Medium (4.3) Actively Exploited

Windows Shell spoofing exploited in wild (CVE-2026-32202) [PoC]

CVE-2026-32202: Windows Shell spoofing actively exploited in targeted attacks (CVSS 4.3). Attacker tricks user into interacting with spoofed network resource. Apply Microsoft May 2026 Patch Tuesday update.

Affected: Microsoft Windows 10 1607, Microsoft Windows 10 1809, Microsoft Windows 10 21H2

Actively exploited in the wild - CVE-2026-32202 is a medium severity spoofing vulnerability in Windows Shell across all currently supported Windows 10, Windows 11, and Windows Server versions that allows an unauthenticated attacker to trick a user into interacting with a spoofed network resource. Microsoft released a fix in the May 2026 Patch Tuesday update; apply immediately.

Overview

CVE-2026-32202 is a protection mechanism failure in Windows Shell (explorer.exe). An attacker who can reach a target system over the network can present a spoofed file share, device, or other network resource to the user. When the user clicks or otherwise interacts with the spoofed item, the attacker can misrepresent the origin and trustworthiness of that resource, so the user's trust decision is made on attacker-controlled information.

The vulnerability requires user interaction - the attacker cannot force the interaction remotely. The attack complexity is LOW, and no prior authentication is required. Despite the relatively low CVSS score of 4.3, CISA has added this CVE to the Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. The Exploit Prediction Scoring System (EPSS) assigns only a 0.1% probability of exploitation in the next 30 days; a low EPSS alongside a KEV listing is consistent with use in targeted operations rather than broad opportunistic scanning, and EPSS typically lags KEV additions, so do not treat the low score as a reason to defer patching.

Impact

An attacker exploiting CVE-2026-32202 can perform network spoofing attacks, potentially convincing users to:

  • Open malicious files from a spoofed share
  • Connect to attacker-controlled devices impersonating trusted resources
  • Supply credentials to a fake authentication prompt

This is a classic user-assisted vector, almost always combined with a social engineering lure that gets the victim to click the spoofed resource. The Russian CTRL Toolkit Hijacks RDP via Malicious LNK campaign demonstrates how similar spoofing techniques are used in real-world attacks.

Affected Products and Versions

The vulnerability affects:

  • Windows 10 (all versions)
  • Windows 11 (all versions)
  • Windows Server 2019, 2022, and 2025

All platforms are patched as part of the May 2026 Microsoft security update (KB5079391 for the build listed above; cumulative-update KB numbers differ per Windows build, so confirm the article for each build you manage against the Microsoft Security Update Guide entry for this CVE). This same update also enhances Smart App Control.

Remediation and Mitigation

Immediate action: Apply the May 2026 Patch Tuesday update on all Windows systems. If patching cannot happen immediately, implement the following mitigations:

  1. Restrict SMB (TCP 445) connections to and from untrusted networks at the firewall; because the victim is lured into connecting to the attacker's resource, the outbound direction matters at least as much as the inbound one
  2. Educate users to verify network resource origins before interacting, and never to enter credentials into a prompt raised by a share or device they did not deliberately open
  3. Monitor for unusual outbound connections originating from explorer.exe, especially SMB sessions to addresses outside your own ranges
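The following PowerShell script is an added example and is not part of the advisory or of any Microsoft guidance. It ties the three steps above together for a single host: it checks whether the update is installed, adds a temporary outbound SMB block as an interim control, and hunts Sysmon network-connection events for explorer.exe talking SMB to non-private addresses. It assumes an elevated session, that Sysmon is installed and logging Event ID 3, and that KB5079391 (the article number given on this page) is the right KB for the build; the firewall rule name is hypothetical.

```powershell
# Added example (not from the advisory). Assumptions: run elevated; Sysmon
# installed with Event ID 3 (network connection) enabled; KB5079391 is the
# May 2026 update for this build (taken from the advisory; confirm per build).
#Requires -RunAsAdministrator

# --- 1. Is the May 2026 update installed? ---------------------------------
$kb = 'KB5079391'   # from the advisory; KB numbers differ per Windows build
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($installed) {
    Write-Host "$kb installed on $($installed.InstalledOn)" -ForegroundColor Green
} else {
    Write-Warning "$kb not present on build $([Environment]::OSVersion.Version); apply the May 2026 update."
}

# --- 2. Interim mitigation: block outbound SMB to non-local networks -------
# A lured user cannot reach an attacker-hosted share on the internet if the
# client cannot open TCP 445 outbound. 'Internet' is a built-in Windows
# Firewall address keyword (addresses not on the local subnet / intranet).
# Remove this rule once the host is patched.
$ruleName = 'Block outbound SMB to Internet (CVE-2026-32202 interim)'   # hypothetical name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'"
}

# --- 3. Hunt: explorer.exe SMB connections to non-private destinations ----
# explorer.exe normally speaks SMB only to internal file servers, so an
# outbound 445/139 session to a public address is the event worth triaging.
# RFC 1918, loopback, link-local and IPv6 local ranges are excluded.
$privateRanges = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|fe80:|::1$)'
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3                     # Sysmon: network connection
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Image     = $d['Image']
            User      = $d['User']
            DestIp    = $d['DestinationIp']
            DestPort  = [int]$d['DestinationPort']
            Initiated = $d['Initiated']     # 'true' = this host opened the connection
        }
    } |
    Where-Object {
        $_.Image -like '*\explorer.exe' -and
        $_.Initiated -eq 'true' -and
        $_.DestPort -in @(445, 139) -and
        $_.DestIp -notmatch $privateRanges
    } |
    Sort-Object Time -Descending |
    Format-Table Time, User, DestIp, DestPort -AutoSize
```

The hunt is deliberately narrow (SMB ports only, public destinations only); widening it to WebDAV over 80/443 catches more lure variants but also catches legitimate explorer.exe traffic, so tune the port list against a baseline from your own fleet before alerting on it.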

Organizations should also watch for Storm-2561 activity as threat actors increasingly use spoofing lures to deliver malware.

Security Insight

CVE-2026-32202 follows a pattern seen in several recent Microsoft patches: spoofing or bypass vulnerabilities in core UI components that require user interaction but have alarmingly low attack complexity. Attackers are moving away from memory corruption bugs toward logic flaws in how Windows presents trust decisions to users. While the CVSS score is medium, the active exploitation confirms that threat actors are willing to invest in social engineering chains that exploit these weaknesses.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: virus-or-not/CVE-2026-32202 ("Windows Shell Spoofing Vulnerability"), 1 star

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.