Microsoft’s partial patching in February 2026 of a zero-day vulnerability abused by Russian state-sponsored threat group Fancy Bear created a new flaw that is now being exploited without user interaction, Akamai said.
The vulnerability is a zero-click coercion bug, indexed as CVE-2026-32202, and uses a .lnk shortcut file that causes the victim machine to authenticate involuntarily to the attacker’s server.
In its updated advisory, Microsoft has acknowledged that the flaw is being exploited, saying it is a Windows Shell spoofing vulnerability.
Akamai researcher Maor Dahan said the exploit was detected in January this year.
Microsoft originally patched the vulnerability, CVE-2026-21510, in its February round of security updates, but that fix was incomplete.
Dahan said the February patch handled the initial remote code execution (RCE) and Windows SmartScreen bypass, but when the operating system's Explorer file manager renders the contents of a folder that contains the malicious .lnk file, a targeted computer will initiate a Server Message Block (SMB) protocol connection to an attacker’s server, without user interaction.
That connection then triggers an automatic authentication handshake that sends the victim machine’s NTLMv2 hash to the attacker; the hash can later be used for NTLM relay attacks and be cracked offline.
On top of applying Microsoft’s patch for CVE-2026-32202, administrators are also advised to block outgoing traffic on TCP ports 139 and 445 to prevent attacks.
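One way to check that the egress block on TCP 139 and 445 is working, and to find hosts that have already reached an SMB server outside the network, is to scan host firewall logs. The following is an added example, not code from Akamai or Microsoft. It assumes Windows Firewall logging in the `pfirewall.log` field layout and an RFC 1918 address plan; the function name and the log lines are constructed for illustration.

```python
import ipaddress

SMB_PORTS = {139, 445}  # TCP ports the article advises blocking outbound
# Assumption: these ranges are "internal"; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample in the pfirewall.log layout (documentation addresses).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-21 09:14:02 ALLOW TCP 10.1.4.23 10.1.0.10 49811 445 0 - 0 0 0 - - - SEND
2026-04-21 09:14:07 ALLOW TCP 10.1.4.23 203.0.113.77 49815 445 0 - 0 0 0 - - - SEND
2026-04-21 09:15:40 DROP TCP 10.1.4.31 198.51.100.9 50122 139 0 - 0 0 0 - - - SEND
2026-04-21 09:16:03 ALLOW TCP 198.51.100.9 10.1.4.31 51200 445 0 - 0 0 0 - - - RECEIVE
2026-04-21 09:16:10 ALLOW UDP 10.1.4.23 203.0.113.77 53001 445 0 - - - - - - - SEND
2026-04-21 09:17:55 ALLOW TCP 10.1.4.23 203.0.113.77 49820 443 0 - 0 0 0 - - - SEND
"""

def external_smb_flows(log_text, internal=INTERNAL_NETS):
    """Return outbound TCP 139/445 flows to destinations outside `internal`."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        try:
            if rec["protocol"] != "TCP" or rec["path"] != "SEND":
                continue                   # only outbound TCP is of interest
            port = int(rec["dst-port"])
            dst = ipaddress.ip_address(rec["dst-ip"])
            when, src, action = f'{rec["date"]} {rec["time"]}', rec["src-ip"], rec["action"]
        except (KeyError, ValueError):
            continue                       # skip truncated or malformed rows
        if port in SMB_PORTS and not any(dst in net for net in internal):
            hits.append({"time": when, "src": src, "dst": str(dst),
                         "port": port, "action": action})
    return hits

if __name__ == "__main__":
    for h in external_smb_flows(SAMPLE_LOG):
        # ALLOW: the host firewall let the SMB connection out; DROP: the block fired.
        print(h["action"], h["time"], h["src"], "->", f'{h["dst"]}:{h["port"]}')
```

An ALLOW row only shows that the host firewall permitted the connection; whether it left the network depends on the perimeter rules.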

