Microsoft Confirms Active Exploitation of Windows Shell Vulnerability CVE-2026-32202
Microsoft has updated its advisory for a Windows Shell security flaw tracked as CVE-2026-32202 to acknowledge that it is being exploited in the wild. The vulnerability, which carries a CVSS score of 4.3, is classified as a spoofing issue whose impact is the disclosure of sensitive information. It was first addressed in the April 2026 Patch Tuesday update.
According to Microsoft's advisory, the bug is a protection mechanism failure in Windows Shell that lets an unauthorized attacker perform spoofing over a network. In Microsoft's description, exploitation requires the attacker to deliver a malicious file to the victim, who then opens it. The impact is limited to confidentiality: a successful attack can expose certain sensitive information, but the attacker cannot modify the disclosed data or deny access to the resource.
On April 27, 2026, Microsoft corrected the Exploitability Index, the Exploited flag and the CVSS vector for the vulnerability, noting that the original publication on April 14 contained inaccuracies. Microsoft has not shared details of the exploitation activity. Akamai security researcher Maor Dahan, who discovered and reported the bug, said it stems from an incomplete patch for CVE-2026-21510 and described it as zero-click. That characterization differs from Microsoft's "victim must open the file" wording: in Akamai's analysis, the trigger is Windows Shell parsing the shortcut, which needs no user interaction.
CVE-2026-21510 and CVE-2026-21513 have both been exploited by the Russian state-sponsored group APT28 (also tracked as Fancy Bear, Forest Blizzard, GruesomeLarch and Pawn Storm) as part of a single exploit chain. CVE-2026-21510 is a protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network; CVE-2026-21513 is a similar flaw in the MSHTML Framework. Microsoft patched both in February 2026.
The campaign, which targeted Ukraine and European Union countries in December 2025, used malicious Windows Shortcut (LNK) files to trigger the two bugs. The chain bypassed Microsoft Defender SmartScreen and led to execution of attacker-controlled code. APT28 abused the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server referenced by a Universal Naming Convention (UNC) path. The DLL was loaded as a Control Panel item (CPL) without any validation of the network zone it came from.
Akamai noted that the February 2026 patch removed the remote code execution risk by subjecting the CPL file to a SmartScreen check of its digital signature and origin zone, but that the check happens only after the shell has already resolved the UNC path. As a result the victim's machine still opens an SMB connection to the attacker's server, with no user interaction, when the shortcut is parsed. SMB session setup negotiates NTLM authentication, and the client answers the attacker-supplied challenge with the user's Net-NTLMv2 response (commonly called the Net-NTLMv2 hash). That response can be relayed to another service that accepts NTLM and does not enforce signing or channel binding, or it can be cracked offline if the password is weak.
In summary, the February 2026 fix for CVE-2026-21510 closed the remote code execution path but left an authentication coercion flaw, now tracked as CVE-2026-32202, in place. The gap between resolving the path and verifying trust left a zero-click credential-theft vector through shortcut files that Windows Shell parses automatically, and the April 2026 update is what closes it. Until it is applied, standard egress controls (blocking outbound TCP 445 and WebDAV to the internet) and the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy limit what a coerced client can leak.