# CVE-2026-32157

> CVE-2026-32157 is a critical remote code execution vulnerability in Microsoft Active Directory Domain Services, disclosed as part of the April 2026 Patch Tuesday release, which addressed 167 vulnerabilities. An authenticated attacker with low privileges can write arbitrary LDAP attributes, leading to code execution on a domain controller (CVSS 9.0). The vulnerability is part of a massive patch release that includes two zero-days (CVE-2026-32201, a SharePoint spoofing flaw that is actively exploited, and CVE-2026-33825, a publicly disclosed Defender EoP), a wormable Windows TCP/IP IPv6 RCE (CVE-2026-23666, CVSS 9.8), and six additional

- **CVSS:** 9 (CRITICAL)
- **EPSS:** 0.1%
- **CWE:** CWE-20

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-32157
