
Microsoft on Monday revised its advisory for a now-patched high-severity security flaw affecting Windows Shell, acknowledging that the vulnerability is in fact being actively exploited.
The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow attackers to access sensitive information. This issue was addressed as part of this month’s Patch Tuesday update.
“Failures in the Windows Shell protection mechanisms could allow an unauthorized attacker to perform spoofing on your network,” Microsoft said in a warning. “The attacker sends a malicious file to the victim, and the victim must execute it.”
“An attacker who successfully exploits this vulnerability may view some sensitive information (sensitivity), but not all resources within the affected component will be exposed to the attacker. An attacker will not be able to modify the exposed information (integrity) or restrict access to the resources (availability).”
On April 27, 2026, Microsoft announced that the “Exploitability Index, Exploited Flags, and CVSS Vectors” were incorrect when published on April 14 and have been corrected.
The tech giant did not reveal details of the exploit activity, but Akamai security researcher Maor Dahan, who is credited with discovering and reporting the bug, said the zero-click vulnerability was due to an incomplete patch for CVE-2026-21510.
The latter was weaponized by a Russian nation-state group tracked as APT28 (also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm) along with CVE-2026-21513 as part of an exploit chain.
CVE-2026-21510 (CVSS score: 8.8) – Failure in the Windows Shell protection mechanism allows an unprivileged attacker to bypass security features via the network. (Fixed by Microsoft in February 2026)
CVE-2026-21513 (CVSS score: 8.8) – Failure in a protection mechanism in the MSHTML framework allows an unprivileged attacker to bypass security features via the network. (Fixed by Microsoft in February 2026)
It is also worth noting that exploitation of CVE-2026-21513 was reported early last month by a web infrastructure and security company, which had discovered a malicious artifact in January 2026 and attributed it to APT28.
CVE-2026-21510 Exploit
Targeting Ukraine and EU countries in December 2025, the campaign leverages malicious Windows Shortcuts (LNK) files to exploit two vulnerabilities that effectively bypass Microsoft Defender SmartScreen and enable the execution of attacker-controlled code.
“APT28 leverages the Windows shell’s namespace parsing mechanism to load dynamic link libraries (DLLs) from remote servers using UNC paths,” Dahan explained. “The DLL is loaded as part of the Control Panel (CPL) object without proper validation of the network zone.”
According to Akamai, the February 2026 patch mitigated the remote code execution risk by digitally signing CPL files and triggering a SmartScreen check on the zone of origin. However, it still allowed the victim machine to retrieve a CPL file automatically: the machine resolves a Universal Naming Convention (UNC) path, initiates an SMB connection, and authenticates to the attacker’s server, all without any user interaction.
“If that path is a UNC path (such as ‘\\attacker.com\share\payload.cpl’), Windows will initiate an SMB connection to the attacker’s server,” Dahan said. “This Server Message Block (SMB) connection triggers an automatic NTLM authentication handshake and sends the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks or offline cracking.”
“While Microsoft fixed the initial RCE (CVE-2026-21510), the authentication enforcement flaw (CVE-2026-32202) remained. The gap between path resolution and authenticity verification left a zero-click credential theft vector via automatically parsed LNK files.”
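A defender's triage heuristic for the LNK vector described above, added here as an example (it is not Akamai's or Microsoft's code): it validates the Shell Link header, extracts UNC paths from the file's embedded ASCII and UTF-16LE strings, and flags any path that points at a remote .cpl. The host names and the make_constructed_lnk fixture are constructed assumptions, not real samples.

```python
import re
import struct
from dataclasses import dataclass
# Shell Link header: 0x4C size field, then CLSID 00021401-0000-0000-C000-000000000046 (LE).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# \\host\share\...: capture the host, then the path up to an illegal filename char.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\x00\"<>|*?]+")

@dataclass
class UncFinding:
    path: str
    host: str
    is_cpl: bool  # remote Control Panel item: the zero-click vector described above

def is_lnk(data: bytes) -> bool:
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def _printable_runs(data: bytes):
    """Yield ASCII and UTF-16LE printable runs (LNK string data is usually UTF-16LE)."""
    for m in re.finditer(rb"[\x20-\x7e]{4,}", data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", data):
        yield m.group().decode("utf-16-le")

def find_unc_targets(data: bytes) -> list:
    """Return every distinct UNC path embedded anywhere in the file bytes."""
    found = {}
    for run in _printable_runs(data):
        for m in UNC_RE.finditer(run):
            path = m.group()
            found.setdefault(path.lower(), UncFinding(
                path, m.group(1).lower(), path.lower().endswith(".cpl")))
    return list(found.values())

def triage(data: bytes) -> str:
    """Verdict for one file: header check first, then UNC/CPL heuristics."""
    if not is_lnk(data):
        return "not-a-lnk"
    hits = find_unc_targets(data)
    if any(h.is_cpl for h in hits):
        return "suspicious: remote CPL via UNC"
    return "review: UNC path present" if hits else "clean"

def make_constructed_lnk(target: str) -> bytes:
    """Constructed fixture (assumption): valid header plus a UTF-16LE target string."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\x00")
    return header + target.encode("utf-16-le") + b"\x00\x00"
```

Run triage() over every .lnk dropped into mail or download directories; a "suspicious" verdict is a candidate for quarantine and for correlating against outbound SMB connections to the flagged host.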
