CISA Orders Emergency Patches for Windows Zero-Day Exploited by Russian APT28

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft Windows Shell vulnerability (CVE-2026-32202) to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch immediately. The zero-day flaw enables network spoofing attacks and has been actively exploited by APT28 (Fancy Bear), a Russian military intelligence (GRU) cyberespionage group.

Alongside the Windows flaw, CISA also flagged CVE-2024-1708, a path traversal vulnerability in ConnectWise ScreenConnect, and highlighted eight additional actively exploited vulnerabilities — three of which impact Cisco Catalyst SD-WAN Manager. A separate critical vulnerability in Cisco Integrated Management Controller (CVE-2026-20093) allows unauthenticated administrative access.
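For defenders tracking a KEV addition like this one, the practical step is to match catalog entries against what is actually deployed and rank them by remediation due date. The script below is an added example, not code from this article or from CISA: it parses JSON in the shape of the public KEV feed (the `vulnerabilities[]` objects with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` fields) and triages the entries against a constructed asset inventory. The sample entries reuse the CVE identifiers named above, but every date and the inventory are constructed placeholders.

```python
"""Triage KEV catalog entries against a local asset inventory.

Added example (not from the article or CISA). The JSON layout mirrors the
public KEV feed's field names; the entries, dates and inventory below are
constructed for illustration only.
"""
import json
from datetime import date

# Constructed sample in the KEV feed shape. CVE IDs are the ones named in
# the article; dateAdded/dueDate values are placeholders, not real data.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2026-03-01",
         "dueDate": "2026-03-08", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise",
         "product": "ScreenConnect", "dateAdded": "2026-03-01",
         "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-20093", "vendorProject": "Cisco",
         "product": "Integrated Management Controller", "dateAdded": "2026-03-01",
         "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: (vendor, product) pairs present in the environment.
SAMPLE_INVENTORY = {
    ("Microsoft", "Windows"),
    ("Cisco", "Integrated Management Controller"),
}


def parse_kev(raw_json):
    """Return the list of vulnerability entries from KEV feed text."""
    return json.loads(raw_json).get("vulnerabilities", [])


def triage(entries, inventory, today_iso):
    """Keep entries whose vendor/product is in the inventory and rank them.

    Ordering: fewest days until the KEV due date first (overdue entries are
    negative), ties broken in favour of known ransomware use.
    """
    today = date.fromisoformat(today_iso)
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    results = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key not in wanted:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        results.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "dueDate": e["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    results.sort(key=lambda r: (r["days_left"], not r["ransomware"]))
    return results


def main():
    # Reference date is a constructed placeholder, like the sample dates.
    for r in triage(parse_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, "2026-03-10"):
        status = "OVERDUE" if r["overdue"] else f'{r["days_left"]}d left'
        print(f'{r["cveID"]:16} {r["product"]:40} due {r["dueDate"]} ({status})')


if __name__ == "__main__":
    main()
```

In real use, replace `SAMPLE_KEV_JSON` with the downloaded catalog and `SAMPLE_INVENTORY` with vendor/product pairs from your asset management system; matching on vendor and product rather than on CVE alone is what surfaces entries you did not know applied to you.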

Why It Matters

When CISA issues a KEV addition tied to APT28, it’s not a drill. This is a nation-state group with a long track record of targeting government agencies, defense contractors, and critical infrastructure. The Windows Shell flaw enabling network spoofing is particularly dangerous because it can be leveraged for lateral movement in environments where defenders assume internal network traffic is trustworthy.

The combination of this Windows zero-day with the Cisco SD-WAN and IMC vulnerabilities paints an ugly picture: attackers can potentially compromise network management infrastructure and endpoint systems simultaneously. Patch now, verify later.
