Microsoft Windows Shell Spoofing Vulnerability (CVE-2026-32202)
Severity Assessment
- Exploitability: 6/10 — Network-accessible with no privilege requirement, but user interaction is required to trigger the vulnerability; active exploitation confirmed by CISA KEV listing
- Impact: 4/10 — Microsoft and NVD describe spoofing over a network; CVSS records low confidentiality impact (C:L) and no integrity or availability impact (I:N/A:N)
- Weaponization Risk: 7/10 — CISA KEV confirmation indicates real-world exploitation; the cited sources do not document the observed exploitation chain
- Patch Urgency: 8/10 — CISA KEV listed with mandatory federal remediation deadline of 2026-05-12; apply Microsoft remediation across affected Windows systems
- Detection Coverage: 4/10 — The cited sources do not document behavioral indicators or detection signatures for this CVE, so confirmation depends primarily on patch and exposure telemetry
Summary
CVE-2026-32202 is a medium-severity Windows Shell vulnerability classified under CWE-693 (Protection Mechanism Failure). Microsoft and NVD describe the issue as allowing an unauthorized attacker to perform spoofing over a network. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, with a 4.3 MEDIUM base score.
Microsoft published the MSRC advisory and NVD published the CVE entry on April 14, 2026. CISA added CVE-2026-32202 to the Known Exploited Vulnerabilities (KEV) catalog on April 28, 2026, with a mandatory federal remediation deadline of May 12, 2026, confirming active in-the-wild exploitation.
The vulnerability’s CVSS characteristics show a network attack vector, low attack complexity, no privilege requirement, and required user interaction. The cited MSRC, NVD, and CISA sources do not document the exact delivery mechanism, the specific spoofing scenario, or detailed behavioral indicators.
Despite its medium CVSS score, CISA’s KEV listing means defenders should treat remediation as urgent. Organizations should apply Microsoft remediation guidance across affected Windows systems and verify compliance before the KEV due date.
Exploit Chain
- User Interaction: The CVSS vector (UI:R) confirms that exploitation requires user interaction. The specific interaction or delivery mechanism is not documented in the cited MSRC, NVD, or CISA sources.
- Protection Mechanism Failure: The vulnerability is classified as CWE-693 (Protection Mechanism Failure) in Windows Shell. The cited sources do not specify the affected Windows protection mechanism or the observed exploitation details.
- Spoofing Impact: Microsoft and NVD describe the impact as spoofing over a network. The CVSS impact metrics show low confidentiality impact (C:L) with no integrity or availability impact (I:N/A:N).
Detection Guidance
The cited MSRC, NVD, and CISA sources do not document specific behavioral indicators or detection signatures for CVE-2026-32202. The primary mitigation confirmed by the cited sources is applying Microsoft remediation guidance for affected Windows systems.
| Detection Rule | Behavioral Indicator | Confidence |
|---|---|---|
| Patch Telemetry | Confirm Microsoft remediation for CVE-2026-32202 is applied across managed Windows endpoints via SCCM/Intune or equivalent compliance reporting | High |
Organizations should monitor vendor and threat intelligence advisories for any CVE-specific behavioral indicators published after the initial disclosure date.
Indicators of Compromise
The cited MSRC, NVD, and CISA sources do not document CVE-specific indicators of compromise for CVE-2026-32202. No file hashes, registry keys, network signatures, or behavioral IOCs for this vulnerability have been established in the source set.
Disclosure Timeline
- 2026-04-14 — Microsoft publishes the MSRC advisory for CVE-2026-32202, describing a Windows Shell spoofing vulnerability
- 2026-04-14 — NVD publishes the CVE entry with CVSS 3.1 score of 4.3 (MEDIUM) and vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- 2026-04-28 — CISA adds CVE-2026-32202 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation and setting a federal remediation deadline of 2026-05-12
Sources & References
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2026-04-28
- National Vulnerability Database: CVE-2026-32202 — National Vulnerability Database, 2026-04-14
- Microsoft Security Response Center: CVE-2026-32202 — Microsoft Security Response Center, 2026-04-14