Zero-day | Apr 27, 2026

Incomplete Windows Patch Opens Door to Zero-Click Attacks

Incomplete Windows patch creates zero-click attack chain exploited by APT28 against Ukraine and EU.

Summary

An incomplete Microsoft patch for CVE-2026-21510 left a critical authentication coercion vulnerability (CVE-2026-32202) that allows zero-click credential theft via LNK files. Russia-linked APT28 exploited a chain of flaws (CVE-2026-21510, CVE-2026-21513, CVE-2026-32202) in December 2025 to bypass Windows security features and achieve RCE against targets in Ukraine and EU countries. Microsoft patched CVE-2026-32202 in April 2026, but the incident highlights risks of incomplete security fixes.

Full text

An incomplete patch for a Windows SmartScreen and Windows Shell security prompt bypass created a new bug enabling zero-click attacks, Akamai reports.

The initial vulnerability, tracked as CVE-2026-21510 and patched in February, could be exploited for remote code execution (RCE) if the attacker could convince the victim to open a malicious shortcut file. Microsoft warned at the time that the flaw had been exploited as a zero-day, without providing details on the observed attacks.

Now, Akamai says Russia-linked APT28, also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy, exploited CVE-2026-21510 in attacks that also targeted CVE-2026-21513, a security feature bypass in the MSHTML framework that was also patched in February.

“An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system,” Microsoft explains in its advisory.

Akamai attributed CVE-2026-21513’s exploitation to APT28 in late February, but did not mention CVE-2026-21510, because it had previously discovered the incomplete patch.

The lack of proper patching, it says, resulted in a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials via auto-parsed LNK files.

“We then found an incomplete patch and disclosed it to Microsoft. The new vulnerability, CVE-2026-32202, caused the victim to authenticate the attacker’s server without user interaction (zero click),” Akamai says.

Microsoft released fixes for CVE-2026-32202 as part of the April 2026 patches. Its advisory flags the security defect as exploited, but does not detail the observed attacks.
According to Akamai, these vulnerabilities were likely exploited by APT28 in December 2025, in attacks against Ukraine and European Union countries. As part of the campaign, the APT used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows’ security features and achieve remote code execution (RCE).

“APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation,” Akamai explains.

Analysis of the patches rolled out in February revealed that, while the RCE path was mitigated by enforcing SmartScreen verification of the file’s digital signature and origin zone, “the victim machine was still authenticating to the attacker’s server.”

The issue, Akamai says, is that the trust verification fires during a call at the end of the launch chain and therefore misses an earlier stage in that chain. When rendering the contents of the folder containing the malicious LNK file, Windows Explorer asks shell32 to fetch an icon from a UNC path, triggering a Server Message Block (SMB) connection to the attackers’ server without user interaction.

The “connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking,” Akamai notes.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
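A defender-side check for the auto-parsed shortcut behaviour described above, written as an added example (it is not Akamai's or Microsoft's code): it walks the Shell Link header and StringData section as laid out in MS-SHLLINK and flags shortcuts whose IconLocation, or any other string field, points at a UNC share, which is the field Explorer resolves when it merely renders the folder. The `build_fixture` helper and the 203.0.113.10 TEST-NET address are constructed test inputs, not samples from the campaign.

```python
import struct

# Shell Link (MS-SHLLINK) constants: header size, LinkCLSID and LinkFlags bits.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each present only if its LinkFlags bit is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as {field_name: str}."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:        # LinkTargetIDList: 2-byte IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfo: 4-byte LinkInfoSize that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        fields[name] = data[pos:pos + size].decode("utf-16-le" if unicode else "cp1252", "replace")
        pos += size
    return fields


def unc_string_fields(data: bytes) -> list:
    """String fields pointing at a remote share; icon_location is the zero-click case."""
    return [(name, val) for name, val in parse_lnk_strings(data).items()
            if val.startswith(("\\\\", "//"))]


def build_fixture(icon_location: str) -> bytes:
    """Constructed minimal .lnk with only IconLocation set (test input, not a real sample)."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", 0x40 | IS_UNICODE)
    header += bytes(HEADER_SIZE - len(header))      # remaining header fields zeroed
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

This parser does not inspect LinkInfo's CommonNetworkRelativeLink or the IconEnvironmentDataBlock in ExtraData, so a production scanner should cover those paths too; pairing it with a block on outbound SMB to untrusted networks stops the NTLM handshake regardless of how the path is embedded.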

Indicators of Compromise

  • cve — CVE-2026-21510
  • cve — CVE-2026-21513
  • cve — CVE-2026-32202

Entities

  • Microsoft (vendor)
  • Windows SmartScreen (product)
  • MSHTML (product)
  • APT28 (threat_actor)
  • Akamai (vendor)