Wasteland. Active KEV CVE-2026-32202, 2026-05-17

CVE-2026-32202: Windows Shell Spoofing Flaw Added to CISA KEV

Microsoft Windows Shell contains a protection mechanism failure (CWE-693) that lets an unauthorized attacker perform spoofing over a network, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-04-28.

What Is It

CVE-2026-32202 is a protection mechanism failure in Windows Shell. Per Microsoft and NVD, an unauthorized attacker can leverage the weakness to perform spoofing over a network. The CVSS 3.1 base score is 4.3 (MEDIUM) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N: network-reachable, low attack complexity and no privileges required, but user interaction is needed. Impact is limited to confidentiality (LOW); no integrity or availability impact is recorded. The underlying weakness class is CWE-693 (Protection Mechanism Failure).

Why It Matters

CISA added CVE-2026-32202 to the KEV catalog on 2026-04-28, which is the federal signal that the flaw is being actively exploited in the wild. Ransomware association is listed as "Unknown" in the KEV entry; there is no confirmed ransomware campaign tied to it at this time, but KEV inclusion alone establishes confirmed in-the-wild exploitation. Because the attack vector is network-based and requires only that a user interact with attacker-supplied content, this is a realistic phishing and social-engineering primitive against any unpatched Windows endpoint or server.

What's Vulnerable

A broad swath of supported Windows builds is affected, per the NVD CPE list. Builds below the following cutoffs are vulnerable; builds equal to or greater than the listed cutoff are fixed:

- 10.0.14393.9060 (1607 / Server 2016)
- 10.0.17763.8644 (1809 / Server 2019)
- 10.0.19044.7184 (21H2)
- 10.0.19045.7184 (22H2)
- 10.0.22631.6936 (Win11 23H2)
- 10.0.26100.8246 (Win11 24H2)
- 10.0.26200.8246 (Win11 25H2)
- 10.0.28000.1836 (Win11 26H1)
- 10.0.20348.5020 (Server 2022)
- 10.0.25398.2274 (Server 2022 23H2)
- 10.0.26100.32690 (Server 2025)

Note that the 10.0.26100 branch appears twice with different cutoffs: Windows 11 24H2 is fixed from 10.0.26100.8246, while Server 2025 requires 10.0.26100.32690, so a build number alone does not settle patch status on that branch.
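One way to turn the cutoffs above into a patch-compliance check over an endpoint inventory, as an added example that is not from the brief, Microsoft or CISA: build strings are compared as integer tuples against the fix cutoff for their branch, and a product family label ("client" or "server", an assumption of this example) is carried alongside because the 10.0.26100 branch has different cutoffs for Windows 11 24H2 and Server 2025. The inventory rows and hostnames are constructed.

```python
# Fixed-build cutoffs as listed in the brief, keyed by (build branch, family).
# The 10.0.26100 branch is shared by Win11 24H2 and Server 2025 with different
# cutoffs, so the product family is required to pick the right one.
FIXED_BUILDS = {
    ("10.0.14393", "client"): "10.0.14393.9060",   # Windows 10 1607
    ("10.0.14393", "server"): "10.0.14393.9060",   # Server 2016
    ("10.0.17763", "client"): "10.0.17763.8644",   # Windows 10 1809
    ("10.0.17763", "server"): "10.0.17763.8644",   # Server 2019
    ("10.0.19044", "client"): "10.0.19044.7184",   # Windows 10 21H2
    ("10.0.19045", "client"): "10.0.19045.7184",   # Windows 10 22H2
    ("10.0.22631", "client"): "10.0.22631.6936",   # Windows 11 23H2
    ("10.0.26100", "client"): "10.0.26100.8246",   # Windows 11 24H2
    ("10.0.26200", "client"): "10.0.26200.8246",   # Windows 11 25H2
    ("10.0.28000", "client"): "10.0.28000.1836",   # Windows 11 26H1
    ("10.0.20348", "server"): "10.0.20348.5020",   # Server 2022
    ("10.0.25398", "server"): "10.0.25398.2274",   # Server 2022 23H2
    ("10.0.26100", "server"): "10.0.26100.32690",  # Server 2025
}

def parse_build(build):
    """Turn '10.0.26100.8246' into a comparable int tuple; reject malformed input."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part Windows build string: {build!r}")
    return tuple(int(p) for p in parts)

def assess(build, family):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one host."""
    parts = parse_build(build)
    branch = ".".join(str(p) for p in parts[:3])
    cutoff = FIXED_BUILDS.get((branch, family))
    if cutoff is None:
        return "unknown-branch"  # not in the brief's list; consult the vendor advisory
    return "patched" if parts >= parse_build(cutoff) else "vulnerable"

# Constructed sample inventory (hostname, OS build, family); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "10.0.26100.8246", "client"),   # exactly at the Win11 24H2 cutoff
    ("srv-01", "10.0.26100.8246", "server"),  # same build, but Server 2025 needs 32690
    ("ws-02", "10.0.19045.7183", "client"),   # one revision below the 22H2 cutoff
    ("srv-02", "10.0.20348.5100", "server"),  # above the Server 2022 cutoff
    ("ws-03", "10.0.18363.1234", "client"),   # branch not listed in the brief
]

def triage(inventory):
    """Map each host to its status so vulnerable hosts can be queued for patching."""
    return {host: assess(build, family) for host, build, family in inventory}
```

Feeding it a real inventory export (build from the OS version string, family from the edition) gives a per-host list to drive the BOD 22-01 deadline.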

Patch Status

Microsoft has shipped updates via MSRC. CISA's required action, due 2026-05-12, is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal civilian agencies are bound by the BOD 22-01 timeline; everyone else should treat the same deadline as the practical baseline given confirmed exploitation.
