CISA has ordered federal agencies to secure their Windows systems against CVE-2026-32202, a flaw exploited in zero-day attacks. Reported by Akamai, it is a zero-click NTLM hash-leak vulnerability that remained after Microsoft only partially fixed an earlier remote-code-execution bug, CVE-2026-21510, in February.
Microsoft says a remote attacker can exploit CVE-2026-32202 in low-complexity attacks by sending the victim a malicious file that, once executed, exposes some sensitive information. Akamai explains that the leaked NTLM hashes can be used in pass-the-hash attacks to authenticate as the compromised user, enabling lateral movement or data theft across a network.
The underlying CVE-2026-21510 has a notable history: Ukraine's CERT-UA reported that the Russian state group APT28 (also known as Fancy Bear) chained it with a separate LNK flaw, CVE-2026-21513, in attacks on Ukraine and EU countries in December 2025. Microsoft told reporters it has not, so far, tied the newer zero-click bug to APT28 activity.
When it added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog, CISA gave Federal Civilian Executive Branch agencies until May 12 to patch under Binding Operational Directive 22-01, and urged all organizations to prioritize the update. Separately, attackers are exploiting three other recently disclosed Windows bugs (dubbed BlueHammer, RedSun, and UnDefend), with the last two, RedSun and UnDefend, still awaiting fixes.