CVE-2026-32202: Windows Shell vulnerability — zero-click NTLM hash theft through LNK files

Depov


Chronology: from CVE-2026-21510 to the zero-click vector CVE-2026-32202


To take CVE-2026-32202 apart you have to unwind the chain from January 2026, when APT28 began using a pair of vulnerabilities in its campaign against Ukraine and EU countries.






January 2026. According to CERT-UA (via an Akamai report), APT28 (Fancy Bear / Forest Blizzard) launches a targeted campaign. The attack is built on a pair of CVEs:

• CVE-2026-21513 (MSHTML Framework, CVSS 8.8, CWE-693): security feature bypass in the MSHTML Framework. An unauthorized attacker achieves the bypass over the network. It is used to get past Mark of the Web and SmartScreen when malicious content is processed.

• CVE-2026-21510 (Windows Shell, CVSS 8.8, CWE-693): security feature bypass in Windows Shell. The CVSS vector is AV:N with C:H/I:H/A:H, a complete loss of confidentiality, integrity and availability.

The phishing email is disguised as a newsletter from the Ukrainian Hydrometeorological Center. Inside is a weaponized LNK file: CVE-2026-21513 strips the MotW checks, CVE-2026-21510 bypasses SmartScreen. The result is reliable code execution with Windows protections out of the way.






February 10, 2026 (Patch Tuesday). Microsoft releases patches for both CVEs. CVE-2026-21510 is one of the six actively exploited zero-days closed in this update. The patch added a SmartScreen check for CPL files loaded over a UNC path from an LNK and blocked the RCE vector.






February to March 2026. Dahan and colleagues at Akamai test the February fix. The key observation, quoting Dahan (via The Register): "Even with the patch we see the same thing: the victim still authenticates to the attacker's server." The patch eliminated the code execution and the SmartScreen bypass but did not touch the authentication mechanism. Exactly these techniques, where regular Windows components are turned against the system itself, are covered in the guide to living-off-the-land attacks on Windows. Windows Shell continued to resolve the UNC path from the .lnk and initiate an SMB handshake to the attacker's server.






April 14, 2026 (Patch Tuesday). Microsoft publishes CVE-2026-32202 with CVSS 4.3 (MEDIUM). NVD: "Protection mechanism failure in Windows Shell allows spoofing over a network." CWE-693 (Protection Mechanism Failure). In the first publication the exploitability index and the CVSS vector were incorrect.






April 27, 2026. Microsoft updates the bulletin: it corrects the exploitability index and the CVSS vector and adds the "Exploitation Detected" flag.






April 29, 2026. CISA adds CVE-2026-32202 to the KEV catalog with a May 12 deadline for federal agencies.






The incomplete February patch turned a high-severity RCE (CVSS 8.8) into medium-severity spoofing (CVSS 4.3), but the zero-click credential theft vector remained. Safer, but not safe.


Zero-Click Attack Mechanics: How Windows Shell Processes LNK Files


The window between path resolution and trust verification


The essence of the LNK file vulnerability is the order of operations inside Windows Shell.






When Windows Shell encounters a shortcut (.lnk) it performs namespace parsing: it analyzes the target path the shortcut points to. If the path contains a UNC reference (of the form \\attacker.com\share\payload.cpl), Shell tries to resolve it. And resolving a UNC path means establishing an SMB connection to a remote server.






The critical detail: this happens early in the processing chain, before the trust verification that SmartScreen performs. According to Akamai, when ShellExecuteExW (the API function through which Windows Shell processes objects) is called, the UNC path is resolved and the SMB connection is initiated before SmartScreen or the MotW checks get a chance to intervene. Dahan describes it as a "gap between path resolution and trust verification."






In practice the sequence is as follows:


1. The attacker creates a .lnk file whose target path points to a UNC resource under their control

2. The file is delivered to the victim (phishing, network share, USB)

3. The victim opens the folder containing the .lnk in Windows Explorer

4. Explorer automatically parses the .lnk to display its icon and metadata

5. During parsing, Shell resolves the UNC path, initiates an SMB connection and sends the NTLM handshake

6. SmartScreen does not interfere: authentication already happened at the path resolution stage


Step 3 is the key one. The victim does not need to click the .lnk, let alone run it. Opening the folder is enough: Windows Explorer processes .lnk files automatically while rendering the directory contents. Hence "zero-click" in the description of the attack.
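To see which shortcut fields Explorer has to resolve when it renders a folder, here is an added hunting example (not code from the original post, from Akamai or from the campaign): it parses the Shell Link format (the 76-byte header, the LinkInfo block with the network share name, and the string fields including the icon location) and reports every \\host\share reference whose host is not on an allowlist. The allowlisted host and the sample shortcut assembled by constructed_sample_lnk() are made-up values for testing, not artifacts from any incident.

```python
"""Hunt for .lnk files with a UNC path in a field Explorer resolves while
rendering a folder.  Parses the MS-SHLLINK header, skips the LinkTargetIDList,
reads LinkInfo (local base path / network share) and the StringData fields.
The shortcut built by constructed_sample_lnk() is a test fixture, not a real sample."""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

def _cstr(buf, off):
    """NULL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def _parse_link_info(data, pos):
    """LinkInfo header: Size, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset,
    CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset (offsets relative to LinkInfo)."""
    size, _hdr, flags, _vol_off, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
    info = data[pos:pos + size]
    fields = {}
    if flags & 0x1:  # VolumeIDAndLocalBasePath
        fields["local_base_path"] = _cstr(info, local_off)
    if flags & 0x2:  # CommonNetworkRelativeLinkAndPathSuffix
        cnrl = info[cnrl_off:]
        _size, _flags, net_off, _dev_off, _provider = struct.unpack_from("<5I", cnrl, 0)
        fields["net_name"] = _cstr(cnrl, net_off)  # e.g. \\server\share
        fields["common_path_suffix"] = _cstr(info, suffix_off)
    return fields, pos + size

def _parse_string_data(data, pos, flags):
    """StringData: CountCharacters (uint16) then the characters, no terminator."""
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields, pos

def parse_lnk(data):
    """Return the path-bearing fields of a Shell Link as a dict."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    pos, fields = HEADER_SIZE, {}
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) + IDList, not needed here
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        link_info, pos = _parse_link_info(data, pos)
        fields.update(link_info)
    fields.update(_parse_string_data(data, pos, flags)[0])
    return fields

def unc_references(fields, allowed_hosts=frozenset()):
    """(field, host) for every \\host\... reference whose host is not allowlisted."""
    hits = []
    for name, value in fields.items():
        m = UNC_RE.match(value)
        if m and m.group(1).lower() not in allowed_hosts:
            hits.append((name, m.group(1)))
    return hits

def constructed_sample_lnk(net_name, suffix, icon):
    """Minimal shortcut with a network LinkInfo and a Unicode icon location (test fixture)."""
    net_b = net_name.encode("latin-1") + b"\x00"
    # CommonNetworkRelativeLink: Size, Flags(ValidNetType), NetNameOffset, DeviceNameOffset, ProviderType
    cnrl = struct.pack("<5I", 0x14 + len(net_b), 0x2, 0x14, 0, 0x20000) + net_b
    suffix_b = suffix.encode("latin-1") + b"\x00"
    cnrl_off, suffix_off = 0x1C, 0x1C + len(cnrl)
    link_info = struct.pack("<7I", suffix_off + len(suffix_b), 0x1C, 0x2, 0, 0, cnrl_off, suffix_off)
    link_info += cnrl + suffix_b
    string_data = struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE)
    return header + b"\x00" * (HEADER_SIZE - len(header)) + link_info + string_data

if __name__ == "__main__":
    fixture = constructed_sample_lnk(r"\\fileshare\public", r"Reports\Q1.docx", r"\\198.51.100.7\share\doc.ico")
    print(unc_references(parse_lnk(fixture), allowed_hosts={"fileshare"}))
```

Pointed at a mail attachment folder or a share, the same parse_lnk/unc_references pair flags shortcuts whose icon or target lives on a host nobody in the allowlist owns, which is the artifact the zero-click path starts from.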






The difference from its predecessor CVE-2026-21510: that one gave a full SmartScreen bypass followed by RCE. CVE-2026-32202 does not allow code execution; it only forces the system to authenticate. But coerced authentication in a domain environment running NTLM is credential harvesting, followed by relay or offline cracking.


Why CVSS 4.3 does not reflect the real danger


The CVSS vector of CVE-2026-32202 according to NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N.




UI:R. Microsoft's bulletin puts it as: "The attacker needs to send the victim a malicious file that the victim will have to run." In practice (as both the APT28 attacks and the Akamai study showed) Windows processes the .lnk automatically when the folder is browsed. "Run" here means opening the folder in Explorer, not double-clicking the file. UI:R on paper; in fact a zero-click Windows vulnerability.






C:L (Low Confidentiality) also understates the picture. "Only" a Net-NTLMv2 hash leaks, but with it you can:


• Perform NTLM relay to other services in the domain (lateral movement with the NTLM hash)

• Start offline password cracking (hashcat -m 5600 or John the Ripper)

• Authenticate as the victim to systems that accept NTLM


In domain infrastructure where NTLM is not disabled (which is most of them), one user's hash can open access to mail, file servers and internal web applications. The 4.3 rating ignores this cascading effect, which, to put it mildly, is irritating.


NTLM coercion via Windows Shell: from UNC path to lateral movement


What happens at the network level


When Windows Shell resolves the UNC path from the .lnk, the OS initiates an SMB connection to the specified host. For an external IP Kerberos is unavailable, so SMB falls back to NTLM. Then comes the standard challenge-response:


1. The client (victim) sends NEGOTIATE_MESSAGE to the attacker's SMB server

2. The server answers with CHALLENGE_MESSAGE containing an 8-byte nonce

3. The client computes the response from the password hash and sends AUTHENTICATE_MESSAGE, which contains the Net-NTLMv2 hash


All the attacker has to do is stand up an SMB listener (Responder from SpiderLabs/Responder or ntlmrelayx.py from fortra/impacket) to intercept the third message. The whole process takes milliseconds. The user sees neither windows nor warnings.
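An added example for the exchange above (not part of the original post, and not Responder or impacket code): a decoder for the three NTLMSSP messages following the MS-NLMP layouts, the kind of thing you run over a capture of the suspicious SMB session to learn which account was coerced and whether it answered with NTLMv2 rather than NTLMv1. The three messages are constructed inside the script; the challenge and response bytes are filler, not real cryptographic values, and the domain, user and host names are made up.

```python
"""Decode the three NTLMSSP messages of the challenge-response exchange.
Layouts follow MS-NLMP: NEGOTIATE (type 1), CHALLENGE (type 2), AUTHENTICATE (type 3).
constructed_exchange() builds made-up messages; challenge/response bytes are filler."""
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200

def _field(buf, off):
    """Security buffer header Len(2) MaxLen(2) Offset(4) -> the referenced bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]

def _text(raw, flags):
    return raw.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw.decode("latin-1")

def decode_ntlmssp(msg):
    """Return the fields a defender cares about from one NTLMSSP message."""
    if not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 1:
        (flags,) = struct.unpack_from("<I", msg, 12)
        return {"type": "NEGOTIATE", "flags": flags}
    if mtype == 2:
        (flags,) = struct.unpack_from("<I", msg, 20)
        return {"type": "CHALLENGE", "flags": flags,
                "target_name": _text(_field(msg, 12), flags),
                "server_challenge": msg[24:32].hex()}  # the 8-byte nonce
    if mtype == 3:
        (flags,) = struct.unpack_from("<I", msg, 60)
        nt_response = _field(msg, 20)
        return {"type": "AUTHENTICATE", "flags": flags,
                "domain": _text(_field(msg, 28), flags),
                "user": _text(_field(msg, 36), flags),
                "workstation": _text(_field(msg, 44), flags),
                # An NTLMv1 NtChallengeResponse is exactly 24 bytes; NTLMv2 carries a longer blob
                "ntlm_version": 2 if len(nt_response) > 24 else 1}
    raise ValueError(f"unknown NTLMSSP message type {mtype}")

def summarize_exchange(messages):
    """Which account authenticated, with which NTLM version, to which challenge."""
    decoded = [decode_ntlmssp(m) for m in messages]
    types = [d["type"] for d in decoded]
    if types != ["NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]:
        raise ValueError(f"unexpected message order {types}")
    auth = decoded[2]
    return {"account": f"{auth['domain']}\\{auth['user']}",
            "workstation": auth["workstation"],
            "ntlm_version": auth["ntlm_version"],
            "server_challenge": decoded[1]["server_challenge"]}

def _buf(data, offset):
    return struct.pack("<HHI", len(data), len(data), offset)

def constructed_exchange():
    """Three made-up messages in the shape a coerced client and a rogue server exchange."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    # Type 1: sig(8) type(4) flags(4) DomainName(8) Workstation(8); both buffers empty
    negotiate = SIGNATURE + struct.pack("<II", 1, flags) + _buf(b"", 32) + _buf(b"", 32)
    # Type 2: sig(8) type(4) TargetName(8) flags(4) challenge(8) reserved(8) TargetInfo(8); payload at 48
    target = "FILESERVER".encode("utf-16-le")
    challenge = (SIGNATURE + struct.pack("<I", 2) + _buf(target, 48) + struct.pack("<I", flags)
                 + bytes.fromhex("0011223344556677") + b"\x00" * 8
                 + _buf(b"", 48 + len(target)) + target)
    # Type 3: six security buffers, flags, Version(8), MIC(16); payload at 88
    items = [b"\x00" * 24,                                        # LmChallengeResponse
             b"\x11" * 16 + b"\x01\x01\x00\x00" + b"\x00" * 28,   # 48-byte filler where an NTLMv2 blob sits
             "CORP".encode("utf-16-le"), "j.doe".encode("utf-16-le"),
             "WS01".encode("utf-16-le"), b""]                     # EncryptedRandomSessionKey empty
    headers, payload, off = b"", b"", 88
    for item in items:
        headers += _buf(item, off)
        payload += item
        off += len(item)
    authenticate = (SIGNATURE + struct.pack("<I", 3) + headers + struct.pack("<I", flags)
                    + b"\x00" * 24 + payload)
    return [negotiate, challenge, authenticate]

if __name__ == "__main__":
    print(summarize_exchange(constructed_exchange()))
```

The same decoder applied to the NTLMSSP blobs Wireshark extracts from a real SMB session tells the incident responder which account and workstation to reset and whether an NTLMv1 downgrade was in play.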


NTLM relay and offline cracking: what to do with a stolen hash


NTLM relay (internal pentest, lateral movement). The intercepted Net-NTLMv2 hash is forwarded in real time to a target service: Exchange, LDAP, an SMB share, a web application with NTLM authentication. ntlmrelayx.py automates the relay. The attacker authenticates as the victim without ever learning the password.






Restrictions: relay only works when the target service lacks Extended Protection for Authentication (EPA) or SMB signing. In legacy infrastructures (Windows Server 2012/2016 without hardening) that is commonplace. In modern environments with enforced SMB signing, relay is blocked. In practice, I meet the first case more often than the second.






Offline cracking (any context). The Net-NTLMv2 hash is subjected to a brute-force or dictionary attack. Speed depends on password complexity and the GPU: a weak password (8 characters, no special symbols) is recovered on an average GPU in hours. A complex password of 12+ characters may be out of reach for cracking.





The APT28 chain: Windows Shell spoofing in real campaigns


APT28 used this class of vulnerabilities in a confirmed campaign. According to Akamai and CERT-UA, the kill chain looked like this:


1. Initial access: a phishing email themed around the Ukrainian Hydrometeorological Center (social engineering on the current agenda, classic APT28)

2. Delivery: a weaponized LNK file in the attachment that exploits CVE-2026-21513 (MSHTML, CVSS 8.8) to bypass MotW checks

3. Exploitation: chained with CVE-2026-21510 (Windows Shell, CVSS 8.8) to bypass Defender SmartScreen and execute code

4. Post-exploitation: persistence and data collection on the compromised systems


After the February patch the RCE vector was closed, but CVE-2026-32202 kept the NTLM credential harvesting in the same zero-click scenario. Microsoft confirmed active exploitation on April 27 without naming specific attackers for the new CVE. The Register reasonably infers a connection with APT28: the vulnerability grew out of the same code base.






From the MITRE ATT&CK point of view, the chain covers:


• Impair Defenses (T1562, Defense Evasion): bypassing SmartScreen and Shell security mechanisms

• Exploitation for Client Execution (T1203, Execution): exploiting client software through .lnk processing


For the credential-stealing component of CVE-2026-32202 the most relevant tactic is Credential Access: forced authentication through the automatic SMB handshake when the LNK is processed.


What shows up in EDR and SIEM when the LNK vulnerability is exploited


For pentesters verifying detection coverage on the customer side, and for the blue team: the key indicators of CVE-2026-32202 exploitation.






Outbound SMB to atypical hosts. explorer.exe initiates TCP 445 to an external IP or to an unfamiliar host inside the network. In normal operation Explorer does not establish SMB connections to external addresses. Sysmon Event ID 3 (Network Connection) from explorer.exe with destination port 445 to a non-local address is one of the reliable indicators.






No child processes. Unlike CVE-2026-21510, where a payload was launched after the SmartScreen bypass, CVE-2026-32202 spawns no child processes. The process tree looks clean: only network activity from explorer.exe. This is a headache for EDR tuned to process creation events.






Windows event logs. Event ID 4648 (Logon using explicit credentials) and 4624 logon type 3 (Network logon) can record the authentication, but only if logon events are audited. In legacy infrastructures this auditing is often limited.






What to do about it:


• SIEM rule: explorer.exe with outbound TCP 445 to an address outside the subnet list, high priority

• Block outbound SMB (TCP 445, TCP 139) on the perimeter firewall: closes the external NTLM coercion vector

• Disable NTLM via GPO and move to Kerberos-only authentication: closes the whole class of Windows NTLM relay attacks, not only CVE-2026-32202

• Enable SMB Signing and EPA on all servers: blocks relay even when a hash leaks
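As an added example covering the Sysmon indicator and the SIEM rule above (not from the original post): the detection logic as a script over Sysmon Event ID 3 records. It assumes the events are exported as JSON Lines with the Sysmon field names at the top level (Image, DestinationIp, DestinationPort, Initiated); the internal subnet list, the known file-server list and the sample events are constructed values, not data from an incident.

```python
"""Flag explorer.exe making SMB connections to hosts it should not talk to.
Input: Sysmon Event ID 3 (Network Connection) records as JSON Lines with the
Sysmon field names at the top level (assumed export shape).  An SMB connection
from explorer.exe to an address outside the internal subnets is high priority;
an internal destination that is not a known file server is kept as a low-priority
hunting lead.  INTERNAL_NETS, KNOWN_FILE_SERVERS and SAMPLE_EVENTS are constructed."""
import ipaddress
import json

SMB_PORTS = {445, 139}
WATCHED_IMAGES = {"explorer.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
KNOWN_FILE_SERVERS = {"10.1.2.20"}  # assumed site value

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "User": "CORP\\j.doe", "Protocol": "tcp",
     "Initiated": True, "SourceIp": "10.1.5.41", "DestinationIp": "198.51.100.7", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "User": "CORP\\j.doe", "Protocol": "tcp",
     "Initiated": True, "SourceIp": "10.1.5.41", "DestinationIp": "10.1.2.20", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "User": "CORP\\j.doe", "Protocol": "tcp",
     "Initiated": True, "SourceIp": "10.1.5.41", "DestinationIp": "10.9.9.9", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe", "User": "CORP\\j.doe", "Protocol": "tcp",
     "Initiated": True, "SourceIp": "10.1.5.41", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "User": "CORP\\j.doe"},
])

def is_internal(ip_text):
    """True for loopback, link-local and any address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL_NETS)

def classify(event):
    """Return (severity, reason) for one Sysmon event dict, or None if it is not interesting."""
    if event.get("EventID") != 3 or str(event.get("Initiated", True)).lower() == "false":
        return None
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in WATCHED_IMAGES:
        return None
    try:
        port = int(event.get("DestinationPort", 0))
    except ValueError:
        return None
    if port not in SMB_PORTS:
        return None
    dst = event.get("DestinationIp", "")
    if not is_internal(dst):
        return ("high", f"{image} -> {dst}:{port} outside the internal subnet list")
    if dst not in KNOWN_FILE_SERVERS:
        return ("low", f"{image} -> {dst}:{port} internal host not in the file-server list")
    return None

def scan(jsonl_text):
    """Run classify() over JSON Lines and return the alerts with user and source host."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            alerts.append({"severity": verdict[0], "reason": verdict[1],
                           "user": event.get("User"), "source": event.get("SourceIp")})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["reason"])
```

The rule keys on the network event rather than on process creation precisely because this CVE leaves no child process: the high-priority branch is the SIEM rule from the list above, and the low-priority branch is the "unfamiliar internal host" case that a hunt, not an alert, should pick up.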


Limitations of the technique and the context of applicability









Modern EDRs (CrowdStrike Falcon, Microsoft Defender for Endpoint, Elastic Security) can detect abnormal network connections from explorer.exe. But the actual result depends on configuration: if the EDR monitors only process creation and not network connections, the NTLM coercion passes undetected. Defender for Endpoint detects this CVE after the signature update, but in the zero-day window (before the signature is published) you have to rely on behavior-based rules for explorer.exe with outbound SMB.






Incomplete patches are not a one-off bug but a systemic problem with Microsoft's approach to fixing Windows Shell vulnerabilities. The developer of the February fix focused on blocking the RCE, the most obvious outcome of exploitation. The authentication side effect did not fall within the patch's threat model. Dahan discovered CVE-2026-32202 literally while testing the fix; this is not deep research but the standard "is it really closed?" check, which, judging by the result, was not done inside Microsoft. Offensive? Yes. Surprising? No.
 