Windows Shell Spoofing Vulnerability Added to CISA KEV (CVE-2026-32202)
Microsoft's Windows Shell contains a protection mechanism failure (a flaw where a safeguard that should work does not function as intended) that can be abused for network-based spoofing (impersonation). CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog of flaws confirmed to be exploited in the wild.
Key facts
- CVE ID: CVE-2026-32202
- CVSS base score: 4.3 MEDIUM
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Affected (vendor / product): Microsoft Windows
- CWE: CWE-693
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-05-12 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Affects Microsoft Windows (Windows Shell); the weakness type is a protection mechanism failure (a safeguard that should work does not function correctly).
- An unauthorized attacker could perform spoofing (impersonation or deceptive display) over a network.
- NVD rates the severity at CVSS 3.1 4.3 (Medium); exploitation requires user interaction (UI:R).
- CISA added it to the KEV catalog (vulnerabilities confirmed exploited in the wild) on April 28, 2026, with a remediation due date of May 12, 2026.
- Even with a moderate score, KEV's principle is to prioritize remediation once exploitation is confirmed.
Windows Shell is a central part of Windows that underpins how people operate their computers, including the desktop and File Explorer. A protection mechanism failure means that a safeguard meant to prevent improper actions or deception does not function as intended. Because of this flaw, an attacker could carry out spoofing over a network, presenting deceptive displays or information that appear to be legitimate.
NVD rates the severity at CVSS 4.3 (Medium), and exploitation requires some action by the user (UI:R). While the score is moderate, what matters most here is that the vulnerability appears in CISA's KEV catalog. KEV lists only vulnerabilities that have been confirmed as actually used in attacks, not merely theoretical risks, so inclusion signals that remediation should be a high priority.
Spoofing on its own does not always cause major harm, but by misleading a user's judgment with a deceptive display it can lead to real damage when combined with techniques such as phishing (tricking people into giving up information by posing as a trusted site or sender). For U.S. federal agencies, Binding Operational Directive (BOD) 22-01 requires applying mitigations per the vendor's instructions, and if mitigations are not available, discontinuing use of the affected product is presented as an option. The core idea behind KEV is that even a moderate score warrants prompt action once exploitation has been confirmed.
Why it matters
Because Windows Shell is a foundational component used routinely across many environments, the potential scope is broad. Spoofing can mislead users with deceptive displays and, combined with techniques like phishing, can contribute to outcomes such as information theft. Since KEV inclusion means exploitation has been confirmed, organizations are advised to treat applying the vendor's mitigations as a high priority.
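The prioritization rule described above (KEV membership outranks the CVSS score, and the KEV due date sets the clock) can be turned into a simple triage step. The following is an added example, not code from the article or from CISA; the KEV record and scan findings are constructed sample data (field names follow CISA's public KEV JSON feed), and the second CVE ID is a placeholder.

```python
"""Rank findings KEV-first, then by CVSS, and compute days left until the KEV due date."""
from datetime import date

# Constructed KEV-style record for the CVE discussed in the article.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-12",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
]

# Constructed scan findings: a KEV-listed Medium next to a non-KEV High.
FINDINGS = [
    {"cveID": "CVE-2026-32202", "cvss": 4.3,
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},
    {"cveID": "CVE-0000-00000", "cvss": 8.1,  # placeholder ID, not a real CVE
     "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},
]


def parse_vector(vector: str) -> dict:
    """Split a CVSS 3.x vector string into a metric map, e.g. {'AV': 'N', 'UI': 'R', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector}")
    return dict(m.split(":", 1) for m in metrics)


def triage(findings: list, kev: list, today: date) -> list:
    """Return findings sorted for remediation: KEV entries first (nearest due date
    first, overdue ones negative), then everything else by descending CVSS."""
    kev_by_id = {r["cveID"]: r for r in kev}
    ranked = []
    for f in findings:
        rec = kev_by_id.get(f["cveID"])
        metrics = parse_vector(f["vector"])
        days_to_due = (date.fromisoformat(rec["dueDate"]) - today).days if rec else None
        ranked.append({
            "cveID": f["cveID"],
            "kev": rec is not None,
            "cvss": f["cvss"],
            "needs_user_interaction": metrics.get("UI") == "R",  # UI:R, as in this CVE
            "days_to_due": days_to_due,
            "overdue": rec is not None and days_to_due < 0,
            "required_action": rec["requiredAction"] if rec else None,
        })
    ranked.sort(key=lambda e: (not e["kev"], e["days_to_due"] if e["kev"] else 0, -e["cvss"]))
    return ranked


if __name__ == "__main__":
    for e in triage(FINDINGS, KEV_SAMPLE, date(2026, 4, 30)):
        print(e)
```

Run against a real export of the KEV feed, the same `triage` call puts every KEV-listed CVE ahead of non-KEV findings regardless of score, which is the behaviour the article argues for.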
FAQ
What is spoofing?
Spoofing is presenting a deceptive display or information that appears legitimate in order to mislead a user; on its own it may cause limited harm, but combined with techniques such as phishing it can lead to real damage.
If the CVSS score is Medium (4.3), why does it matter?
Because the vulnerability is listed in CISA's KEV catalog, which contains only vulnerabilities confirmed to be exploited in the wild; KEV's principle is that confirmed exploitation, not the score alone, drives remediation priority.
What action is required?
Apply the vendor's mitigations per its instructions, with a remediation due date of May 12, 2026 for U.S. federal civilian agencies under BOD 22-01; if mitigations are not available, discontinuing use of the affected product is presented as an option.
Sources (primary)
This article is an independent summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).