Microsoft confirms a Windows Shell flaw that lets attackers spoof anything in File Explorer is being exploited - patch now (CVE-2026-32202)

Microsoft confirmed yesterday that a Windows Shell spoofing flaw, CVE-2026-32202, is being exploited in the wild. The bug lets an attacker craft files that appear in File Explorer with fake names, icons, and paths - so a malicious .exe can show up looking like a benign PDF, leading users to double-click and run it. Microsoft patched the bug in the April 14 Patch Tuesday but only confirmed in-the-wild exploitation on April 28, raising urgency for any environment that hasn't deployed April patches. The flaw is particularly dangerous on shared file servers, USB drops, and email attachments - any path where users trust File Explorer to tell them what's what.

Check

Confirm every Windows endpoint has the April 14 Patch Tuesday update installed, especially any host that opens shared drives, USB drives, or email attachments.

Affected

Windows endpoints without the April 14, 2026 patch installed. CVE-2026-32202 affects all currently supported Windows versions including Windows 10, 11, and Server. Acute risk on hosts that handle external files: receptionists, finance staff opening invoices, IT staff handling user-submitted USB drives, anyone receiving email attachments from outside the organization.

Fix

Deploy the April 14 Patch Tuesday update via your usual patching process, prioritizing user endpoints over servers. Verify deployment with MDM rather than trusting WSUS compliance numbers. Enable 'show file extensions' as a Group Policy default. Re-train staff on file-trust basics this month. Watch for unusual process spawns from explorer.exe.