Incomplete Windows Patch Opens Door to Zero-Click Attacks

Akamai found that an incomplete patch for Windows SmartScreen and Windows Shell prompts created a new vulnerability chain enabling zero-click attacks and remote code execution via malicious LNK and HTML files. Russia-linked APT28 exploited the chain (CVE-2026-21513 and CVE-2026-21510), leading to an authentication coercion flaw tracked as CVE-2026-32202 that Microsoft fixed in April 2026 after disclosure.

Key Points

  • An incomplete February patch for SmartScreen and Shell prompts left an exploitable chain that enabled zero-click attacks.
  • APT28 weaponized LNK and HTML files to chain CVE-2026-21513 and CVE-2026-21510 to achieve remote code execution.
  • Windows Explorer fetching icons from UNC paths triggered SMB connections that caused automatic NTLM authentication and Net-NTLMv2 hash leakage.
  • Akamai discovered the incomplete patch, disclosed CVE-2026-32202, and Microsoft released fixes in April 2026 while acknowledging exploitation.
  • The campaign targeted Ukraine and EU organizations in December 2025, loading remote DLLs via CPL objects without proper network zone validation.
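
The SMB connections and NTLM authentication described in the key points leave a network trace defenders can hunt for: workstations opening SMB sessions to hosts outside the organisation. The following is an added example, not code from Akamai or the original article; it scans constructed records that use Sysmon Event ID 3 (network connection) field names, and the internal ranges, host names and addresses are assumptions.

```python
import ipaddress
import json

# Assumption: the organisation's internal ranges; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {139, 445}

# Constructed sample records (one JSON object per line) using Sysmon
# Event ID 3 field names; hosts and addresses are made up.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Computer": "WS-014", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.20.0.5", "DestinationPort": 445}
{"EventID": 3, "Computer": "WS-014", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 445}
{"EventID": 3, "Computer": "WS-014", "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Computer": "WS-022", "Image": "System", "DestinationIp": "198.51.100.7", "DestinationPort": "445"}
{"EventID": 3, "Computer": "WS-030", "Image": "System", "DestinationIp": "not-an-ip", "DestinationPort": 445}
{"EventID": 1, "Computer": "WS-030", "Image": "C:\\Windows\\System32\\cmd.exe"}
"""


def is_internal(ip_text):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on bad input
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(lines):
    """Return (computer, image, destination) for SMB connections leaving the network.

    The process name is reported but not filtered on, so the hit is kept
    whichever process the connection is attributed to.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            if ev.get("EventID") != 3 or int(ev["DestinationPort"]) not in SMB_PORTS:
                continue
            if not is_internal(ev["DestinationIp"]):
                hits.append((ev.get("Computer"), ev.get("Image"), ev["DestinationIp"]))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed records rather than abort the scan
    return hits


if __name__ == "__main__":
    for host, image, dst in find_external_smb(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: outbound SMB to {dst} by {image}")
```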

Read More: https://www.securityweek.com/incomplete-windows-patch-opens-door-to-zero-click-attacks/