CISA Orders Federal Agencies to Patch Critical Windows Zero-Day CVE-2026-32202 Under Active Exploitation

CSBadmin

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies patch a Windows zero-day vulnerability tracked as CVE-2026-32202. This zero-click NTLM hash leak flaw emerged from an incomplete February fix for a related remote code execution vulnerability (CVE-2026-21510).

Discovered by Akamai, CVE-2026-32202 allows attackers to steal NTLM hashes for use in pass-the-hash attacks, enabling lateral movement within networks. The flaw can be triggered simply by browsing a folder containing a malicious LNK shortcut file; no action beyond navigating to the directory is required.

CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on April 29, mandating Federal Civilian Executive Branch agencies secure Windows endpoints by May 12 under BOD 22-01. While the directive applies specifically to federal agencies, CISA urged all organizations to prioritize this patch given confirmed active exploitation.

Microsoft included the fix in its April Patch Tuesday update but initially assigned an incorrect exploitability assessment. The advisory was updated on April 27 to confirm exploitation in the wild. Organizations should immediately verify that April 2026 security updates have been applied.

Source: The Hacker News
