Microsoft Confirms Active Exploitation of Windows Shell Vulnerability CVE-2026-32202

Microsoft has officially updated its security advisory to confirm that a recently patched vulnerability in Windows Shell has been actively exploited in real-world attacks. The flaw, identified as CVE-2026-32202, highlights ongoing risks within Windows environments despite recent security updates.

Details of the Vulnerability

The issue, assigned a CVSS score of 4.3, is categorized as a spoofing vulnerability. It enables attackers to access limited sensitive information by tricking users into interacting with specially crafted malicious files. This flaw was addressed in Microsoft’s latest Patch Tuesday release.

According to Microsoft, the vulnerability stems from a failure in a protection mechanism within Windows Shell. Exploitation requires the attacker to deliver a malicious file that must be executed by the victim. While attackers can gain access to certain confidential data, they are unable to modify it or disrupt system availability.

Correction to Security Advisory

On April 27, 2026, Microsoft revised key details in its original report published earlier in the month. The company corrected inaccuracies related to the Exploitability Index, exploited status, and CVSS vector, clarifying that the vulnerability had indeed been used in active attacks.

Link to Previous Vulnerabilities

Security researcher Maor Dahan from Akamai, who discovered the flaw, explained that the vulnerability originates from an incomplete fix for a previously disclosed issue, CVE-2026-21510.

This earlier vulnerability, along with CVE-2026-21513, had already been exploited by a well-known threat actor group identified as APT28, also referred to as Fancy Bear and Pawn Storm. These vulnerabilities were part of a coordinated exploit chain targeting high-value systems.

  • CVE-2026-21510 allowed attackers to bypass security features within Windows Shell
  • CVE-2026-21513 impacted the MSHTML framework with similar bypass capabilities

Both issues were patched in February 2026.

Attack Method and Campaign Insights

Figure: CVE-2026-21510 Exploitation

Investigations revealed that attackers used malicious Windows Shortcut (LNK) files to exploit these vulnerabilities. This technique allowed them to bypass Microsoft Defender SmartScreen protections and execute malicious code without raising immediate suspicion.

The attack campaign, observed in late 2025, primarily targeted organizations in Ukraine and European Union countries. It relied on Windows Shell’s handling of file paths to load malicious dynamic-link libraries from remote servers.

Technical Breakdown of the Exploit

The attack leverages a UNC (Universal Naming Convention) path of the form \\server\share to connect victim systems to attacker-controlled servers. When the system processes such a path, it automatically initiates an SMB connection to the named server.

This behavior triggers an NTLM authentication process, which unintentionally sends the victim’s Net-NTLMv2 hash to the attacker. These credentials can later be exploited through relay attacks or offline cracking techniques.

Although Microsoft’s earlier patch addressed the risk of remote code execution, it did not fully eliminate the underlying issue. The remaining flaw, now tracked as CVE-2026-32202, allows attackers to coerce authentication without any user interaction.

Security Implications

This vulnerability demonstrates how partial fixes can leave systems exposed to new attack vectors. Even without full system compromise, credential theft can provide attackers with a foothold for further intrusion.

Organizations are strongly advised to apply all recent security updates and monitor network activity for unusual SMB connections or unauthorized authentication attempts.
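The following is an added example, not code from the article, from Microsoft or from Akamai. It illustrates the two defender-side points above: why a UNC path embedded in a file is a credential-leak risk (the server component is what Windows will open an SMB connection to, and therefore authenticate to), and what "unusual SMB connections" look like in telemetry. The event format is a constructed, simplified key=value rendition of Sysmon Event ID 3 (network connection) fields, not real Sysmon output; the internal DNS suffix ".corp.example" is a placeholder to replace with your own domain suffixes.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Address ranges treated as "inside the network" for this example: RFC 1918,
# loopback and link-local only. This is deliberately narrower than
# ipaddress.is_private, which also counts documentation ranges like 203.0.113.0/24.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]

# Placeholder internal DNS suffixes (constructed); replace with your AD domain suffixes.
INTERNAL_SUFFIXES = (".corp.example",)

_UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(path: str) -> Optional[str]:
    """Return the server component of a UNC path (\\\\server\\share\\...), or None.

    Device-namespace prefixes (\\\\?\\ and \\\\.\\) look like UNC paths but address
    the local machine, so they are not reported as remote hosts.
    """
    m = _UNC_RE.match(path)
    if not m or m.group(1) in ("?", "."):
        return None
    return m.group(1)


def is_internal_host(host: str) -> bool:
    """Classify a UNC server name or a connection target as internal or external."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal; treat it as a DNS/NetBIOS name
    name = host.lower().rstrip(".")
    if "." not in name:
        return True  # assumption: single-label names only resolve via the local domain/LAN
    return name.endswith(INTERNAL_SUFFIXES)


def unc_risk(path: str) -> str:
    """'local' (no remote host), 'internal' or 'external' for a path found inside a file."""
    host = unc_host(path)
    if host is None:
        return "local"
    return "internal" if is_internal_host(host) else "external"


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value event line (values contain no spaces)."""
    return dict(kv.split("=", 1) for kv in line.split())


def flag_external_smb(lines: List[str]) -> List[Dict[str, str]]:
    """Return outbound SMB/NetBIOS connections (ports 445/139) to external hosts.

    Initiated=true marks an outbound connection in Sysmon Event ID 3; inbound
    connections on 445 are normal for a file server and are not reported.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue
        if ev.get("DestinationPort") not in ("445", "139"):
            continue
        if is_internal_host(ev["DestinationIp"]):
            continue
        hits.append(ev)
    return hits


# Constructed sample events; real Sysmon output is XML/EVTX and needs a proper parser.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Windows\\explorer.exe Initiated=true DestinationIp=10.0.0.5 DestinationPort=445",
    "EventID=3 Image=C:\\Windows\\explorer.exe Initiated=true DestinationIp=203.0.113.10 DestinationPort=445",
    "EventID=3 Image=C:\\Users\\alice\\browser.exe Initiated=true DestinationIp=203.0.113.10 DestinationPort=443",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe Initiated=false DestinationIp=10.0.0.7 DestinationPort=445",
]

if __name__ == "__main__":
    for p in (r"C:\Users\alice\report.docx", r"\\FILESRV01\public\tool.dll",
              r"\\203.0.113.10\share\tool.dll", r"\\?\C:\Windows"):
        print(f"{unc_risk(p):9s} {p}")
    for hit in flag_external_smb(SAMPLE_EVENTS):
        print("ALERT outbound SMB to external host:", hit["Image"], "->", hit["DestinationIp"])
```

Only the second sample event is flagged: explorer.exe opening port 445 to a non-internal address is exactly the connection that carries the NTLM challenge-response described above, whereas SMB to a 10.0.0.0/8 file server and HTTPS to the same external address are ordinary traffic. In production the same rule is usually complemented by an egress firewall policy that blocks outbound TCP 445 to the internet, so that the alert fires on the attempt rather than after the credential has already left the network.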
