Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

What happened

Microsoft has revised its advisory for CVE-2026-32202, a Windows Shell spoofing vulnerability patched in April’s Patch Tuesday update, to confirm active exploitation in the wild after initially publishing incorrect exploitability metadata on April 14. The correction was made on April 27.

The vulnerability carries a CVSS score of 4.3 and allows an unauthorized attacker to access sensitive information over a network by sending a victim a malicious file that the victim executes. Microsoft noted that while the flaw affects confidentiality, attackers cannot modify disclosed information or affect availability.

Akamai researcher Maor Dahan, credited with discovering the bug, disclosed that CVE-2026-32202 stems from an incomplete patch for CVE-2026-21510, a higher-severity Windows Shell protection mechanism failure that Microsoft fixed in February 2026. That February patch addressed the remote code execution component by triggering a SmartScreen check on CPL file signatures and origin zones, but left an authentication coercion gap. When Windows resolves a UNC path embedded in a malicious LNK file, it automatically initiates an SMB connection to the attacker’s server, triggering an NTLM authentication handshake that sends the victim’s Net-NTLMv2 hash to the attacker without requiring any user interaction beyond opening the shortcut file. That hash can then be used in NTLM relay attacks or cracked offline.

CVE-2026-21510 was weaponized by APT28, the Russian military intelligence-linked group also known as Fancy Bear and Forest Blizzard, in a campaign targeting Ukraine and EU nations in December 2025. The group chained it with CVE-2026-21513, an MSHTML Framework bypass also patched in February, using malicious Windows Shortcut files to bypass Microsoft Defender SmartScreen and execute attacker-controlled code. Akamai had also linked CVE-2026-21513 to APT28 activity following discovery of a malicious artifact from January 2026.

Who is affected

Organizations running Windows systems that have not applied the April 2026 Patch Tuesday update are directly exposed to CVE-2026-32202. The broader exploit chain involving CVE-2026-21510 and CVE-2026-21513 targeted Ukrainian and EU government and organizational networks, but the zero-click credential theft vector created by the incomplete February patch has implications for any environment where LNK files can reach user systems.

Why CISOs should care

A CVSS score of 4.3 understates the operational risk here. The residual vulnerability left by the incomplete February patch is a zero-click credential theft vector: a user does not need to execute the malicious file, only open the shortcut, to trigger an automatic NTLM handshake that delivers their Net-NTLMv2 hash to an attacker. That hash enables NTLM relay attacks and offline cracking, providing a path to lateral movement and privilege escalation that goes well beyond what the confidentiality-only CVSS rating suggests.

The incomplete patch pattern is also worth noting for security teams that treat a CVE’s closure as a clean resolution. CVE-2026-21510 was fixed in February. The fix introduced a residual gap that APT28 could still exploit, and that gap is now confirmed as actively exploited under a new CVE number.

3 practical actions

  1. Apply the April 2026 Patch Tuesday update immediately if not already deployed: CVE-2026-32202 was addressed in this month’s update. Organizations that have not yet applied it remain exposed to a confirmed actively exploited zero-click credential theft vector.
  2. Audit NTLM usage and implement relay attack mitigations: The exploit chain relies on automatic NTLM authentication triggered by UNC path resolution. Review whether NTLM can be disabled or restricted in your environment, enable SMB signing to mitigate relay attacks, and consider blocking outbound SMB connections at the network perimeter to prevent hash exfiltration to external servers.
  3. Hunt for APT28 indicators related to the December 2025 LNK campaign: Akamai has published technical details on the exploit chain used by APT28 in the December campaign. Security teams in EU and Ukraine-adjacent environments in particular should hunt for malicious LNK files, unexpected SMB connections to external hosts, and CPL file execution outside of approved software.
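The mechanism described under "What happened" (a UNC target inside an LNK file makes Windows open an SMB session as soon as the shortcut is resolved) and the LNK hunt in action 3 are both served by triage tooling that pulls the target paths out of shortcut files before anyone opens them. The script below is an added example written for this page; it is not part of the article and not Akamai's or Microsoft's tooling. It parses the documented Shell Link layout (MS-SHLLINK header, LinkTargetIDList, LinkInfo and StringData) and reports every field that references a `\\host\share` path, skipping hosts on an allow-list of known internal file servers. The two sample shortcuts, the host name `external-host.example`, the drive serial number and the allow-list entry `fs01` are all constructed for the demonstration.

```python
import re
import struct

# Shell Link header CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order when their LinkFlags bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# \\host\share anywhere in a string value; group 1 is the host part.
UNC_RE = re.compile(r"\\\\([^\\/\s]+)\\[^\\/\s]+")


def _cstr(buf: bytes, off: int) -> str:
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")


def parse_lnk(data: bytes) -> dict:
    """Extract the path-bearing fields of a .lnk file following the MS-SHLLINK layout."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, fields = 76, {}
    if flags & HAS_IDLIST:                      # skip the LinkTargetIDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath
            fields["local_base_path"] = _cstr(data, pos + local_off)
        if li_flags & 0x2:                      # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = pos + cnrl_off
            net_off = struct.unpack_from("<3I", data, cnrl)[2]   # NetNameOffset
            fields["net_name"] = _cstr(data, cnrl + net_off)
        fields["common_path_suffix"] = _cstr(data, pos + suffix_off)
        pos += li_size
    for bit, name in STRING_FIELDS:             # CountCharacters followed by the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
                pos += count
    return fields


def find_unc_targets(fields: dict, trusted_hosts=()) -> list:
    """Return (field, unc_path, host) for every UNC reference whose host is not allow-listed."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for name, value in sorted(fields.items()):
        for m in UNC_RE.finditer(value):
            if m.group(1).lower() not in trusted:
                hits.append((name, m.group(0), m.group(1)))
    return hits


# ---- constructed sample shortcuts (built here, not captured from any real campaign) ----

def _header(flags: int) -> bytes:
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    return struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)


def _idlist(items) -> bytes:
    body = b"".join(struct.pack("<H", 2 + len(i)) + i for i in items) + b"\x00\x00"
    return struct.pack("<H", len(body)) + body


def _strings(*values: str) -> bytes:
    return b"".join(struct.pack("<H", len(v)) + v.encode("utf-16-le") for v in values)


def _network_linkinfo(net_name: str, suffix: str) -> bytes:
    net = net_name.encode() + b"\x00"
    cnrl = struct.pack("<5I", 20 + len(net), 0x2, 20, 0, 0x20000) + net   # 0x20000 = WNNC_NET_LANMAN
    suf = suffix.encode() + b"\x00"
    return struct.pack("<7I", 28 + len(cnrl) + len(suf), 28, 0x2, 0, 0, 28, 28 + len(cnrl)) + cnrl + suf


def _local_linkinfo(local_path: str) -> bytes:
    vol = struct.pack("<4I", 19, 3, 0x1234ABCD, 16) + b"OS\x00"   # DriveType 3 = DRIVE_FIXED, constructed serial
    lp = local_path.encode() + b"\x00"
    header = struct.pack("<7I", 28 + len(vol) + len(lp) + 1, 28, 0x1,
                         28, 28 + len(vol), 0, 28 + len(vol) + len(lp))
    return header + vol + lp + b"\x00"


# Shortcut whose LinkInfo resolves to a share on a constructed external host: this is what to flag.
NETWORK_LNK = (_header(HAS_IDLIST | HAS_LINKINFO | 0x10 | 0x40 | IS_UNICODE)
               + _idlist([b"\x1f\x50\xe0\x4f"])
               + _network_linkinfo(r"\\external-host.example\share", "readme.txt")
               + _strings(r"C:\Windows", r"%SystemRoot%\system32\shell32.dll"))

# Ordinary shortcut to a local file; must not be flagged.
LOCAL_LNK = (_header(HAS_LINKINFO | 0x08 | IS_UNICODE)
             + _local_linkinfo(r"C:\Users\Public\readme.txt")
             + _strings(r".\readme.txt"))


if __name__ == "__main__":
    for label, blob in (("network", NETWORK_LNK), ("local", LOCAL_LNK)):
        print(label, find_unc_targets(parse_lnk(blob), trusted_hosts={"fs01"}))
```

Run against a quarantined mail attachment or a directory of user downloads, a non-empty result from `find_unc_targets` is a reason to block the file and look for the corresponding outbound SMB attempt in firewall or Sysmon network-connection logs; the allow-list keeps shortcuts to legitimate internal shares out of the queue. The parser deliberately stops after StringData and ignores ExtraData blocks, so a UNC path hidden only in an EnvironmentVariableDataBlock would not be reported by this version.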