"the attacker ' s server and automatically fetch the cpl file by resolving the universal naming convention ( unc ) path and initiating an smb connection without requiring user interaction. " when that path is a unc path ( like ' \ \ attacker. com \ share \ payload. cpl ' ), window…"
T1557.001 Name Resolution Poisoning and SMB Relay (62%)
T1068 Exploitation for Privilege Escalation (55%)
"microsoft confirms active exploitation of windows shell cve-2026-32202 microsoft on monday revised its advisory for a now-patched, high-severity security flaw impacting windows shell to acknowledge that it has been actively exploited in the wild. the vulnerability in ques…"
T1059.003 Windows Command Shell (33%)
Summary
Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild.
The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this