Windows Shell Zero‑Click Vulnerability CVE‑2026‑32202

In April 2026, Microsoft confirmed active exploitation of a zero‑click Windows Shell vulnerability tracked as CVE‑2026‑32202. The flaw allows attackers to silently steal NTLM credentials when a user merely views a folder containing a malicious shortcut—no opening, clicking, or execution required. The issue stems from an incomplete February patch and has been abused in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog with a federal patch deadline of May 12, 2026.

What makes this “zero‑click”?

Unlike typical phishing or malware attacks that require user interaction, this flaw triggers when Windows Explorer renders a directory. Explorer automatically parses shortcut metadata (e.g., to fetch icons). A crafted .lnk file can embed a UNC path (e.g., \\attacker\share\file) that causes Windows to auto‑initiate an SMB connection to an attacker‑controlled server—without any user action—leaking the victim’s Net‑NTLMv2 hash.

Root cause and patch lineage

  • February 2026: Microsoft patches CVE‑2026‑21510 (Windows Shell namespace parsing; used with CVE‑2026‑21513 in attacks by Russia‑linked APT28). The fix blocks a remote code execution path but does not fully close an authentication‑coercion path.
  • Discovery: Akamai researchers find the incomplete fix leaves a zero‑click credential‑theft vector.
  • April 14, 2026: Microsoft ships a patch for CVE‑2026‑32202 (initially assessed as moderate severity).
  • April 27–29, 2026: Microsoft and CISA update advisories to confirm active exploitation; CVE added to KEV.

Impact

  • Credential theft: Steals NTLMv2 hashes, enabling NTLM relay, lateral movement, and potential domain compromise.
  • Stealth: No prompts or warnings; browsing a folder is enough.
  • Attribution: Observed in campaigns attributed to APT28 (Fancy Bear) targeting Ukraine and EU organizations.
  • Severity caveat: Although CVSS is 4.3 (Medium), real‑world risk is high due to zero‑click exploitation and credential exposure.

Affected systems

  • Windows clients/servers that have not applied the April 2026 update addressing CVE‑2026‑32202.

Detection clues

  • Unexpected outbound SMB (TCP 445/139) connections from Explorer activity
  • NTLM authentication attempts to unknown external hosts
  • Presence of unusual .lnk files in shared folders or email‑delivered archives
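As an added illustration (not code from the original post, Microsoft or Akamai), the following Python checks shortcut files for the pattern described above: it parses the public MS‑SHLLINK header and the string fields Explorer reads while rendering a folder, and flags any field that points at a \\host\share. The two sample shortcuts, the host name and the cp1252 fallback for non‑Unicode strings are constructed assumptions for this example.

```python
"""Flag .lnk (MS-SHLLINK) files whose string fields reference a UNC share,
the trigger for the zero-click SMB connection discussed above."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in file order, each with the LinkFlags bit that says it is present
STRING_FIELDS = [("NAME", 0x04), ("RELATIVE_PATH", 0x08), ("WORKING_DIR", 0x10),
                 ("ARGUMENTS", 0x20), ("ICON_LOCATION", 0x40)]


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shortcut as {field_name: value}."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                     # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1      # UTF-16LE or ANSI (cp1252 assumed here)
    out = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out


def unc_references(data: bytes) -> list:
    """Fields starting with \\\\host\\...: Explorer resolves these over SMB on folder view."""
    return [(k, v) for k, v in parse_lnk_strings(data).items() if v.startswith("\\\\")]


def build_lnk(icon_location: str) -> bytes:
    """Constructed minimal shortcut carrying only an ICON_LOCATION string (test input)."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x40 | IS_UNICODE)
    header += b"\x00" * (76 - len(header))      # attributes, timestamps, size, icon index, ...
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")


SUSPICIOUS = build_lnk(r"\\files.example.test\share\icon.ico")  # constructed sample
BENIGN = build_lnk(r"C:\Windows\System32\shell32.dll")          # constructed sample

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, unc_references(blob))
```

Run against a directory of .lnk files pulled from shares or mail attachments, a non-empty result for a shortcut is worth a closer look before the folder is opened in Explorer.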

Mitigation and remediation (do this now)

  1. Apply Microsoft’s April 2026 patches that fix CVE‑2026‑32202.
  2. Block outbound SMB (TCP 445/139) at the network edge where feasible to prevent credential leakage.
  3. Restrict NTLM (prefer Kerberos; enforce NTLM blocking/logging per best practice).
  4. Harden Explorer behaviors and monitor for LNK abuse in shared paths and inboxes.
  5. Prioritize patching for internet‑exposed endpoints, admins’ workstations, and systems handling sensitive data—per CISA KEV guidance.

Bottom line

CVE‑2026‑32202 is a rare, real‑world zero‑click Windows credential‑theft bug. Even though it carries a modest CVSS score, its silent exploitation and lateral‑movement potential make it urgent. Patch immediately and reduce NTLM/SMB exposure.
