CVE-2026-32202: Which Endpoints in Your Fleet Still Lack the Patch?

A zero-click NTLM flaw is currently under active exploitation by APT28. The CISA deadline expires today — here is how CapaOne maps your exposure and limits the blast radius

The CISA Known Exploited Vulnerabilities deadline for CVE-2026-32202 expires today — May 12, 2026. Federal agencies must patch by the end of the day. But CISA KEV deadlines are also a reliable signal for every IT team in the private sector: this vulnerability is active, and attackers are already using it.

The flaw is a zero-click NTLM hash leak. A user only has to open a folder containing a malicious LNK file: no click on the file itself, no warning. Windows automatically sends the user’s Net-NTLMv2 credential hash to an attacker-controlled SMB server. APT28, the Russian state-sponsored group, is actively exploiting it against EU and Ukraine targets, according to analysis published by Akamai.

The problem is compounded by history. Microsoft’s February 2026 patch for the closely related CVE-2026-21510 turned out to be incomplete. CVE-2026-32202 is the continuation of that same attack surface. Organizations that believe they patched this in February almost certainly have not.

This article explains the attack path and shows how CapaOne Endpoint Management Platform identifies exactly which endpoints in your fleet still lack the critical April patch — and how Privilege Manager limits the blast radius if a hash is captured.

What the Attack Actually Does — and Why It Survives Partial Patches

NTLM hash relay is not a new technique. What makes CVE-2026-32202 notable is the delivery mechanism: a malicious Windows shortcut file (.LNK) placed inside a folder. The moment Windows Explorer renders the folder — no double-click needed — the OS attempts to resolve resources referenced by the LNK file. That resolution triggers an outbound SMB request that carries the user’s Net-NTLMv2 hash to an external server.

From that point, the attacker captures the hash and uses it in a relay attack against internal services. Web applications, file shares, and internal APIs that accept NTLM authentication become accessible without ever cracking a password.
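Because the leak depends on the endpoint completing an outbound SMB connection to an external server, a compensating control for devices that miss the patch window is to stop that connection at the host firewall. The following is an added example written for this article, not CapaOne code and not a Microsoft-published script. It assumes the Windows Firewall keyword Internet matches the addresses you consider external in your topology (verify this where split-tunnel VPNs or routed on-premises file servers exist; those need an explicit exception rule).

```powershell
# Added example (not from the article, CapaOne, or Microsoft).
# Block outbound SMB (TCP 445) to non-local addresses on an endpoint so an
# LNK-triggered connection to an external SMB server cannot complete.
# ASSUMPTION: the 'Internet' address keyword reflects your network layout.
$ruleName = 'Block outbound SMB to Internet (CVE-2026-32202 compensating control)'

# Create the rule once; re-running the script must not duplicate it
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify the rule exists and inspect the address filter it applies to
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Log dropped packets on every profile so blocked SMB attempts become a
# detection signal (an endpoint repeatedly hitting this rule is worth a look)
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

Deploy the rule through Group Policy or your endpoint management tool rather than per machine, and treat it as a stopgap: it narrows the external path for the hash but does nothing against an SMB listener that is already inside the network, so the April patch remains the fix.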

The February patch for CVE-2026-21510 blocked one vector. Akamai’s research team identified the incomplete fix and disclosed CVE-2026-32202 as a bypass. Microsoft issued the corrective patch in April 2026. Organizations that ran the February Patch Tuesday cycle and assumed NTLM hash relay was covered are mistaken — the April update is the one that matters.

The ENISA Threat Landscape report consistently identifies credential theft via relay attacks as one of the highest-volume initial access methods against European organizations. CVE-2026-32202 is a textbook example of that category.

How CapaOne Identifies Exposure Across Your Fleet

The first operational question when a critical CVE drops is not theoretical — it is: how many of our endpoints are missing this patch right now? Without a unified view, IT teams pull reports from multiple tools, cross-reference patch logs, and build spreadsheets. That process takes hours. During active exploitation, hours matter.

CapaOne’s Security Monitor provides a continuously updated CVE-based vulnerability inventory across every managed endpoint. The moment the April update is indexed, Security Monitor maps which devices have received it and which remain exposed. You see the results in a single prioritized queue — filtered by severity, device group, site, or business unit.

Relevant fields visible in CapaOne’s vulnerability dashboard include the installed Windows version per device, the patch date of the last cumulative update, and whether the specific KB article associated with CVE-2026-32202 is present. No manual cross-referencing. No spreadsheet.

For organizations managing multiple sites or business units, the cohort view groups exposure by hardware model, OS version, or tag — so IT administrators can immediately identify whether the problem concentrates in a particular location or device cohort.
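For teams without a unified inventory, the same question (which endpoints still lack the fixing update, grouped by cohort) can be answered with built-in PowerShell. The block below is an added example written for this article and is not CapaOne code. It assumes an inventory file endpoints.txt with one hostname per line, that the caller has administrative rights on the targets with RPC/DCOM (Get-HotFix) and WinRM (Get-CimInstance) reachable, and it uses a placeholder KB number because the article does not list the April 2026 KB for each OS build.

```powershell
# Added example (not CapaOne code). Reports endpoints missing the cumulative
# update that carries the CVE-2026-32202 fix, grouped by OS build, and writes
# a device-level CSV. $RequiredKb is a PLACEHOLDER: substitute the April 2026
# KB for each affected OS build before use.
$RequiredKb = 'KB<APRIL-2026-CU-PLACEHOLDER>'
$Computers  = Get-Content -Path .\endpoints.txt   # assumed inventory file

$results = foreach ($computer in $Computers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering; it lists installed CBS updates only
        $hotfixes = Get-HotFix -ComputerName $computer -ErrorAction Stop
        $os       = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        [pscustomobject]@{
            Computer   = $computer
            OsVersion  = $os.Version
            LastCuDate = ($hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
            HasFix     = [bool]($hotfixes | Where-Object HotFixID -eq $RequiredKb)
            Error      = $null
        }
    } catch {
        # Unreachable is reported as its own state: "unknown" must never count as "patched"
        [pscustomobject]@{ Computer = $computer; OsVersion = $null; LastCuDate = $null; HasFix = $null; Error = $_.Exception.Message }
    }
}

# Remediation queue: every device that is not confirmed patched, ordered by OS build
$results | Where-Object { $_.HasFix -ne $true } |
    Sort-Object OsVersion, Computer |
    Format-Table Computer, OsVersion, LastCuDate, HasFix, Error -AutoSize

# Cohort summary: does exposure concentrate in one OS build?
$results | Group-Object OsVersion | ForEach-Object {
    [pscustomobject]@{
        OsVersion   = $_.Name
        Total       = $_.Count
        Unpatched   = ($_.Group | Where-Object { $_.HasFix -eq $false }).Count
        Unreachable = ($_.Group | Where-Object { $null -eq $_.HasFix }).Count
    }
} | Format-Table -AutoSize

# Device-level evidence export (patch date, version, status, timestamp of the check)
$results |
    Select-Object *, @{ n = 'CheckedAt'; e = { (Get-Date).ToString('o') } } |
    Export-Csv -Path .\cve-2026-32202-exposure.csv -NoTypeInformation
```

Two caveats for production use: cumulative updates supersede one another, so a device carrying a later CU also has the fix and a single-KB match under-reports coverage (compare the OS build and UBR against the fixed build instead), and Get-HotFix does not show an update that is installed but still pending a reboot.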

How Privilege Manager Limits the Blast Radius

The goal is to patch every endpoint before the CISA deadline. That is rarely the reality for large, distributed fleets. Devices are offline. Users are traveling. Managed exceptions exist. A small percentage of endpoints will miss the patch window.

This is where Privilege Manager provides a meaningful secondary control. An attacker exploiting CVE-2026-32202 relays the captured NTLM hash to authenticate to internal services. The damage depends on what those credentials can access. Accounts operating with standing local administrator rights provide attackers with substantially higher-value targets: lateral movement is easier, persistence mechanisms are broader, and privilege escalation becomes trivial.

CapaOne’s Privilege Manager enforces just-in-time elevation — no user holds standing local admin rights by default. Elevation is granted by policy, scoped to a specific executable, limited in duration, and logged in full. If a hash from a standard user account is captured and relayed, the attacker operates with standard user permissions. That does not make compromise harmless, but it substantially reduces the available attack paths.
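Whether or not a JIT elevation product is in place, the blast radius question can be measured directly: which accounts hold standing membership in the local Administrators group on each endpoint? The script below is an added example written for this article, not CapaOne or Privilege Manager code. It assumes WinRM is enabled on the targets, that the caller has administrative rights on them, an inventory file endpoints.txt with one hostname per line, and a constructed allow-list of members that are expected.

```powershell
# Added example (not CapaOne code). Audits standing local Administrators
# membership across endpoints and flags members outside an allow-list, so the
# devices where a captured hash would carry admin rights can be prioritised.
$Computers = Get-Content -Path .\endpoints.txt          # assumed inventory file

# Members that are expected to be present (constructed allow-list for illustration)
$Expected = @('Administrator', 'Domain Admins')

$report = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member      = $_.Name
            ObjectClass = $_.ObjectClass        # User or Group
            Source      = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD
        }
    }
}
# Invoke-Command adds PSComputerName to every returned object

$unexpected = $report | Where-Object {
    # Compare on the short name so DOMAIN\Name and COMPUTER\Name both match the allow-list
    $shortName = ($_.Member -split '\\')[-1]
    $shortName -notin $Expected
}

# Devices with the most standing admins beyond the allow-list come first
$unexpected | Group-Object PSComputerName | Sort-Object Count -Descending |
    Select-Object @{ n = 'Computer'; e = { $_.Name } }, Count,
                  @{ n = 'Members';  e = { ($_.Group.Member | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Device-level evidence export for the remediation record
$unexpected | Select-Object PSComputerName, Member, ObjectClass, Source |
    Export-Csv -Path .\standing-local-admins.csv -NoTypeInformation
```

Endpoints that return nothing (WinRM unreachable) are silently absent from the report because of -ErrorAction SilentlyContinue; compare the list of PSComputerName values against the inventory so an unreachable device is not mistaken for a clean one.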

The combination — patch prioritization from Security Monitor and blast radius reduction from Privilege Manager — is the operational response that aligns with ENISA’s defense-in-depth approach to credential-based attacks.

NIS2 Reporting: Turning Remediation Evidence into Audit Documentation

For organizations subject to NIS2, CVE-2026-32202 is not just a patching task — it is a documentation obligation. NIS2 Article 21 requires organizations to maintain and demonstrate adequate technical measures to address identified vulnerabilities. Active APT28 exploitation means regulators and cyber insurers will ask: Did you know about this vulnerability, and what did you do about it?

CapaOne generates exportable CSV evidence at the device level — patch date, installed version, remediation action, and timestamp. The same dataset supports NIS2 reporting, internal governance reviews, and cyber insurance questionnaires without additional manual extraction.

The full audit trail from vulnerability identification through remediation confirmation is available in a format auditors can accept directly. That removes the scramble that typically follows a regulator inquiry.

Book a demo of CapaOne Endpoint Management Platform here to see how Security Monitor identifies exposure across your fleet — or start a free trial and explore the platform hands-on.

Frequently Asked Questions

What is CVE-2026-32202, and why did the February patch not cover it?

CVE-2026-32202 is a zero-click NTLM hash-leak vulnerability in the Windows Shell. It survived the February patch for the closely related CVE-2026-21510 because that earlier fix was incomplete. Akamai’s research team identified the bypass in April 2026. The corrective patch shipped with the April 2026 cumulative update, not February’s. Organizations that only ran the February cycle remain exposed.

How does CapaOne show which endpoints are still missing the patch?

CapaOne’s Security Monitor indexes CVE-based vulnerability signals across endpoints, including OS-level patch status. Devices missing the April cumulative update, which contains the CVE-2026-32202 fix, appear in the prioritized remediation queue. The view is filterable by device group, OS version, and site.

How does Privilege Manager reduce the impact of a captured NTLM hash?

NTLM hash relay attacks are most damaging when the captured credential belongs to an account with standing local administrator rights. Privilege Manager removes standing local admin from all endpoints by default, granting elevation only on request, by policy, for a defined duration. A captured standard-user credential provides an adversary with significantly fewer attack paths.

Can CapaOne produce evidence for NIS2 reporting and audits?

Yes. Security Monitor generates device-level CSV exports showing patch status, installed versions, and remediation timestamps. The same exports support NIS2 Article 21 documentation, internal audits, and cyber insurance questionnaires.
