An incomplete patch for a Windows SmartScreen and Windows Shell security prompts bypass created a new bug enabling zero-click attacks, Akamai reports.
The initial vulnerability, tracked as CVE-2026-21510 and patched in February, could be exploited for remote code execution (RCE) if the attacker could convince the victim to open a malicious shortcut file.
Microsoft warned at the time that the flaw had been exploited as a zero-day, without providing details on the observed attacks.
Now, Akamai says Russia-linked APT28, also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy, exploited CVE-2026-21510 in attacks that also targeted CVE-2026-21513, a security feature bypass in the MSHTML framework patched in February as well.
“An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system,” Microsoft explains in its advisory.
Akamai attributed CVE-2026-21513’s exploitation to APT28 in late February, but did not mention CVE-2026-21510, because it had previously discovered the incomplete patch.
The lack of proper patching, it says, resulted in a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials via auto-parsed LNK files.
“We then found an incomplete patch and disclosed it to Microsoft. The new vulnerability, CVE-2026-32202, caused the victim to authenticate the attacker’s server without user interaction (zero click),” Akamai says.
Microsoft released fixes for CVE-2026-32202 as part of the April 2026 patches. Its advisory flags the security defect as exploited, but does not detail the observed attacks.
According to Akamai, these vulnerabilities were likely exploited by APT28 in December 2025, in attacks against Ukraine and European Union countries.
As part of the campaign, the APT used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows’ security features and achieve remote code execution (RCE).
“APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation,” Akamai explains.
Analysis of the patches rolled out in February revealed that, while the RCE path was mitigated by enforcing SmartScreen verification of the file’s digital signature and origin zone, “the victim machine was still authenticating to the attacker’s server.”
The problem, Akamai says, is that the trust verification would fire during a call at the end of the launch chain, missing an earlier stage in the chain.
When rendering the contents of the folder containing the malicious LNK file, Windows Explorer asks shell32 to fetch an icon from a UNC path, triggering a server message block (SMB) connection to the attackers’ server without user interaction.
The “connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking,” Akamai notes.
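A defender-side triage check for the trigger described above, added here as an example and not code from Akamai or Microsoft: it walks the fixed-order StringData section of a shell link as laid out in MS-SHLLINK and flags an ICON_LOCATION that points at a UNC path, so shortcut files arriving in mail or downloads can be quarantined before Explorer renders their folder. The minimal .lnk bytes it builds and the host name inside them are constructed for the check, not indicators from the article.

```python
import struct
from typing import Optional

# Shell link (MS-SHLLINK) header: HeaderSize (4), LinkCLSID (16), LinkFlags at 0x14
LNK_HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData entries are optional but always appear in this order
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                     HAS_ARGUMENTS, HAS_ICON_LOCATION)


def icon_location(lnk: bytes) -> Optional[str]:
    """Return the ICON_LOCATION string of a shell link, or None if it has none."""
    if len(lnk) < LNK_HEADER_SIZE or struct.unpack_from("<I", lnk, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) precedes the IDList
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", lnk, off)[0]
    # Each StringData entry: CountCharacters (2 bytes) then the characters,
    # UTF-16LE when IsUnicode is set, ANSI otherwise, with no terminator.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    strings = {}
    for flag in STRING_DATA_ORDER:
        if flags & flag:
            count = struct.unpack_from("<H", lnk, off)[0]
            strings[flag] = lnk[off + 2:off + 2 + count * width].decode(codec)
            off += 2 + count * width
    return strings.get(HAS_ICON_LOCATION)


def is_remote_icon(lnk: bytes) -> bool:
    """True when Explorer would fetch the icon over the network (UNC path)."""
    loc = icon_location(lnk)
    return loc is not None and loc.lstrip().startswith(("\\\\", "//"))


def build_sample_lnk(icon: str) -> bytes:
    """Constructed minimal .lnk (header + ICON_LOCATION only) for exercising the parser."""
    hdr = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, LNK_HEADER_SIZE)
    hdr[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink LinkCLSID
    struct.pack_into("<I", hdr, 0x14, HAS_ICON_LOCATION | IS_UNICODE)
    return bytes(hdr) + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

This inspects only the StringData icon field; a fuller triage would also decode the IconEnvironmentDataBlock in the ExtraData section and the link target path, since either can name a network location as well.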