CVE-2026-32202 is a Windows Shell spoofing vulnerability that allows an unauthenticated remote attacker to coerce NTLM authentication from any Windows user who opens a folder containing a malicious LNK file — no further interaction required. Microsoft patched the flaw on April 14, 2026, but incorrectly omitted the “Exploited” flag from the advisory; CISA and Microsoft corrected that omission on April 27 and added the CVE to the Known Exploited Vulnerabilities catalog. Active exploitation has been attributed to APT28 (also tracked as Fancy Bear and Forest Blizzard) in campaigns targeting Ukraine and European Union nations beginning in December 2025.
CVE-2026-32202: What We Know So Far
CVE-2026-32202 is a protection mechanism failure in Windows Shell rooted in an incomplete fix for a related flaw, CVE-2026-21510. The earlier patch mitigated remote code execution risk but left the underlying authentication coercion pathway open.
How the attack works:
When a user opens a folder in Windows Explorer — no double-click required, simply navigating to a directory — Explorer renders folder contents and fetches icons for any shortcuts (.lnk files) it finds. A crafted LNK file can embed a UNC path pointing to an attacker-controlled SMB server. Windows Shell resolves the path without validating the network zone, initiating an automatic SMB connection. That connection triggers an NTLM authentication handshake, and the victim’s Net-NTLMv2 hash is transmitted to the attacker’s server.
The captured hash can then be used in two distinct ways:
- NTLM relay attacks — relay the hash in real time to authenticate against other services in the environment (Active Directory, SharePoint, internal web apps) before the hash changes.
- Offline cracking — attempt to crack the Net-NTLMv2 hash to recover the plaintext password, which can then be used for credential stuffing or lateral movement.
Patch timeline:
| Date | Event |
|---|---|
| December 2025 | APT28 exploits CVE-2026-32202 in attacks on Ukraine and EU targets |
| February 2026 | Microsoft patches predecessor CVE-2026-21510, leaving coercion pathway open |
| April 14, 2026 | April Patch Tuesday ships fix for CVE-2026-32202 — advisory incorrectly omits “Exploited” flag, CVSS base score listed as 4.3 |
| April 27, 2026 | Microsoft corrects advisory: exploitability index updated, “Exploited” flag added, CVSS vector revised |
| April 29, 2026 | CISA adds CVE-2026-32202 to KEV; CISA and Microsoft issue joint exploitation warning |
Affected systems: Windows 10, Windows 11, and Windows Server (multiple versions). Microsoft’s advisory lists specific affected build numbers — check the Microsoft Security Update Guide for your exact versions.
The official CVSS base score is 4.3, but that rating significantly understates real-world risk. The zero-click exploitation vector, APT28 attribution, and NTLM relay potential make this a critical-priority patch regardless of the score. CISA’s KEV listing requires federal civilian agencies to remediate by the catalog deadline; all other organizations should treat this as an emergency patch.
Why CVE-2026-32202 Matters
APT28 attribution is the critical context. Forest Blizzard (the Microsoft name for APT28) is the Russian GRU unit responsible for the Fancy Bear campaigns, including the 2016 DNC breach and a string of NATO-aligned government intrusions. Their use of this flaw in December 2025 — nearly five months before public disclosure — indicates a sustained exploitation window during which unpatched organizations had no formal signal to act.
The “silent patch” problem amplifies exposure. Microsoft’s April 14 advisory listed CVE-2026-32202 without the exploitation flag. Security teams that triage patches by exploitability status may have deprioritized or delayed this one. Two weeks of additional exposure elapsed before the advisory was corrected on April 27.
NTLM credential relay is a force multiplier. In environments where SMB signing is not enforced, captured Net-NTLMv2 hashes can be relayed instantly to authenticate against domain controllers, file servers, and internal applications. A single compromised endpoint with a malicious LNK file on a shared drive can cascade into domain-wide access.
The LNK delivery vector is trivially deployable. Phishing emails, USB drops, malicious downloads, and poisoned network shares can all deliver the malicious LNK file. No macro execution, no browser exploit, no user prompt — only directory navigation.
CVE-2026-32202: What You Should Do Now
- Apply the April 14, 2026 Patch Tuesday update immediately. Run `winget upgrade --all` or deploy via WSUS/SCCM. Verify the specific KB article for your Windows version in the Microsoft Security Update Guide. Do not rely on CVSS score alone when triaging this patch.
- Block outbound SMB traffic (TCP 445) at the network perimeter. This prevents coerced NTLM hashes from reaching external attacker-controlled servers. Internal SMB signing policies address the internal relay path — block external egress first.
- Enable SMB signing across your environment. Configure via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Microsoft network client: Digitally sign communications (always) = Enabled. SMB signing prevents NTLM relay even if a hash is captured.
- Audit outbound SMB connections in firewall and endpoint logs. Look for connections on TCP 445 to external or unexpected internal IPs. Unexpected SMB connections from end-user workstations to non-server hosts are a strong indicator of NTLM coercion in progress.
- Consider restricting outgoing NTLM in high-risk environments. Group Policy path: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Set to “Deny all” where Kerberos is available as a fallback.
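As an added example (not from the original post, and not Microsoft's own tooling), the following PowerShell applies the single-host equivalents of the egress block, SMB signing and outgoing-NTLM restriction listed above, then reports the resulting state. It assumes an elevated session; the firewall rule name and the public address ranges are constructed here, and the Group Policy paths in the text remain the fleet-wide way to enforce the same settings.

```powershell
# Added example: host-level hardening for NTLM coercion via SMB.
# Run elevated. Group Policy is the fleet-wide equivalent of these settings.

# 1. Block outbound TCP 445 to every public unicast address. Windows Firewall
#    has no "except" operator, so the complement of RFC1918 (and loopback)
#    is spelled out as explicit ranges. Constructed rule name.
$RuleName = 'Block outbound SMB to Internet'
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress $PublicRanges -Action Block | Out-Null
}

# 2. Require SMB signing on both the client and the server side, which is
#    what defeats relay of a captured Net-NTLMv2 hash on the internal path.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Restrict outgoing NTLM to remote servers. This is the registry value the
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    policy writes: 0 = Allow all, 1 = Audit all, 2 = Deny all.
#    Start with 1 and review the Microsoft-Windows-NTLM/Operational log for
#    legitimate NTLM dependencies before moving to 2 ("Deny all").
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $Lsa -Name 'RestrictSendingNTLMTraffic' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Report the effective state so the change can be verified and logged.
[pscustomobject]@{
    SmbClientSigning = (Get-SmbClientConfiguration).RequireSecuritySignature
    SmbServerSigning = (Get-SmbServerConfiguration).RequireSecuritySignature
    OutboundNtlm     = (Get-ItemProperty -Path $Lsa).RestrictSendingNTLMTraffic
    Smb445Blocked    = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
}
```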
Detection and Verification Checklist
- Verify patch status: Run `wmic qfe list | findstr KB` or check Windows Update history for the April 2026 Cumulative Update for your OS version.
- Check firewall rules: Confirm TCP 445 egress to non-RFC1918 addresses is blocked at the perimeter firewall. Test with `Test-NetConnection -ComputerName <external-IP> -Port 445` from an internal host.
- Review Windows event logs: Event ID 4624 (logon) and 4648 (explicit credential use) with NTLM authentication (logon type 3) from unexpected source IPs warrant investigation.
- Scan for .lnk files with UNC targets: PowerShell: `Get-ChildItem -Path \\share\path -Recurse -Filter *.lnk | ForEach-Object { (New-Object -COM WScript.Shell).CreateShortcut($_.FullName).TargetPath }` — flag any results pointing to UNC paths outside your environment.
- Validate with Microsoft’s advisory: Cross-reference your installed KB against the official CVE-2026-32202 entry before closing the finding.
- Deadline verification: Check CISA KEV for the current remediation deadline.
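The one-liner above only prints TargetPath. As an added example (not from the original post), this PowerShell extends that scan to the icon path as well, since Explorer fetches the icon while merely rendering the folder, and classifies each UNC host as public, unresolvable, or internal but not on an allowlist. It assumes the scanning account can read the share; the function names and the `$TrustedHosts` entries are hypothetical and should be replaced with your own file servers.

```powershell
# Added example: find shortcuts whose target, icon or working directory
# points at a UNC host outside the environment. Hypothetical function names.

function Test-UntrustedHost {
    param([string] $HostName, [string[]] $TrustedHosts)
    if ($TrustedHosts -contains $HostName) { return $null }   # explicitly trusted
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($HostName, [ref] $ip)) {
        try {
            $ip = [System.Net.Dns]::GetHostAddresses($HostName) |
                  Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1
        } catch { return 'unresolvable host' }
        if (-not $ip) { return 'no IPv4 address' }
    }
    $b = $ip.GetAddressBytes()
    $private = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    if (-not $private) { return 'public IP' }
    return 'internal host not on allowlist'   # still worth a look: internal relay path
}

function Find-SuspiciousLnk {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedHosts = @('FILESRV01', 'filesrv01.corp.example')  # hypothetical
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Recurse -Filter *.lnk -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # IconLocation is "path,index"; keep only the path part.
        $fields = @{
            TargetPath       = $lnk.TargetPath
            IconLocation     = ($lnk.IconLocation -split ',')[0]
            WorkingDirectory = $lnk.WorkingDirectory
        }
        foreach ($name in $fields.Keys) {
            $value = $fields[$name]
            if ($value -match '^\\\\([^\\]+)\\') {          # \\host\share...
                $reason = Test-UntrustedHost -HostName $Matches[1] -TrustedHosts $TrustedHosts
                if ($reason) {
                    [pscustomobject]@{ File = $_.FullName; Field = $name
                                       Host = $Matches[1]; Reason = $reason; Value = $value }
                }
            }
        }
    }
}

# Usage: Find-SuspiciousLnk -Path '\\FILESRV01\shared' | Format-Table -AutoSize
```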
Sources: The Hacker News, Help Net Security, SecurityWeek