Microsoft Confirms Active Exploitation of Windows Shell Vulnerability CVE-2026-32202
Microsoft has updated its security advisory to confirm that a recently patched Windows Shell vulnerability CVE-2026-32202 has been actively exploited in the wild. The flaw, which carries a CVSS score of 4.3, was originally addressed as part of Microsoft's April 2026 Patch Tuesday update, but the company quietly revised its advisory on April 27 after acknowledging that the original exploitability assessment had been published with incorrect information.

What Does the Vulnerability Do?

CVE-2026-32202 is a spoofing vulnerability rooted in a protection mechanism failure within Windows Shell. An attacker exploiting it over a network can access sensitive information on a victim's machine. To trigger the flaw, the attacker must send the victim a malicious file that the victim then opens. The impact is limited to data exposure: the attacker cannot modify data or affect system availability. In the context of how the flaw is being chained with other vulnerabilities, however, the consequences are significant.

The APT28 Connection

According to Akamai security researcher Maor Dahan, who discovered and reported the bug, CVE-2026-32202 stems from an incomplete patch for an earlier flaw, CVE-2026-21510. That vulnerability had already been weaponized by the Russian state-sponsored hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Pawn Storm) in a campaign targeting Ukraine and European Union nations in late 2025.

In that campaign, APT28 combined CVE-2026-21510 with a second flaw, CVE-2026-21513, a protection mechanism failure in the MSHTML Framework, using a malicious Windows Shortcut (LNK) file to deliver the exploit chain. The combination effectively bypassed Microsoft Defender SmartScreen and allowed attacker-controlled code to execute on victim machines. Both vulnerabilities were patched by Microsoft in February 2026.

Why the February Patch Was Not Enough

While the February 2026 patch addressed the remote code execution component of the original attack, it left a critical gap. When a victim opens a specially crafted LNK file containing a UNC path pointing to an attacker-controlled server, Windows automatically initiates an SMB connection to that server to resolve the path without requiring any additional user interaction. This SMB handshake triggers automatic NTLM authentication, silently sending the victim's Net-NTLMv2 credential hash to the attacker.

Those hashes can then be used in NTLM relay attacks or cracked offline to recover plaintext passwords. This zero-click credential theft vector, the gap left between path resolution and trust verification, is precisely what CVE-2026-32202 represents, and it remained unaddressed even after the original exploit chain was patched.

What to Do

Organizations running Windows should ensure they have applied the full April 2026 Patch Tuesday update, which includes the fix for CVE-2026-32202. Security teams should also monitor for unusual outbound SMB traffic, enforce SMB signing across the network, and consider blocking outbound connections on ports 445 and 139 where possible to reduce exposure to NTLM relay attacks.
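As an added illustration, not code from the article or from Microsoft, the following script shows the monitoring step above in practice: it scans Windows Firewall log lines in the pfirewall.log field layout and flags outbound SMB (445) and NetBIOS session (139) attempts whose destination is outside private address space. The log lines and all IP addresses are constructed for the example.

```python
import ipaddress
from collections import Counter

# The two ports named in the mitigation guidance: SMB direct-host (445)
# and the NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Constructed sample in the Windows Firewall (pfirewall.log) field layout.
# The public addresses are made up; documentation ranges (TEST-NET) are
# avoided because Python's ipaddress classifies them as private.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-28 09:14:02 ALLOW TCP 10.20.1.55 10.20.1.10 51234 445 0 S 123 0 64240 - - - SEND
2026-04-28 09:14:07 ALLOW TCP 10.20.1.55 91.200.12.34 51240 445 0 S 456 0 64240 - - - SEND
2026-04-28 09:14:07 ALLOW TCP 10.20.1.55 91.200.12.34 51241 139 0 S 457 0 64240 - - - SEND
2026-04-28 09:15:11 ALLOW TCP 10.20.1.77 77.88.55.66 49877 443 0 S 789 0 64240 - - - SEND
2026-04-28 09:16:30 DROP TCP 10.20.1.88 91.200.12.34 52000 445 0 S 999 0 64240 - - - SEND
2026-04-28 09:17:00 ALLOW TCP 77.88.55.66 10.20.1.55 40000 445 0 S 111 0 64240 - - - RECEIVE
"""

def is_external(ip: str) -> bool:
    """True for addresses outside RFC 1918, loopback and link-local space."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)

def find_outbound_smb(log_text: str):
    """Return (src, dst, dst_port, action) for each outbound SMB/NetBIOS
    attempt to an external host. DROP lines are kept on purpose: a blocked
    attempt still shows which internal host tried to reach the share."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        # 17 fields; index 3 = protocol, 16 = path (SEND = outbound)
        if len(f) < 17 or f[3] != "TCP" or f[16] != "SEND":
            continue
        src, dst, dport, action = f[4], f[5], int(f[7]), f[2]
        if dport in SMB_PORTS and is_external(dst):
            hits.append((src, dst, dport, action))
    return hits

def hosts_by_attempts(hits):
    """Internal hosts ranked by number of external SMB attempts."""
    return Counter(h[0] for h in hits).most_common()

if __name__ == "__main__":
    for src, dst, port, action in find_outbound_smb(SAMPLE_LOG):
        print(f"{action:5} {src} -> {dst}:{port}")
```

A host that shows up here with no business reason to talk SMB to the internet is the kind of signal worth triaging alongside the patch status check.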
