Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Summary

Microsoft acknowledged active in-the-wild exploitation of CVE-2026-32202, a high-severity Windows Shell spoofing vulnerability (CVSS 4.3) patched in April 2026. The flaw stems from an incomplete patch for CVE-2026-21510 and is being weaponized by Russian APT28 in a zero-click credential theft attack chain targeting Ukraine and EU nations since December 2025. The attack uses malicious LNK files to bypass Microsoft Defender SmartScreen and coerce NTLM authentication, enabling credential harvesting for relay attacks.

Full text

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Ravie LakshmananApr 28, 2026Vulnerability / Threat Intelligence Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild. The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this month. "Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network," Microsoft noted in an alert. "An attacker would have to send the victim a malicious file that the victim would have to execute." "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability)." On April 27, 2026, Microsoft said it rectified the "Exploitability Index, Exploited flag, and CVSS vector" as they were incorrect when they were published on April 14. While the tech giant did not share any details about the exploitation activity, Akamai security researcher Maor Dahan, who is credited with discovering and reporting the bug, said the zero-click vulnerability stems from an incomplete patch for CVE-2026-21510. The latter has been weaponized by a Russian nation-state group tracked as APT28 (aka Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm) along with CVE-2026-21513 as part of an exploit chain - CVE-2026-21510 (CVSS score: 8.8) - A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026) CVE-2026-21513 (CVSS score: 8.8) - A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026) It's worth noting that the abuse of CVE-2026-21513 was also flagged by the web infrastructure and security company early last month, linking it to APT28 after unearthing a malicious artifact in January 2026. CVE-2026-21510 Exploitation The campaign, targeting Ukraine and E.U. nations in December 2025, leverages a malicious Windows Shortcut (LNK) file to exploit the two vulnerabilities, effectively bypassing Microsoft Defender SmartScreen and enabling attacker-controlled code to be executed. "APT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path," Dahan explained. "The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation. Akamai said the February 2026 patch, while mitigating the remote code execution risk by triggering a SmartScreen check of the CPL file's digital signature and origin zone, still allowed the victim machine to authenticate to the attacker's server and automatically fetch the CPL file by resolving the Universal Naming Convention (UNC) path and initiating an SMB connection without requiring user interaction. "When that path is a UNC path (like '\\attacker.com\share\payload.cpl'), Windows initiates an SMB connection to the attacker's server," Dahan said. "This server message block (SMB) connection triggers an automatic NTLM authentication handshake, sending the victim's Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking." "While Microsoft fixed the initial RCE (CVE-2026-21510), an authentication coercion flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Credential Theft, cybersecurity, Microsoft, NTLM relay, patch Tuesday, Threat Intelligence, Vulnerability, Windows Trending News 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation The Hidden Security Risks of Shadow AI in Enterprises Your MTTD Looks Great. Your Post-Alert Gap Doesn't Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization

Indicators of Compromise

• cve — CVE-2026-32202
• cve — CVE-2026-21510
• cve — CVE-2026-21513

Entities