CyberSecurityNews

New Windows 0-Click Vulnerability Exploited to Bypass Defender SmartScreen


A critical zero-click authentication coercion vulnerability, tracked as CVE-2026-32202, stems from an incomplete patch for a Windows Shell security feature bypass that was actively weaponized by the Russian APT28 threat group.

Microsoft confirmed active exploitation of the flaw and released a fix as part of its April 2026 Patch Tuesday update.

According to CERT-UA, the APT28 threat actor, also known as Fancy Bear, Forest Blizzard, and Pawn Storm, launched a targeted cyberattack campaign against Ukraine and several EU countries in December 2025, leveraging a weaponized LNK (Windows Shortcut) file.

Akamai researchers detected the campaign in January 2026, tracing the infection vector to two chained vulnerabilities: CVE-2026-21513 (an MSHTML exploit) and CVE-2026-21510 (a Windows Shell SmartScreen bypass with a CVSS score of 8.8).

Windows Shell 0-Click Vulnerability Exploited

The attack’s primary mechanism abuses the Windows Shell namespace parsing pipeline. APT28 embedded a malicious LinkTargetIDList structure inside the LNK file, a binary IDList that Windows Explorer parses and renders, similar to how Control Panel items are displayed.

Conceptual flow of CVE-2026-21510 exploitation (source: Akamai)

The IDList contained three key components: a CLSID representing the Control Panel COM object, a second entry for “all control panel items,” and a third _IDCONTROLW structure embedding a UNC path pointing to the attacker’s remote server.

When the victim’s explorer.exe parsed this LNK file, it resolved the malicious path as:

::{26EE0668-A00A-44D7-9371-BEB064C98683}\{GENERATED GUID OF THE UNC PATH}

This caused Windows to load a DLL from the attacker-controlled server, treating it as a Control Panel (CPL) component, without triggering SmartScreen or Mark of the Web (MotW) verification.

Microsoft addressed CVE-2026-21510 during its February 2026 Patch Tuesday, introducing a new COM object called ControlPanelLinkSite that bridges the CPL launch path with ShellExecute’s trust verification pipeline.

The patch introduced a new fMask bit (0x08000000) that forces the ShellExecute pipeline to query IVerifyingTrust, ultimately triggering SmartScreen verification of the CPL file’s digital signature and origin zone before execution.

Using its PatchDiff-AI analysis tool, Akamai confirmed that the fix successfully blocked the RCE vector — unsigned or remote CPLs were no longer silently executed.

However, Akamai researchers noticed something critical: the victim machine was still authenticating to the attacker’s server even after the patch was applied.

The trust verification introduced by Microsoft fires during the ShellExecuteExW call at the very end of the CPL launch chain. But a far earlier trigger exists in CControlPanelFolder::GetUIObjectOf — the function Windows Explorer calls to extract an icon for the CPL IDList item when rendering a folder’s contents.

Deep inside this chain, a PathFileExistsW call in GetModuleMapped causes Windows to resolve the UNC path and initiate an SMB connection to the attacker’s server the moment a folder containing the malicious LNK file is opened — with no user click required.

When the UNC path resolves (e.g., \\attacker.com\share\payload.cpl), Windows automatically triggers an NTLM authentication handshake, transmitting the victim’s Net-NTLMv2 hash to the attacker’s server.

This credential can subsequently be used for NTLM relay attacks or offline password cracking, all without any user interaction beyond navigating to the compromised folder.

This residual flaw was classified as CVE-2026-32202 (CVSS: 4.3), described officially as a “protection mechanism failure in Windows Shell” that allows an unauthorized attacker to perform spoofing over a network.

Organizations should apply Microsoft’s April 2026 Patch Tuesday updates immediately to remediate CVE-2026-32202. Security teams should also monitor for outbound SMB traffic to external hosts and enforce NTLMv2 restrictions or transition to Kerberos-only authentication where possible.

Given that Microsoft has flagged this vulnerability as actively exploited in the wild, defenders should treat unpatched systems as high-priority exposure, particularly in environments where LNK files traverse shared folders or network drives.
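The monitoring advice above turned into a check, as an added example that is not part of the article or of Akamai's or Microsoft's tooling: a Python detector over constructed Sysmon Event ID 3 (network connection) records that flags outbound SMB connections to hosts outside assumed internal ranges, rating explorer.exe as the highest-severity initiator because that is the process the icon-rendering path coerces. The field names follow Sysmon's network-connection event; the internal ranges and the sample records are assumptions made for this example.

```python
import ipaddress
import json
from typing import Iterable, List, Optional

SMB_PORTS = {445, 139}  # SMB over TCP and the legacy NetBIOS session port

# Assumed internal ranges; ipaddress.is_private is not used because it also
# treats the TEST-NET documentation ranges used in the samples below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Sysmon Event ID 3 (network connection) records in JSON-export form; not real telemetry.
SAMPLE_EVENTS = [
    '{"EventID": 3, "Image": "C:\\\\Windows\\\\explorer.exe", "User": "CORP\\\\alice", "Initiated": "true", "DestinationIp": "10.20.30.5", "DestinationPort": 445}',
    '{"EventID": 3, "Image": "C:\\\\Windows\\\\explorer.exe", "User": "CORP\\\\alice", "Initiated": "true", "DestinationIp": "203.0.113.7", "DestinationPort": 445}',
    '{"EventID": 3, "Image": "C:\\\\Program Files\\\\Backup\\\\agent.exe", "User": "NT AUTHORITY\\\\SYSTEM", "Initiated": "true", "DestinationIp": "198.51.100.9", "DestinationPort": 445}',
    '{"EventID": 3, "Image": "C:\\\\Windows\\\\explorer.exe", "User": "CORP\\\\alice", "Initiated": "true", "DestinationIp": "203.0.113.7", "DestinationPort": 443}',
    '{"EventID": 1, "Image": "C:\\\\Windows\\\\explorer.exe", "User": "CORP\\\\alice"}',
]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(event: dict) -> Optional[str]:
    """Severity for an outbound SMB connection to an external host, or None if not of interest."""
    if event.get("EventID") != 3 or str(event.get("Initiated", "")).lower() != "true":
        return None  # only connections this host initiated matter here
    if int(event.get("DestinationPort", 0)) not in SMB_PORTS:
        return None
    if is_internal(event["DestinationIp"]):
        return None  # file-server traffic inside the estate is expected
    # explorer.exe is the process coerced when a folder holding the LNK is rendered,
    # so an SMB connection it opens to an external host is the strongest signal.
    if event.get("Image", "").lower().endswith("\\explorer.exe"):
        return "high"
    return "medium"  # any other process: still review, per the outbound-SMB advice

def detect(lines: Iterable[str]) -> List[dict]:
    findings = []
    for line in lines:
        ev = json.loads(line)
        severity = classify(ev)
        if severity:
            findings.append({"severity": severity, "image": ev["Image"], "user": ev.get("User"),
                             "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'})
    return findings
```

Running detect(SAMPLE_EVENTS) yields two findings: the explorer.exe connection to 203.0.113.7:445 rated high, and the agent.exe connection to 198.51.100.9:445 rated medium; the internal file-server connection, the HTTPS connection and the process-creation event are ignored.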

This incident serves as a sharp reminder that incomplete patches can introduce secondary attack surfaces.

The gap between path resolution and trust verification in the Windows Shell pipeline, exploited first by APT28 and later uncovered by Akamai, underscores the necessity of thorough patch diffing and post-fix regression testing before marking a vulnerability as fully remediated.
