New Vulnerability Discovered in Microsoft Windows
A recently uncovered issue in Microsoft Windows shows the unintended consequences of an incomplete security patch: the fix inadvertently created a new vulnerability that enables attackers to execute zero-click attacks without any interaction from users.
The original security flaw, designated CVE-2026-21510, allowed remote code execution when a user opened a malicious shortcut or HTML file, and was addressed in February. Further investigation by researchers revealed that the patch was not fully effective, which gave rise to a new vulnerability, CVE-2026-32202.
According to findings from Akamai, the new flaw permits attackers to trigger automatic authentication requests from a victim’s system when it merely processes specially crafted shortcut (.lnk) files. Because the attack unfolds without any user action, it is a zero-click exploit that can stealthily compromise credentials.
The vulnerabilities are part of a broader attack chain that includes another flaw, CVE-2026-21513, found within Microsoft’s MSHTML framework. Attackers have been observed using these issues in tandem to circumvent Windows security measures and execute malicious code.
The campaign has been linked to APT28, a cyber espionage group with ties to Russia, which has reportedly exploited these vulnerabilities in attacks directed at Ukraine and various entities within the European Union as early as late 2025.
In response, Microsoft has released a fix for the newly identified vulnerability as part of its April 2026 security updates. Nonetheless, the incident underscores a significant risk: incomplete patches can inadvertently create new attack surfaces, sometimes posing even greater threats than the original vulnerabilities.