
Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild.

The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this month.

“Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network,” Microsoft noted in an alert. “An attacker must send the victim a malicious file that the victim must execute.”

“An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).”

On April 27, 2026, Microsoft said it rectified the “Exploitability Index, Exploited flag, and CVSS vector” as they were incorrect when they were published on April 14.


While the tech giant did not share any details about the exploitation activity, Akamai security researcher Maor Dahan, who is credited with discovering and reporting the bug, said the zero-click vulnerability stems from an incomplete patch for CVE-2026-21510.

The latter has been weaponized by a Russian nation-state group tracked as APT28 (aka Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm) alongside CVE-2026-21513 as part of an exploit chain –

  • CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026)
  • CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026)

It's worth noting that the abuse of CVE-2026-21513 was also flagged by the web infrastructure and security company early last month, linking it to APT28 after unearthing a malicious artifact in January 2026.

CVE-2026-21510 Exploitation

The campaign, targeting Ukraine and E.U. nations in December 2025, leverages a malicious Windows Shortcut (LNK) file to exploit the two vulnerabilities, effectively bypassing Microsoft Defender SmartScreen and enabling attacker-controlled code to be executed.

“APT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path,” Dahan explained. “The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation.”

Akamai said the February 2026 patch, while mitigating the remote code execution risk by triggering a SmartScreen check of the CPL file’s digital signature and origin zone, still allowed the victim machine to authenticate to the attacker’s server and automatically fetch the CPL file by resolving the Universal Naming Convention (UNC) path and initiating an SMB connection without requiring user interaction.

“When that path is a UNC path (like ‘\\attacker.com\share\payload.cpl’), Windows initiates an SMB connection to the attacker’s server,” Dahan said. “This server message block (SMB) connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking.”


“While Microsoft fixed the initial RCE (CVE-2026-21510), an authentication coercion flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files.”
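From the detection side, the vector Dahan describes is a shortcut whose parsed fields name a UNC path to a remote .cpl. The Python below is an added example, not Akamai's or Microsoft's code: it walks the MS-SHLLINK header, LinkInfo and StringData fields of a .lnk and reports the hosts of any UNC paths ending in .cpl, so a triage script can flag such files before Explorer auto-parses them. The host name and the minimal fixture builder are constructed for the example.

```python
import re
import struct

# ShellLinkHeader LinkFlags (MS-SHLLINK 2.1.1) live at offset 20 of the 76-byte header
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_BITS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
LNK_MAGIC = b"\x4c\x00\x00\x00"
UNC_PATH = re.compile(r"\\\\([^\\\s/]+)\\(\S*)")   # \\host\share\... -> (host, remainder)

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _cstr(b, o): return b[o:b.index(b"\x00", o)].decode("cp1252", "replace")

def lnk_paths(blob: bytes) -> list[str]:
    """Every path-like string a .lnk carries: the LinkInfo network path plus all StringData fields."""
    if len(blob) < 76 or blob[:4] != LNK_MAGIC:
        raise ValueError("not a ShellLink file")
    flags, pos, out = _u32(blob, 20), 76, []
    if flags & HAS_ID_LIST:                       # IDListSize (u16) followed by the IDList itself
        pos += 2 + _u16(blob, pos)
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (u32) covers the whole structure
        if _u32(blob, pos + 8) & 0x02:            # LinkInfoFlags: CommonNetworkRelativeLinkAndPathSuffix
            cnrl = pos + _u32(blob, pos + 20)     # CommonNetworkRelativeLinkOffset
            net_name = _cstr(blob, cnrl + _u32(blob, cnrl + 8))      # NetNameOffset -> "\\host\share"
            out.append(net_name + "\\" + _cstr(blob, pos + _u32(blob, pos + 24)))  # + CommonPathSuffix
        pos += _u32(blob, pos)
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_DATA_BITS:                  # each present field: CountCharacters (u16) + characters
        if flags & bit:
            count = _u16(blob, pos)
            raw = blob[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            out.append(raw.decode("utf-16-le" if width == 2 else "cp1252", "replace"))
    return out

def remote_cpl_hosts(blob: bytes) -> list[str]:
    """Hosts named by any UNC path in the link whose target is a .cpl, the pattern described above."""
    hosts = []
    for text in lnk_paths(blob):
        hosts += [host for host, rest in UNC_PATH.findall(text) if rest.lower().endswith(".cpl")]
    return hosts

def build_fixture_lnk(arguments: str) -> bytes:
    """Constructed test fixture only: a bare header (HasArguments|IsUnicode) plus one StringData field."""
    header = bytearray(76)
    header[0:4] = LNK_MAGIC
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID 00021401-0000-0000-C000-000000000046
    struct.pack_into("<I", header, 20, 0x20 | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

if __name__ == "__main__":
    print(remote_cpl_hosts(build_fixture_lnk(r"\\attacker.example\share\payload.cpl")))  # ['attacker.example']
```

Run it over a mail-attachment or download-folder sweep with `lnk_paths(open(p, "rb").read())`; anything returned by `remote_cpl_hosts` is a candidate for quarantine, and the full path list is what you hand to the analyst.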
