[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2026-32202: Microsoft Windows Protection Mechanism Failure Vulnerability
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Tue Apr 28 12:32:40 PDT 2026
Good afternoon,
The SOC Services team is reporting on the vulnerability CVE-2026-32202: Microsoft Windows Protection Mechanism Failure Vulnerability, affecting enterprise-wide supported versions of Windows and Windows Server. Because of confirmed active exploitation by the threat actor APT28 (Fancy Bear) to bypass security features and steal NTLMv2 hashes, we are providing this in-depth information.
History: Disclosed on April 14, 2026, and updated on April 27, 2026, to acknowledge active exploitation. The CVSS v3.x base score is 4.3 (MEDIUM) as assigned by CISA-ADP.
Affected Versions
* Windows 10 Version 1607, 1809, 21H2, 22H2
* Windows 11 Version 22H2, 23H2, 24H2, 25H2, 26H1
* Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025
Fixed Versions
* April 2026 Security Update (and subsequent cumulative updates)
Vendor Advisory: Windows Shell Spoofing Vulnerability - CVE-2026-32202 <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202>
Intelligence: On April 28, 2026, CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability has been observed in combination with CVE-2026-21510 and CVE-2026-21513.
Exploitability: Network Exploitability
Complexity: Low
User Interaction: Required
Remotely Exploitable: Yes
Proof of Concept: Not publicly disclosed
Zero Day: No
Workarounds: Implement network segmentation to limit exposure of vulnerable systems; apply defense-in-depth strategies, including web filtering and email security, to reduce the attack surface; and consider restricting Windows Shell functionality through Group Policy where operationally feasible until patching is complete.
How it Works: An attacker crafts malicious network traffic or content targeting the Windows Shell component. When the victim interacts with the malicious content (user interaction is required), the protection mechanism in Windows Shell fails to properly detect or block the spoofing attempt, allowing the attacker to spoof content or identity, with a potential limited impact on confidentiality.
Post-Exploit Impact:
* Credential theft (Net-NTLMv2 hashes) leading to offline cracking or NTLM relay attacks (CWE-693)
Indicators of Compromise (IoCs):
Type: Behavior
Value: Unexpected outbound SMB traffic (TCP port 445) from explorer.exe to untrusted external IP addresses
Description / Notes: Indicates an authentication coercion attempt
Source: SentinelOne
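A detection check for the behavioral indicator above, added here as an illustration and not taken from the alert or from SentinelOne: it scans connection records shaped like Sysmon network-connection events for explorer.exe reaching an SMB port on an address outside the internal ranges. The record field names, host names, sample addresses and the extra_trusted allow-list are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Ranges treated as internal/trusted (RFC 1918, loopback, link-local).
# Assumption: the organization's own public ranges are passed in via extra_trusted.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records shaped like Sysmon Event ID 3 fields (Image,
# DestinationIp, DestinationPort). Not real telemetry; "external" addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_CONNECTIONS = [
    {"host": "WS-0142", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "10.20.4.15", "dst_port": 445},    # internal file server
    {"host": "WS-0142", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "203.0.113.25", "dst_port": 445},  # suspicious
    {"host": "WS-0142", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "198.51.100.9", "dst_port": 443},  # ordinary HTTPS
    {"host": "SRV-07", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "192.0.2.77", "dst_port": 445},    # suspicious
    {"host": "WS-0199", "image": r"C:\Program Files\App\app.exe",
     "dst_ip": "192.0.2.77", "dst_port": 445},    # not explorer.exe
]

@dataclass(frozen=True)
class Finding:
    host: str
    dst_ip: str
    dst_port: int

def is_untrusted_destination(ip_text, extra_trusted=()):
    """True when the address lies outside every internal/trusted range."""
    ip = ipaddress.ip_address(ip_text)
    trusted = INTERNAL_NETWORKS + [ipaddress.ip_network(n) for n in extra_trusted]
    return not any(ip in net for net in trusted)

def detect_smb_coercion(records, extra_trusted=(), smb_ports=(445,)):
    """Flag explorer.exe connections to an SMB port on an untrusted address."""
    findings = []
    for rec in records:
        image_name = rec["image"].rsplit("\\", 1)[-1].lower()
        if image_name != "explorer.exe" or rec["dst_port"] not in smb_ports:
            continue
        if is_untrusted_destination(rec["dst_ip"], extra_trusted):
            findings.append(Finding(rec["host"], rec["dst_ip"], rec["dst_port"]))
    return findings
```

Running detect_smb_coercion(SAMPLE_CONNECTIONS) returns the two explorer.exe connections to 203.0.113.25 and 192.0.2.77; the internal file-server connection, the HTTPS connection and the non-explorer process are not flagged.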
Tenable Plugins: As of April 28th, Tenable has released plugins to detect this vulnerability. Due to the number of plugins available, we are providing the URL (https://www.tenable.com/cve/CVE-2026-32202/plugins) to the plugins instead of posting them individually.
Recommended Actions:
Date Added to KEV Catalog: April 28, 2026
Due Date for Remediation: May 12, 2026
* Prioritize patching of all Windows workstations and servers with the April 2026 Security Update
* Block outbound SMB (TCP 445) at the perimeter firewall
* Verify that the host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378