CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202)

Attackers are exploiting CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability that makes a victim's system authenticate to an attacker-controlled server and expose its Net-NTLMv2 hash. The flaw arose from an incomplete patch for earlier LNK-based exploits used by APT28; Microsoft and CISA confirmed active exploitation only after the initial patch had shipped without an exploitation warning.

Keypoints

  • CVE-2026-32202 lets Windows Explorer initiate SMB connections that trigger automatic NTLM authentication when rendering malicious LNK icons.
  • The vulnerability resulted from an incomplete fix for CVE-2026-21510 and is related to CVE-2026-21513 exploited by APT28.
  • Victim Net-NTLMv2 hashes can be captured for NTLM relay attacks or offline cracking without any user interaction.
  • Microsoft released a patch on April 14, 2026, but did not initially mark the issue as actively exploited; CISA and Microsoft confirmed exploitation later.
  • Organizations should apply the April 14 patch and, where feasible, block outbound SMB at the network perimeter to reduce exposure.
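The first and last key points together suggest a simple detection for endpoints that cannot yet be patched or egress-filtered: Explorer opening an SMB port to an address outside the internal network. The script below is an added example, not code from the article, Microsoft or CISA; it runs over constructed log lines in a key=value rendering of Sysmon Event ID 3, and the "internal" address ranges (RFC 1918 plus loopback) are an assumption that a real deployment would replace with its own.

```python
import ipaddress
import re

# Assumed internal address space for this example: RFC 1918 plus loopback.
# A real deployment would substitute the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {445, 139}
# key=value pairs; values may contain spaces (paths), so match up to the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample lines in a key=value rendering of Sysmon Event ID 3
# (network connection). Field names follow Sysmon; the events are made up.
SAMPLE_LOG = """\
EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=10.0.0.5 DestinationPort=445 Protocol=tcp
EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=203.0.113.7 DestinationPort=445 Protocol=tcp
EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=198.51.100.9 DestinationPort=443 Protocol=tcp
EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=198.51.100.22 DestinationPort=139 Protocol=tcp
EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe
"""

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_internal(ip_text: str) -> bool:
    """True for addresses inside the assumed-internal ranges (or unparsable ones)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # never alert on garbage; report parse failures separately
    return any(ip in net for net in INTERNAL_NETS)

def is_explorer_smb_egress(fields: dict) -> bool:
    """Explorer opening an SMB port to an address outside the internal ranges."""
    if fields.get("EventID") != "3":
        return False
    if not fields.get("Image", "").lower().endswith("\\explorer.exe"):
        return False
    if not fields.get("DestinationPort", "").isdigit():
        return False
    return (int(fields["DestinationPort"]) in SMB_PORTS
            and not is_internal(fields.get("DestinationIp", "")))

def find_explorer_smb_egress(log_text: str) -> list:
    """Return (destination ip, port) for every line that matches the rule."""
    return [(f["DestinationIp"], int(f["DestinationPort"]))
            for f in map(parse_line, log_text.splitlines())
            if is_explorer_smb_egress(f)]
```

Running `find_explorer_smb_egress(SAMPLE_LOG)` flags only the two Explorer connections to non-internal hosts on 445 and 139; the browser's HTTPS connection and the in-network SMB connection are ignored.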

Read More: https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/