Microsoft Confirms Windows Flaw Is Being Exploited After Incomplete Patch


Microsoft confirmed a Windows zero-click flaw tied to an incomplete patch is being exploited, putting credentials at risk for unpatched users.

Written by
Joseph Ofonagoro
Apr 29, 2026

A Windows patch closed one door but left another cracked open.

Microsoft has confirmed that CVE-2026-32202, a recently patched Windows vulnerability, has been exploited in the wild. The flaw stems from an incomplete February fix and can allow attackers to steal credentials without requiring a user to open a malicious file.

The company released a patch on April 14 for the incomplete fix, but at the time categorized the flaw as relatively low risk. New information now reveals that this already-patched vulnerability has been actively exploited, prompting the company to update its advisory to reflect the new data.

For IT teams, the case is a reminder that “patched” does not always mean “finished.” A flaw first treated as lower risk now requires urgent attention.

How an incomplete patch opened the door for another exploit

To fully understand what’s happening, we need to examine how it began.

In January, security researchers at Akamai spotted APT28, also known as “Fancy Bear,” actively exploiting a flaw in Windows machines. The flaw is tagged as CVE-2026-21510 and was reported via responsible disclosure to Microsoft, which patched it through its February Patch Tuesday update. The remote code execution risk was neutralized, and Windows Defender SmartScreen was back in place.

But the door didn’t fully close.

According to Akamai researcher Maor Dahan, who discovered the exploit, deeper analysis of the February patch revealed something more troubling than the vulnerability it patched: the fix addressed only the most visible part of the attack while leaving a quieter path open.

With this newly discovered vulnerability, threat actors no longer needed users to open the file. Simply browsing to a folder containing a malicious file was now enough to hand over a user’s credentials. This zero-click vulnerability became CVE-2026-32202.

Akamai again reported the finding to the tech giant, which patched it with the April 14 Patch Tuesday update. However, at the time of the patch, Microsoft assessed it as relatively low-risk, assigning it a CVSS base score of 4.3. In the company’s view, exploitation was possible but not yet observed.

That assessment didn’t hold for long. On Monday, Microsoft revised its advisory, confirming that CVE-2026-32202 had already been exploited in the wild, and that its “Exploitability Index, Exploited flag, and CVSS vector” from April 14 had simply been wrong.


What you should know about CVE-2026-32202

Microsoft has since released the patch for that incomplete fix and, just yesterday, adjusted its advisory to reflect what it now sees as a serious exploit that requires urgent attention.

The exploit is delivered via phishing, and while the one addressed in February required users to click or execute the malicious file, this one requires no clicks. Simply navigating to the folder where the file is saved is enough to hand over your credentials.

This is possible because of a Windows bug: the moment Windows Explorer renders the folder containing the file in order to display its icon, the system quietly reaches out to the attacker’s server and offers up the user’s credentials. Reaching out to a remote location while rendering an icon is normal Windows behavior; what makes it dangerous is a malicious file crafted to abuse it.

And because the February patch focused on the file-execution path, relying on SmartScreen detection and blocking, this silent path was still open even after that earlier patch.


What to do to stay safe

The most important step is to install Microsoft’s April 14 patch, especially now that CVE-2026-32202 has been confirmed as actively exploited.

IT teams should also review phishing defenses, tighten attachment filtering, and warn users against downloading files from unexpected emails. Because the flaw can leak credentials when Windows Explorer renders a malicious file, admins should monitor for unusual outbound authentication attempts and restrict outbound NTLM traffic where possible.

Any suspected exposed credentials should be rotated quickly, especially for privileged accounts.
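The following PowerShell script is an added example illustrating the mitigation steps above; it is not from the article, Akamai, or Microsoft. It checks for an installed update, restricts outbound NTLM to remote servers through the standard LSA policy value, blocks outbound SMB to internet addresses, and summarises audited outbound NTLM attempts. The KB number is a placeholder (the article does not give one), and the regular expression used to pull the target server out of the audit event message is an assumption about that message’s wording.

```powershell
# Added example, not from the article: harden a Windows host against
# outbound NTLM credential leakage and audit what would have leaked.
# Assumptions: run as Administrator on a supported Windows client or server
# with the NetSecurity module; the KB identifier below is a placeholder.

$PatchKB = 'KB<placeholder-april-14-update>'   # assumption: take the real KB from the advisory

# 1. Confirm whether the April 14 update is installed on this host.
function Test-PatchInstalled {
    param([string]$KB)
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

# 2. Restrict outgoing NTLM to remote servers via the LSA policy value.
#    RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
#    Start in audit mode (1) to find legitimate dependencies before denying (2).
function Set-OutboundNtlmPolicy {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'RestrictSendingNTLMTraffic' -Value $Mode -Type DWord
}

# 3. Block SMB (TCP 445) to internet addresses so a file pointing at an
#    external server cannot trigger an authentication; local-subnet and
#    intranet file shares remain reachable.
function Block-InternetSmb {
    $name = 'Block outbound SMB to Internet (NTLM leak mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# 4. Summarise audited outbound NTLM attempts. Event ID 8001 in the NTLM
#    Operational log records outgoing NTLM traffic that is audited or blocked
#    by the policy above. The 'Target server:' regex is an assumption about
#    the event message text; adjust it if your events are worded differently.
function Get-OutboundNtlmTargets {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'TargetServer'; e = { $_.Name } }, Count
}

# Example run: report patch state, enable audit mode, block internet SMB,
# then list the servers this host tried to authenticate to in the last day.
if (-not (Test-PatchInstalled -KB $PatchKB)) {
    Write-Warning "$PatchKB not found; install the April 14 update first."
}
Set-OutboundNtlmPolicy -Mode 1
Block-InternetSmb
Get-OutboundNtlmTargets -Hours 24 | Format-Table -AutoSize
```

Run it in audit mode for a few days and review the target list: internal file servers and domain members are expected, while any external or unknown hostname is the unusual outbound authentication attempt the article warns about and a candidate for credential rotation. Only move the policy to deny mode (`Set-OutboundNtlmPolicy -Mode 2`) once the audit shows nothing legitimate would break.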


Joseph Ofonagoro

Joseph is a Technical Writer with about 3 years of experience in the industry, also advancing a career in cyber threat intelligence. He is passionate about the responsible use of technology, a passion that led him into cybersecurity. As an undergrad, he leads a novel community of technology enthusiasts at his school, NOUN, where he guides and shares resources for beginners in tech. His writing experience includes writing on a diverse range of topics, from consumer tech to startups and tutorials. Additionally, he periodically shares case studies and research reports on cybersecurity on his social media pages.