Russia exploiting Windows zero‑days

- Microsoft and CISA moved this week on CVE-2026-32202, a Windows Shell zero-day under active exploitation that researchers connect to APT28, the Russian GRU-linked group.
- The nasty detail is that it can coerce NTLM authentication with zero clicks, and Akamai says it grew out of an incomplete fix for CVE-2026-21510.
- That matters because patching may not be the whole answer: defenders also need SMB hardening, NTLM reduction, and close monitoring of authentication traffic.

Windows has a new zero-day problem, and the uncomfortable part is not just the bug itself. It’s the chain behind it. Researchers say CVE-2026-32202, a Windows Shell spoofing flaw now in CISA’s Known Exploited Vulnerabilities catalog, appears to have emerged from an incomplete Microsoft fix for an earlier issue that Akamai ties to APT28, the Russian military intelligence hacking group better known as Fancy Bear. That turns a routine “patch now” story into a bigger one about how state-backed tradecraft can keep paying off even after defenders think the hole is closed. (cisa.gov)

### What is the bug, in plain English?

CVE-2026-32202 is a Windows Shell protection-mechanism failure. In practice, that means Windows can be tricked while handling a file or shortcut path in a way that makes the victim machine try to authenticate to an attacker-controlled server. The user may not need to open the file at all: browsing to a folder or previewing content can be enough in some attack paths(cisa.gov)s actively exploited. (cisa.gov)

### Why do people keep calling it “zero-click”?

Because the valuable step for the attacker is the coerced authentication, not convincing the victim to launch malware. Akamai says the flaw can trigger NTLM authentication automatically over SMB. Think of it like getting Windows to reflexively show an ID badge to the wrong door. The attacker may not get code execution from that alone, but the captured NTLM response can be cracked offline or relayed to another service that accepts it, and either outcome opens plenty of doors in a real network. (akamai.com)

### Where does Russia come in?

The strongest link is the predecessor bug. Akamai says CVE-2026-32202 was created by an incomplete patch for CVE-2026-21510, which it describes as an APT28 zero-day. APT28 is the GRU-linked Russian state group that UK and allied agencies have repeatedly tied to credential theft and network-intrusion campaigns. So the claim is not that Mi(akamai.com)or an exploit chain already associated with APT28.
(akamai.com)

### Why is an incomplete patch such a big deal?

Because it means defenders can do the right thing and still be exposed. Akamai’s point is that Microsoft’s February fix for CVE-2026-21510 closed one path but left behind enough of the underlying behavior to create a fresh zero-day, CVE-2026-32202. That is the catch here: patching reduced risk, but it did not fully remove the primitive attackers wanted. (akamai.com)

### What did CISA do?

CISA added CVE-2026-32202 to the KEV catalog on April 30, 2026. For U.S. federal civilian agencies, that set a remediation deadline of May 3, 2026 under Binding Operational Directive 22-01. CISA uses KEV for flaws with evidence of real-world exploitation, so inclusion is basically the government saying this is not theoretical anymore.

(akamai.com)lf. The practical guidance around this class of bug is to patch fast, but also to reduce or disable outgoing NTLM where possible, restrict outbound SMB (TCP 445) to untrusted networks, require SMB signing (and Extended Protection for Authentication on services that support it) so a coerced authentication cannot be relayed, and watch for NTLM authentication to hosts that are not domain members, especially over SMB to external addresses. If the attack goal is credential coercion, defenders need to break the follow-on steps too, not just the initial trigger. That is why this story feels bigger than one CVE number. (akamai.com)

### So what’s the bottom line?

This is a Windows zero-day with real exploitation, but the more important lesson is structural. A Russian-linked espionage toolset appears to have exposed a weakness, the first fix was incomplete, and now defenders are cleaning up the second-order bug. That’s why security teams are reacting so urgently, not because Windows flaws are rar(akamai.com)atch Tuesday. (akamai.com)
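The defensive guidance above (NTLM reduction, outbound SMB restriction, SMB signing, and monitoring for coerced authentication) maps onto a handful of Windows settings and one event log. The script below is an added example written for this page; it is not code from the article, Akamai, CISA or Microsoft. It audits a single host for each control, reports what is missing, and applies Microsoft's documented hardened values only when the assumed `-Enforce` switch is given. The firewall rule name and the `-Enforce` switch are this script's own inventions; the registry paths, cmdlets and the NTLM/Operational event ID 8001 are standard Windows. Run it from an elevated PowerShell session.

```powershell
<#
  Added example, not from the article or any vendor. Audits a Windows host for the
  NTLM-coercion mitigations discussed above and optionally enforces them.
  -Enforce is an assumed switch for this script, not a Microsoft flag.
#>
[CmdletBinding()]
param(
    [switch]$Enforce   # apply hardened settings instead of only reporting
)

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Why)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($actual -ne $Expected) {
        $script:findings.Add("$Name = '$actual' (want $Expected): $Why")
        if ($Enforce) {
            if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
            Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
        }
    }
}

# 1. NTLM reduction. RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny all.
#    Start with audit so the NTLM/Operational log shows which outbound NTLM flows exist
#    before you deny them; this script deliberately stops at 1.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Test-RegValue -Path $msv -Name 'RestrictSendingNTLMTraffic' -Expected 1 `
    -Why 'outgoing NTLM is neither audited nor blocked, so a coerced auth leaves no local trace'
Test-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Expected 5 `
    -Why 'host may still answer with LM/NTLMv1 responses, which crack far faster than NTLMv2'

# 2. SMB signing. Required signing on both sides defeats relay of a coerced
#    authentication to an SMB target. It does not stop offline cracking of the response.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
if (-not $client.RequireSecuritySignature) {
    $findings.Add('SMB client does not require signing: coerced auth can be relayed to SMB')
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}
if (-not $server.RequireSecuritySignature) {
    $findings.Add('SMB server does not require signing: this host can be a relay target')
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

# 3. Outbound SMB egress. The coerced client connects to the attacker's listener on
#    TCP 445; blocking outbound 445 to Internet addresses breaks that step while
#    leaving intranet file shares reachable.
$ruleName = 'Block outbound SMB to Internet (example rule)'   # assumed name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings.Add('no firewall rule blocks outbound TCP/445 to Internet addresses')
    if ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# 4. Monitoring. With RestrictSendingNTLMTraffic >= 1, every outgoing NTLM
#    authentication that would be blocked is logged as event 8001 in
#    Microsoft-Windows-NTLM/Operational, including the target server name.
#    An unexpected external host in this list is the coercion pattern described above.
$since = (Get-Date).AddHours(-24)
$ntlmEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $since
} -ErrorAction SilentlyContinue
$targets = $ntlmEvents | ForEach-Object {
    if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique

"=== Findings ($($findings.Count)) ==="
$findings | ForEach-Object { " - $_" }
"=== Outgoing NTLM targets since $since ($(@($targets).Count)) ==="
$targets | ForEach-Object { " - $_" }
```

Run without `-Enforce` first and review the NTLM target list over several days: the hosts that appear there are what `RestrictSendingNTLMTraffic = 2` would break, so they need Kerberos or an exception before you move from audit to deny. The egress rule and signing requirements are safe to enforce on most workstations, but test the server-side signing change on file servers with legacy clients first.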

Shared from Scout - Be the smartest in the room.