Cyber Posture

CVE-2026-32225

High

Published: 14 April 2026

Published
14 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0008 24.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32225 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Mark-of-the-Web Bypass (T1553.005); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Mark-of-the-Web Bypass (T1553.005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires identification, reporting, and correction of flaws such as the Windows Shell protection mechanism failure via timely patching as advised in the MSRC guidance.

SI-5 Security Alerts, Advisories, and Directives partial match
prevent

Ensures organizations receive and act on security advisories like the MSRC update for CVE-2026-32225 to enable rapid flaw remediation and mitigation deployment.

SC-7 Boundary Protection partial match
prevent

Monitors and controls communications at system boundaries to block unauthorized network access required for exploiting the Windows Shell vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1553.005 Mark-of-the-Web Bypass Defense Impairment
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.
attack.mitre.org →
Why these techniques?

Protection mechanism failure in Windows Shell directly enables Mark-of-the-Web bypass (sub-technique of Subvert Trust Controls) via network vector with user interaction, matching CWE-693 and described security feature bypass.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

Deeper analysisAI

CVE-2026-32225 is a protection mechanism failure vulnerability in the Windows Shell, published on 2026-04-14. It enables an unauthorized attacker to bypass a security feature over a network and is associated with CWE-693. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impacts.

The attack requires no privileges from the attacker (PR:N) and can be conducted over the network (AV:N) with low complexity (AC:L), though it necessitates user interaction (UI:R). Successful exploitation allows the attacker to bypass the protection mechanism, resulting in high confidentiality, integrity, and availability impacts on the affected system.

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32225.

Details

CWE(s)
CWE-693

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.9060 · ≤ 10.0.14393.9060
microsoft
windows 10 1809
≤ 10.0.17763.8644 · ≤ 10.0.17763.8644
microsoft
windows 10 21h2
≤ 10.0.19044.7184 · ≤ 10.0.19044.7184 · ≤ 10.0.19044.7184
microsoft
windows 10 22h2
≤ 10.0.19045.7184 · ≤ 10.0.19045.7184 · ≤ 10.0.19045.7184
microsoft
windows 11 23h2
≤ 10.0.22631.6936 · ≤ 10.0.22631.6936
microsoft
windows 11 24h2
≤ 10.0.26100.8246 · ≤ 10.0.26100.8246
microsoft
windows 11 25h2
≤ 10.0.26200.8246 · ≤ 10.0.26200.8246
microsoft
windows 11 26h1
≤ 10.0.28000.1836 · ≤ 10.0.28000.1836
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.9060
+4 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-49740Same product: Microsoft Windows 10 1607
CVE-2025-24061Same product: Microsoft Windows 10 1607
CVE-2026-32202Same product: Microsoft Windows 10 1607
CVE-2026-21510Same product: Microsoft Windows 10 1607
CVE-2026-21513Same product: Microsoft Windows 10 1607
CVE-2026-27916Same product: Microsoft Windows 10 1607
CVE-2026-32077Same product: Microsoft Windows 10 1607
CVE-2026-26168Same product: Microsoft Windows 10 1607
CVE-2026-24294Same product: Microsoft Windows 10 1607
CVE-2026-27914Same product: Microsoft Windows 10 1607

References