CISA Orders Federal Agencies to Patch Zero‑Day Windows NTLM Hash Leak (CVE‑2026‑32202) Exploited by APT28
What Happened – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑32202 to its Known Exploited Vulnerabilities (KEV) catalog and issued a Binding Operational Directive requiring all Federal Civilian Executive Branch agencies to apply the Microsoft patch by May 12, 2026. The flaw is a zero‑click NTLM‑hash leak that enables pass‑the‑hash attacks and was linked to the Russian APT28 (Fancy Bear) group, which previously leveraged a related RCE bug (CVE‑2026‑21510) in Ukraine and EU targets.
Why It Matters for TPRM
- Exploited zero‑day vulnerabilities can cascade through supply‑chain relationships, exposing downstream vendors and customers.
- NTLM hash theft enables lateral movement, increasing the risk of data exfiltration from third‑party environments.
- Federally mandated patch timelines set a de facto industry benchmark; non‑compliant partners may face heightened scrutiny.
Who Is Affected – Federal agencies, their contractors, and any organization that runs supported Windows endpoints or servers, especially those handling sensitive government data.
Recommended Actions
- Verify that all Windows assets (servers, workstations, virtual machines) are patched for CVE‑2026‑32202.
- Review contracts with Microsoft‑based service providers for compliance with the CISA directive.
- Conduct NTLM‑hash hardening: enforce SMB signing, disable NTLM where possible, and monitor for anomalous pass‑the‑hash activity.
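The following PowerShell audit is an added example, not from the BleepingComputer article or CISA; it reports the hardening settings the list above calls for (SMB signing, NTLM restriction) and summarises recent NTLM network logons so anomalous pass‑the‑hash activity can be baselined. It assumes an elevated session on a supported Windows host; the registry value names are the standard Lsa/MSV1_0 policy values.

```powershell
# Added audit script (not part of the article): reports NTLM hardening posture and
# summarises NTLM network logons from the Security log. Assumes an elevated session.
function Get-NtlmHardeningPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Join-Path $lsa 'MSV1_0'
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM responses.
    $lmLevel  = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    # RestrictSendingNTLMTraffic: 0 allow, 1 audit, 2 deny all outgoing NTLM.
    $outbound = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    # RestrictReceivingNTLMTraffic: 0 allow, 1 deny domain accounts, 2 deny all.
    $inbound  = (Get-ItemProperty -Path $msv -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    [pscustomobject]@{
        SmbServerSigningRequired = $srv.RequireSecuritySignature
        SmbClientSigningRequired = $cli.RequireSecuritySignature
        LmCompatibilityLevel     = $lmLevel   # $null means not set; the OS default applies
        RestrictSendingNTLM      = $outbound
        RestrictReceivingNTLM    = $inbound
        # "Hardened" here is this script's own threshold, not a CISA requirement.
        Hardened = [bool]($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature -and
                          $lmLevel -eq 5 -and $outbound -eq 2)
    }
}

function Get-RecentNtlmNetworkLogons {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # Logon type 3 (network) authenticated with the NTLM package is the logon shape a
        # pass-the-hash session produces; legitimate NTLM logons look the same, so treat
        # this as a baseline to compare against, not as an alert on its own.
        if ($f.LogonType -eq '3' -and $f.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $f.TargetUserName
                               Source = $f.IpAddress; Workstation = $f.WorkstationName }
        }
      } | Group-Object User, Source | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'UserAndSource'; e = { $_.Name } }
}

Get-NtlmHardeningPosture | Format-List
Get-RecentNtlmNetworkLogons -Hours 24 | Format-Table -AutoSize
```

Run it before and after rollout of the settings and compare the NTLM logon summary against known service accounts and jump hosts; new user/source pairs with high counts are the ones to investigate.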
Technical Notes – The vulnerability stems from an incomplete fix for a prior remote‑code‑execution bug (CVE‑2026‑21510). Attackers can deliver a malicious file that, when opened, silently extracts NTLM hashes without user interaction. It has been exploited in low‑complexity, zero‑click attacks; data at risk includes credential hashes, internal network topology, and any data accessed with compromised accounts. Source: BleepingComputer