for private enterprises, many of which run identical Windows stacks and often lag behind federal patch schedules. Security teams should treat the KEV listing as a de facto priority signal: accelerate vulnerability management, confirm that the update is actually installed on every affected host, and monitor for anomalous NTLM authentication that indicates hash theft. For this bug class, blocking outbound SMB (TCP 445) at the network edge and restricting outgoing NTLM through the Windows “Network security: Restrict NTLM” policies cut off the leak path even before the patch lands. The episode also highlights the value of threat‑intel sharing between agencies, vendors, and firms like Akamai, whose early disclosure helped surface the flaw. Proactive hardening, multi‑factor authentication, and network segmentation remain essential defenses against the evolving exploit chain.
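The two preceding paragraphs describe the leak‑then‑pass‑the‑hash chain and ask defenders to watch for authentication that indicates hash theft. The script below is an added example written for this page, not code from Microsoft, CISA or the article’s author: it runs three detection rules over constructed sample telemetry, namely SMB connections leaving the internal ranges (the path a coerced NTLM authentication takes to an attacker’s server), NTLM network logons by privileged accounts from outside an expected admin subnet, and the LogonType 9/seclogo/Negotiate pattern left by credential‑injection tooling used for pass‑the‑hash. The internal ranges, admin subnet, privileged account names, Event ID 4624 records and firewall records are all assumptions and constructed data to be swapped for your own.

```python
"""Added example: flag the traces an NTLM hash-leak-then-pass-the-hash chain leaves.

Illustrative code written for this page, not Microsoft's, CISA's or the article
author's. The events and firewall records below are constructed sample data; the
network ranges, account names and subnets are assumptions to adapt.
"""
import ipaddress

# Assumptions: RFC 1918 space is "internal", privileged accounts are listed here,
# and privileged NTLM network logons are only expected from the jump-host subnet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_SUBNET = ipaddress.ip_network("10.0.9.0/24")
PRIVILEGED_ACCOUNTS = {"adm_backup", "administrator"}
# SMB ports. WebDAV over 80/443 can also carry NTLM, but separating it from
# ordinary web traffic needs proxy logs, so it is left out of this rule.
NTLM_CARRYING_PORTS = {445, 139}

# Constructed Windows Security Event ID 4624 records (field names as in the real event).
SAMPLE_LOGONS = [
    # Routine Kerberos network logon from a domain-joined workstation: no alert.
    {"LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "WorkstationName": "WS-0023"},
    # NTLM network logon for a privileged account from a desktop VLAN, not the admin subnet.
    {"LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "TargetUserName": "adm_backup", "IpAddress": "10.0.5.77", "WorkstationName": "kali"},
    # LogonType 9 via seclogo/Negotiate: the footprint of runas /netonly-style credential
    # injection used by pass-the-hash tooling (legitimate runas /netonly looks the same).
    {"LogonType": 9, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "seclogo",
     "TargetUserName": "jdoe", "IpAddress": "::1", "WorkstationName": "WS-0023"},
]

# Constructed perimeter firewall records: outbound connections seen at the edge.
SAMPLE_EGRESS = [
    {"src": "10.0.5.23", "dst": "10.0.1.10", "dport": 445},     # internal file server: normal
    {"src": "10.0.5.23", "dst": "203.0.113.45", "dport": 445},  # SMB to the internet: leak path
    {"src": "10.0.5.23", "dst": "203.0.113.45", "dport": 80},   # HTTP is not flagged by this rule
]


def is_internal(ip: str) -> bool:
    """True for loopback or RFC 1918 sources; unparsable values ("-") are not network sources."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    # Membership is checked explicitly: ipaddress.is_private treats documentation
    # ranges such as 203.0.113.0/24 as private, which would hide an internet destination.
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def find_logon_alerts(events):
    """Return (rule, account, where) tuples for 4624 events matching pass-the-hash patterns."""
    alerts = []
    for e in events:
        user = e["TargetUserName"].lower()
        pkg = e["AuthenticationPackageName"]
        # Rule 1: privileged account authenticating with NTLM over the network from an
        # unexpected source. Pass-the-hash replays the NT hash through NTLM, so these
        # logons deserve scrutiny wherever Kerberos would normally be used.
        if e["LogonType"] == 3 and pkg == "NTLM" and user in PRIVILEGED_ACCOUNTS:
            try:
                from_admin = ipaddress.ip_address(e["IpAddress"]) in ADMIN_SUBNET
            except ValueError:
                from_admin = False
            if not from_admin:
                alerts.append(("ntlm_privileged_unexpected_source", user, e["IpAddress"]))
        # Rule 2: NewCredentials logon through seclogo with Negotiate.
        if e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo" and pkg == "Negotiate":
            alerts.append(("local_pass_the_hash_pattern", user, e["WorkstationName"]))
    return alerts


def find_egress_alerts(records):
    """Return (rule, src, dst, dport) for SMB connections leaving the internal ranges."""
    return [("smb_egress_to_internet", r["src"], r["dst"], r["dport"])
            for r in records
            if r["dport"] in NTLM_CARRYING_PORTS and not is_internal(r["dst"])]


if __name__ == "__main__":
    for alert in find_logon_alerts(SAMPLE_LOGONS) + find_egress_alerts(SAMPLE_EGRESS):
        print(alert)
```

Rule 2 also fires on legitimate `runas /netonly` use, so it is a triage signal rather than a verdict; the egress rule, by contrast, should be near‑zero noise on a network that blocks outbound SMB, which is exactly why any hit there deserves immediate attention. The explicit internal‑range list is deliberate: `ipaddress.is_private` classifies the documentation range used in the sample as private, so relying on it would miss a real internet destination in production data drawn from similar ranges.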