CISA has ordered federal agencies to patch Windows endpoints and servers for a zero-click vulnerability tracked as CVE-2026-32202 that Akamai said remained after an incomplete Microsoft fix for CVE-2026-21510. The flaw is linked to prior APT28 activity and was added to CISA’s KEV catalog with a May 12 deadline under BOD 22-01, with CISA urging all organizations to prioritize remediation.
Key points
- CISA added CVE-2026-32202 to its KEV catalog and ordered FCEB agencies to patch by May 12 under BOD 22-01.
- Akamai reported CVE-2026-32202 as a zero-click credential-theft vector left after Microsoft’s incomplete patch for CVE-2026-21510.
- CERT‑UA linked APT28 to exploitation of CVE-2026-21510 in December 2025 as part of an exploit chain that also targeted LNK flaw CVE-2026-21513.
- Microsoft flagged exploitation and warned attackers could view sensitive information on unpatched systems, while details about APT28’s use of CVE-2026-32202 remain unclear.
- Organizations are urged to apply vendor mitigations or discontinue affected products, as actors also exploit other Windows flaws like BlueHammer, RedSun, and UnDefend.