HelpnetSecurity

CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202)


Attackers are exploiting CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability that causes victims’ systems to authenticate the attacker’s server, CISA and Microsoft have warned.

About CVE-2026-32202

CVE-2026-32202 stems from an incomplete patch for CVE-2026-21510, a vulnerability that, in conjunction with CVE-2026-21513, has been exploited by APT28 (aka Fancy Bear) via weaponized LNK files that bypass Windows security features.

Microsoft fixed those two flaws in February 2026, successfully preventing the initial remote code execution and SmartScreen bypass.

But, as Akamai’s Dahan found, the fix did not stop the victim machine from reaching out to the attacker’s server, even when the victim never opened the malicious LNK (Windows shortcut) file.

The SMB connection is initiated as soon as the user opens the folder into which the LNK file was downloaded: Windows Explorer renders the folder’s contents and, to draw the shortcut’s icon, tries to fetch it from the location the shortcut specifies, which the attacker has pointed at their own server.

“This server message block (SMB) connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking,” Dahan explained.
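The trigger described above lives in the shortcut file itself, so the practical check is to look at the icon path a downloaded .lnk carries before Explorer ever lists it. The following is an added example, not code from the article, Akamai or Microsoft: a small parser for the Shell Link binary format (MS-SHLLINK) that walks the fixed header, the optional LinkTargetIDList and LinkInfo structures, the StringData fields and the ExtraData blocks, and reports any icon location that is a UNC path (the ICON_LOCATION string or an IconEnvironmentDataBlock). The .lnk bytes it examines are constructed in the script, and the 203.0.113.7 address is documentation space, not a real attacker host.

```python
"""Triage Windows .lnk files for icon locations that point at a remote host.

Added example, not code from the article, Akamai or Microsoft. A UNC path in
the icon location makes Explorer open an SMB session to that host merely to
render the folder, which is the zero-click NTLM coercion the article describes.
Sample .lnk bytes are constructed below; they are not real malware samples.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
ENVIRONMENT_BLOCK, ICON_ENVIRONMENT_BLOCK = 0xA0000001, 0xA0000007


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus any path-bearing ExtraData blocks."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:              # fixed order per the specification
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    # ExtraData: BlockSize, BlockSignature, payload ... until a block with size < 4.
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig in (ENVIRONMENT_BLOCK, ICON_ENVIRONMENT_BLOCK) and size == 0x314:
            unicode_target = data[pos + 8 + 260:pos + 8 + 260 + 520]   # TargetUnicode field
            key = "icon_environment" if sig == ICON_ENVIRONMENT_BLOCK else "environment"
            fields[key] = unicode_target.decode("utf-16-le").split("\x00", 1)[0]
        pos += size
    return fields


def is_remote_path(path: str) -> bool:
    """True for UNC paths (\\\\host\\share\\..., also the //host/share form)."""
    p = path.strip()
    return p.startswith("\\\\") or p.startswith("//")


def remote_icon_hosts(data: bytes) -> list:
    """Remote icon paths Explorer would resolve just by listing the file's folder."""
    fields = parse_lnk(data)
    return [fields[k] for k in ("icon_location", "icon_environment")
            if k in fields and is_remote_path(fields[k])]


def build_lnk(icon_location=None, icon_env=None, unicode=True) -> bytes:
    """Construct a minimal .lnk (test fixture) carrying an icon location and/or
    an IconEnvironmentDataBlock; no target, LinkInfo or other strings."""
    flags = (HAS_ICON_LOCATION if icon_location is not None else 0) | (IS_UNICODE if unicode else 0)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0)               # FileAttributes
              + b"\x00" * 24                        # Creation/Access/Write FILETIMEs
              + struct.pack("<IIIH", 0, 0, 1, 0)    # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                       # Reserved1/2/3
    body = b""
    if icon_location is not None:
        text = icon_location.encode("utf-16-le") if unicode else icon_location.encode("cp1252")
        body += struct.pack("<H", len(icon_location)) + text
    if icon_env is not None:                        # 8-byte block header + 260 ANSI + 520 Unicode
        body += (struct.pack("<II", 0x314, ICON_ENVIRONMENT_BLOCK)
                 + icon_env.encode("cp1252").ljust(260, b"\x00")
                 + icon_env.encode("utf-16-le").ljust(520, b"\x00"))
    return header + body + struct.pack("<I", 0)     # terminal block


# Constructed samples: a benign shortcut and one that coerces an SMB connection.
BENIGN_LNK = build_lnk(r"%SystemRoot%\System32\shell32.dll")
COERCING_LNK = build_lnk(r"\\203.0.113.7\share\icon.ico")    # documentation address, not a real host

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as f:
            hits = remote_icon_hosts(f.read())
        print(f"{name}: {'REMOTE ICON ' + ', '.join(hits) if hits else 'local icon'}")
    print("constructed samples:", remote_icon_hosts(BENIGN_LNK), remote_icon_hosts(COERCING_LNK))
```

Run it against a download directory (`python lnk_icon_check.py ~/Downloads/*.lnk`) from a system that will not resolve the path itself; the parser never touches the referenced host, it only reads bytes. Note that the same UNC-path check applies to the other StringData fields and to the EnvironmentVariableDataBlock, which the parser also returns, if you want to extend the triage to the shortcut target rather than just the icon.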

CVE-2026-32202 affects a range of supported Windows 10, 11, and Windows Server versions.

Incomplete fixes, incomplete picture

Akamai’s discovery highlights the risky gap between a patch being issued and systems being genuinely protected.

That risk is compounded when a vendor does not flag a vulnerability as actively exploited at the time of patching, which is what happened here: Microsoft shipped the fix for CVE-2026-32202 on April 14, 2026, without marking it as exploited, so security teams had no formal signal to prioritize it.

CISA’s and Microsoft’s confirmation of active exploitation came more than two weeks later.

Organizations should apply Microsoft’s April 14 patch if they haven’t already. Where feasible, blocking outbound SMB (TCP 445) at the network perimeter will also limit exposure to NTLM coercion attacks, with two caveats: it only stops the victim’s hash from reaching internet-hosted servers, not an attacker host already inside the network, and a UNC icon path can still be reached over WebDAV (ports 80/443) on machines where the WebClient service is running.



