Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild.
The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this month.
“Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network,” Microsoft noted in an alert. “An attacker would have to send the victim a malicious file that the victim would have to execute.”
“An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).”
On April 27, 2026, Microsoft said it rectified the “Exploitability Index, Exploited flag, and CVSS vector” as they were incorrect when they were published on April 14.
While the tech giant did not share any details about the exploitation activity, Akamai security researcher Maor Dahan, who is credited with discovering and reporting the bug, said the zero-click vulnerability stems from an incomplete patch for CVE-2026-21510.
The latter has been weaponized by a Russian nation-state group tracked as APT28 (aka Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm) along with CVE-2026-21513 as part of an exploit chain –
- CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026)
- CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026)
It’s worth noting that the abuse of CVE-2026-21513 was also flagged by the web infrastructure and security company early last month, linking it to APT28 after unearthing a malicious artifact in January 2026.
 |
| CVE-2026-21510 Exploitation |
The campaign, targeting Ukraine and E.U. nations in December 2025, leverages a malicious Windows Shortcut (LNK) file to exploit the two vulnerabilities, effectively bypassing Microsoft Defender SmartScreen and enabling attacker-controlled code to be executed.
“APT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path,” Dahan explained. “The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation.
Akamai said the February 2026 patch, while mitigating the remote code execution risk by triggering a SmartScreen check of the CPL file’s digital signature and origin zone, still allowed the victim machine to authenticate to the attacker’s server and automatically fetch the CPL file by resolving the Universal Naming Convention (UNC) path and initiating an SMB connection without requiring user interaction.
“When that path is a UNC path (like ‘\\attacker.com\share\payload.cpl’), Windows initiates an SMB connection to the attacker’s server,” Dahan said. “This server message block (SMB) connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking.”
“While Microsoft fixed the initial RCE (CVE-2026-21510), an authentication coercion flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files.”
