CVE-2026-32202 is a zero-click Windows Shell spoofing vulnerability being actively exploited, which causes victim systems to authenticate to an attacker's server; it stems from an incomplete patch for CVE-2026-21510. It has a CVSS 3.1 score of 4.3 (MEDIUM). Affected versions include Windows 10 1607 prior to 10.0.14393.9060, Windows 10 1809 prior to 10.0.17763.8644, and Windows 10 21H2 prior to 10.0.19044.7184, among others listed in the NVD data.
Attackers are exploiting CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability that causes victims’ systems to authenticate the attacker’s server, CISA and Microsoft have warned. About CVE-2026-32202 CVE-2026-32202 stems from an incomplete patch for CVE-2026-21510, a vulnerability that, in conjunction with CVE-2026-21513, has been exploited by APT28 (aka Fancy Bear) via weaponized LNK files that bypass Windows security features. Microsoft fixed those two flaws in February 2026, successfully preventing the initial remote code execution and SmartScreen … More → The post CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202) appeared first on Help Net Security .