CVE-2026-32202: Which Endpoints in Your Fleet Still Lack the Patch?

CVE-2026-32202 is an actively exploited zero-click NTLM vulnerability. Learn how CapaOne identifies unpatched endpoints and reduces blast radius before the CISA deadline.

By Rikke Borup, CMO, CapaSystems · 22 May 2026

CVE-2026-32202: Which Endpoints in Your Fleet Still Lack the Patch?

CVE-2026-32202 is an actively exploited zero-click NTLM vulnerability targeted by APT28. The CISA Known Exploited Vulnerabilities deadline for this flaw expired May 12, 2026, making urgent private-sector action critical alongside federal agency requirements.

How the Vulnerability Works

The flaw enables attackers to capture NTLM credential hashes when users simply open folders containing malicious shortcut files. The system automatically sends Net-NTLMv2 hashes to attacker-controlled servers — no user interaction required.

Importantly, Microsoft’s February 2026 patch for the related vulnerability CVE-2026-21510 proved incomplete. CVE-2026-32202 represents a bypass of that fix, requiring the April corrective update to fully remediate the exposure.

Identifying Unpatched Endpoints with CapaOne

CapaOne’s Security Monitor continuously maps vulnerability exposure across all endpoints in your fleet. It identifies which devices still lack the April patch through a prioritized dashboard filterable by:

Severity
Device group
Site
Business unit

This eliminates the need for manual spreadsheet cross-referencing and gives IT teams an immediate, actionable view of their exposure.

Reducing the Blast Radius

Even when credentials are captured, Privilege Manager limits the damage by eliminating standing administrator rights. Elevation is:

Granted selectively and on demand
Time-limited
Fully logged for audit purposes

A compromised standard-user account is far less dangerous when it cannot escalate privileges silently.

Compliance Documentation

CapaOne generates exportable CSV evidence to support NIS2 Article 21 compliance requirements and cyber insurance questionnaires — with no additional manual extraction needed.

Ready to see how CapaOne handles this? Request a demo.

Written by

Rikke Borup

CMO, CapaSystems

Rikke is Chief Marketing Officer at CapaSystems, where she has led marketing and communications since 2009. With more than 17 years of experience in the IT sector — including cybersecurity, endpoint management software and IT services — she brings long-standing, practical insight into the challenges facing modern enterprise IT environments.

Trained as a journalist, Rikke specialises in translating complex technical concepts into clear, easy-to-understand communications for IT decision-makers.

Name	Provider	Purpose	Expiry
capaone-consent	capaone.com	Stores your cookie consent choice and category preferences	12 months
theme	capaone.com	Remembers your chosen colour scheme (light/dark)	Persistent

Name	Provider	Purpose	Expiry
Supademo (iframe)	app.supademo.com	Interactive product demo — iframe loaded on click only	Session
Google Maps (iframe)	google.com	Interactive map showing our office location	Session

Name	Provider	Purpose	Expiry
_ga	Google Analytics	Distinguishes users from one another using a unique ID for statistical analysis	2 years
_ga_KX617PNCT5	Google Analytics	Persists session state and aggregates statistics for this property	2 years
capa_insights_did	CapaOne Insights (EU)	Random anonymous identifier used to count returning visitors (first-party, no personal data)	Persistent (localStorage)
capa_insights_sid	CapaOne Insights (EU)	Groups page views into a single visit for journey analysis	Session (sessionStorage)

Name	Provider	Purpose	Expiry
hubspotutk	HubSpot (EU1)	Tracks visitors for lead management and web analytics	13 months
__hs_cookie_cat_pref	HubSpot (EU1)	Stores cookie consent preferences for HubSpot forms	6 months