CISA Orders Feds to Patch Exploited Windows Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency orders federal agencies to patch Windows systems against CVE-2026-32202, a vulnerability exploited in zero-day attacks.

Akamai reports the flaw as a zero-click vulnerability remaining after Microsoft incompletely patched a remote code execution issue, CVE-2026-21510, in February. CERT-UA states that Russian APT28 exploited CVE-2026-21510 in December 2025 attacks on Ukraine and EU countries, chaining it with CVE-2026-21513 targeting an LNK file flaw. Akamai describes a gap between path resolution and trust verification enabling zero-click credential theft via auto-parsed LNK files.

Microsoft explains that remote attackers exploit the low-complexity flaw by sending a malicious file for the victim to execute, allowing viewing of sensitive information on unpatched systems. Microsoft flagged CVE-2026-32202 as exploited on Sunday following BleepingComputer's inquiry about its April 2026 Patch Tuesday advisory.

CISA adds the flaw to its Known Exploited Vulnerabilities Catalog on Tuesday, requiring Federal Civilian Executive Branch agencies to patch endpoints and servers by May 12 under Binding Operational Directive 22-01. CISA warns of significant risks and urges all organizations to apply patches immediately. Threat actors also exploit three other recent Windows flaws dubbed BlueHammer, RedSun, and UnDefend.