VYPR
kev · Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

Microsoft's Incomplete Patch for Russian-Exploited Zero-Day Leads to New Windows Flaw Under Active Attack

Microsoft and CISA warn that CVE-2026-32202, a zero-click authentication coercion flaw in Windows Shell stemming from an incomplete fix for a bug exploited by Russia's APT28, is being actively exploited.

Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned that attackers are actively exploiting a zero-click Windows vulnerability, tracked as CVE-2026-32202, which can expose sensitive information on vulnerable systems. The flaw, disclosed on April 14 and marked as 'exploitation detected' on April 27, stems from an incomplete patch for an earlier zero-day, CVE-2026-21510, that was exploited by Russia's APT28 (Fancy Bear) group against Ukrainian and EU targets in January.

The new vulnerability is an authentication coercion flaw in Windows Shell that allows an attacker to leak Net-NTLMv2 hashes via network spoofing. According to Akamai senior security researcher Maor Dahan, who discovered and reported the bug, Microsoft's February patch for CVE-2026-21510 successfully prevented the initial remote code execution and SmartScreen bypass but left behind a zero-click credential theft vector. 'While testing the patch, we noticed something interesting: The victim machine was still authenticating to the attacker's server,' Dahan wrote.

CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog on April 28, giving federal agencies a May 12 deadline to apply the fix. The agency did not attribute the current exploitation to a specific threat actor, but because the flaw originates from a bug previously exploited by Russia's APT28, experts suspect state-sponsored groups may be involved. Microsoft has not disclosed the scope of attacks or the identity of the attackers.

The vulnerability chain began with CVE-2026-21510, a Windows Shell flaw that APT28 exploited in January via phishing emails containing weaponized LNK files. The attackers chained it with CVE-2026-21513 to bypass Microsoft Defender SmartScreen and execute remote code. Microsoft patched both in February, but the fix inadvertently left the authentication coercion vector open. 'This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files,' Dahan explained.

Organizations are urged to apply the April 14 security update immediately, as exploitation is already underway. The flaw requires no user interaction and can be triggered by simply viewing a malicious file in Windows Explorer. Akamai's research highlights the risks of incomplete patches, especially for vulnerabilities previously exploited by advanced persistent threat groups. Microsoft has not yet confirmed whether the current attacks are linked to APT28 or other actors.

This incident underscores the challenge of fully remediating complex vulnerabilities, particularly those involving authentication and network protocols. Security teams should prioritize patching CVE-2026-32202 and monitor for signs of Net-NTLMv2 hash leakage or unusual authentication attempts. The KEV inclusion mandates rapid action for federal agencies, but all Windows users are advised to treat this as a critical update.
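One concrete way to act on the "monitor for Net-NTLMv2 hash leakage" advice above is to hunt egress logs for internal hosts opening SMB sessions to external addresses, since a Net-NTLM leak requires the victim to authenticate to a server the attacker controls. The script below is an added example written for this page, not code from Akamai, Microsoft or the article; it assumes the coercion reaches the attacker's server over SMB (TCP 139/445, which the article does not state explicitly), and the log lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample egress/firewall log (not real telemetry). Fields per line:
# timestamp src_ip dst_ip dst_port proto action
SAMPLE_EGRESS_LOG = """\
2026-04-27T09:12:03Z 10.20.4.15 10.20.1.7 445 tcp allow
2026-04-27T09:12:41Z 10.20.4.15 198.51.100.23 445 tcp allow
2026-04-27T09:13:10Z 10.20.4.22 203.0.113.9 443 tcp allow
2026-04-27T09:14:55Z 10.20.4.15 198.51.100.23 445 tcp allow
2026-04-27T09:15:02Z 10.20.7.3 192.0.2.77 139 tcp deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

# Assumption: a coerced Windows client reaches the attacker's file server over SMB.
SMB_PORTS = {139, 445}

# Address space we treat as "inside"; anything else is an external destination.
# (Explicit list rather than ipaddress.is_global, so documentation ranges used in the
# constructed sample still count as external.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log record; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_internal(ip_str: str) -> bool:
    """True if the address falls inside one of the internal ranges above."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(lines: List[str]) -> List[Dict[str, object]]:
    """Return records where an internal host connects (or tries to) to an external
    SMB port. Denied attempts are kept: a blocked connection still shows that
    something on the host tried to authenticate outward."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            findings.append(rec)
    return findings


def summarize_by_pair(findings: List[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Count attempts per (source, destination) pair for triage."""
    return dict(Counter((str(f["src"]), str(f["dst"])) for f in findings))


if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_EGRESS_LOG.splitlines())
    for f in hits:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['port']} ({f['action']})")
    for (src, dst), n in summarize_by_pair(hits).items():
        print(f"{src} -> {dst}: {n} attempt(s)")
```

Hosts that appear here warrant a look for recently written LNK files and a check that the April 14 update is installed; at the network edge, blocking outbound TCP 445 to the internet, and on endpoints the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (audit first, then deny), cut off the channel the leak depends on.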

Synthesized by Vypr AI