On 28 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft Windows and is named the Microsoft Windows Protection Mechanism Failure Vulnerability. It allows an unauthenticated, network-based attacker to perform spoofing by exploiting a failure in the Windows Shell protection mechanism.
The vulnerability is a protection-mechanism bypass in the Windows Shell component. Successful exploitation enables network-based spoofing, allowing an attacker to masquerade as a trusted entity. The CVSS v3.1 base score is 4.3 (Medium severity). Microsoft has released a patch; the advisory and update guidance are available via the MSRC update guide. Exploitation occurs via network traffic that interferes with the Shell's object handling, producing the spoofing condition.
Inclusion in the KEV catalogue indicates that active exploitation of CVE-2026-32202 has been observed in the wild. No public reports link this vulnerability to ransomware campaigns at this time. Federal civilian executive branch (FCEB) agencies must apply the required mitigations by 12 May 2026, the remediation deadline set by CISA. Organisations should monitor network logs for anomalous Shell-related activity as a precautionary measure.
CISA directs FCEB agencies to apply mitigations per vendor instructions, follow applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of the product if mitigations cannot be applied. While the directive binds FCEB organisations, all other organisations should review their Windows environments for exposure and implement the vendor's patch or mitigations as a precaution.
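To turn the KEV deadline above into a tracked action item, the following added example (not CISA's or the article's code) matches KEV feed records against a constructed asset inventory and flags each applicable entry as on-track, due-soon or overdue. The feed sample and inventory are constructed; the CVE-2026-32202 record mirrors the details in this advisory, and the second record is a placeholder present only to show non-applicable entries being dropped.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (real field names). The first
# record mirrors the advisory above; the second is a labelled placeholder used for filtering.
KEV_FEED_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
  "vulnerabilityName": "Microsoft Windows Protection Mechanism Failure Vulnerability",
  "dateAdded": "2026-04-28", "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor", "product": "PlaceholderProduct",
  "vulnerabilityName": "placeholder entry", "dateAdded": "2026-04-28", "dueDate": "2026-05-19",
  "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed asset inventory: hostname -> list of (vendor, product) pairs.
INVENTORY = {"ws-finance-01": [("Microsoft", "Windows")],
             "srv-web-02": [("Microsoft", "Windows Server 2022")],
             "nas-backup-01": [("Synology", "DSM")]}

@dataclass
class KevTriage:
    cve_id: str
    due: date
    days_left: int
    status: str            # "overdue" | "due-soon" | "on-track"
    ransomware_use: str
    hosts: list            # inventory hosts running the affected product

def _matches(entry, vendor, product):
    """Vendor matches case-insensitively and the KEV product string is contained in the inventory product."""
    return (entry["vendorProject"].lower() == vendor.lower()
            and entry["product"].lower() in product.lower())

def triage(feed_json, inventory, today_iso, soon_days=7):
    """Return the KEV entries that apply to the inventory, most urgent first."""
    today = date.fromisoformat(today_iso)
    results = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        hosts = sorted(h for h, sw in inventory.items()
                       if any(_matches(entry, v, p) for v, p in sw))
        if not hosts:
            continue                      # nothing in the estate runs this product
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        status = ("overdue" if days_left < 0
                  else "due-soon" if days_left <= soon_days else "on-track")
        results.append(KevTriage(entry["cveID"], due, days_left, status,
                                 entry["knownRansomwareCampaignUse"], hosts))
    return sorted(results, key=lambda r: r.due)
```

Feeding it the live KEV JSON and a real inventory export gives a per-CVE list of affected hosts with the BOD 22-01 due date and its current state.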
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-32202 and the CISA KEV catalogue.