CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202)

Attackers are actively exploiting CVE-2026-32202, a zero-click vulnerability in Windows Shell that makes victims’ systems authenticate to attacker-controlled servers without any user interaction, according to warnings from CISA and Microsoft.

About CVE-2026-32202

This vulnerability arises from an incomplete patch for CVE-2026-21510, which, chained with CVE-2026-21513, has been exploited by the APT28 group (also known as Fancy Bear) using weaponized LNK files to bypass Windows security measures. Microsoft addressed both vulnerabilities in February 2026, blocking the initial remote code execution and the SmartScreen bypass, but the fix did not eliminate the risk entirely: a victim’s machine still connects to the attacker’s server as soon as the folder containing the malicious LNK file is opened, because Windows Explorer renders the folder’s contents and fetches an icon for the shortcut.

As explained by Dahan, this interaction initiates a Server Message Block (SMB) connection to the attacker’s server, which triggers an automatic NTLM authentication handshake. The victim’s Net-NTLMv2 hash is thereby sent to the attacker, who can use it in NTLM relay attacks or crack it offline. The vulnerability affects a range of supported versions of Windows 10, Windows 11, and Windows Server.

Incomplete fixes, incomplete picture

The recent findings from Akamai underscore a significant risk: the gap between a patch being issued and systems being genuinely protected. That gap widens when vendors do not label a vulnerability as actively exploited at patch time. In this instance, Microsoft released a fix for CVE-2026-32202 on April 14, 2026, but did not mark it as exploited, leaving security teams without a clear signal to prioritize it. It was only more than two weeks later that CISA and Microsoft confirmed the vulnerability was being actively exploited.

Organizations are strongly advised to apply Microsoft’s April 14 patch if they have not already done so. Where possible, blocking outbound SMB traffic at the network perimeter also helps limit exposure to NTLM coercion attacks.
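As an added illustration (not code from the article, Akamai, or Microsoft), the following Python triage script scans a firewall log export for the traffic the coercion described above produces and the perimeter block is meant to stop: SMB connections from internal hosts to external addresses. The key=value log format, the internal ranges, and the sample entries are constructed assumptions, so adjust them to your own environment.

```python
import ipaddress
import re

# Assumed key=value export format (constructed for this example); adjust the
# pattern to the fields your firewall actually emits.
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)"
)
SMB_PORTS = {445, 139}  # SMB direct host and SMB over NetBIOS session service
# Explicit internal ranges (assumed); ipaddress.is_private would also match the documentation ranges below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_external_smb(lines):
    """Entries where an internal host speaks SMB to an external address; denied attempts count too."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["proto"].lower() != "tcp" or int(m["dport"]) not in SMB_PORTS:
            continue
        try:
            outbound = is_internal(m["src"]) and not is_internal(m["dst"])
        except ValueError:
            continue  # src/dst is not an IP literal (e.g. a hostname)
        if outbound:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "dport": int(m["dport"]), "action": m["action"]})
    return hits

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for attacker-controlled servers.
SAMPLE_LOG = [
    "ts=2026-04-29T09:12:01Z src=10.0.4.23 dst=10.0.1.5 proto=tcp dport=445 action=allow",
    "ts=2026-04-29T09:12:03Z src=10.0.4.23 dst=203.0.113.25 proto=tcp dport=445 action=allow",
    "ts=2026-04-29T09:12:04Z src=10.0.4.23 dst=203.0.113.25 proto=tcp dport=443 action=allow",
    "ts=2026-04-29T09:15:40Z src=10.0.7.88 dst=198.51.100.9 proto=tcp dport=139 action=deny",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for h in find_external_smb(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
```

A denied entry is still reported, because the attempt itself indicates that the source host was coerced and should be checked for the malicious LNK.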
