CISA orders federal agencies to patch exploited Windows flaw by May 12

9 articles · Updated · Computerworld · May 1

Microsoft said CVE-2026-32202, a Windows shell spoofing bug, can expose sensitive data but not let attackers take full system control; suspected perpetrators include Russia-linked hackers.
CISA set a 14-day deadline under Binding Operational Directive 22-01, rather than an emergency 48-72 hour order, partly because Microsoft rated the flaw's severity at 4.3.
Experts warned the patch gap raises risk, especially as the issue stems from an incomplete fix for CVE-2026-21510 and organisations often delay updates despite temporary mitigations such as blocking ports.

How did a zero-click credential theft flaw survive a previous Microsoft security patch, exposing government targets?

When a low CVSS score hides a state-sponsored threat, is the rating system itself a security risk?

With AI weaponizing flaws in minutes, is the traditional software patching model now fundamentally broken?