The Hidden Risks of Malicious LNK Files in Windows
Microsoft has confirmed active exploitation of a Windows Shell vulnerability that emerged from an incomplete security patch, enabling attackers to steal user credentials without any interaction from victims.
The vulnerability, tracked as CVE-2026-32202, was patched as part of Microsoft's April 2026 Patch Tuesday update and stems from a flawed fix for CVE-2026-21510, a Windows Shell security feature bypass that Microsoft addressed in February 2026. On Monday, Microsoft revised its advisory for CVE-2026-32202 to acknowledge that the flaw has been actively exploited in the wild.
From One-Click to Zero-Click
Security researcher Maor Dahan from Akamai discovered that the February patch, while successfully mitigating the remote code execution path by enforcing SmartScreen verification, left a critical gap: victim machines were still authenticating to attacker-controlled servers.
The problem lies in how Windows Explorer handles malicious shortcut (LNK) files. When rendering the contents of a folder containing a crafted LNK file, Windows Explorer asks the shell to fetch an icon from a UNC path, triggering a server message block (SMB) connection to the attacker's server — all without user interaction. That connection "triggers an automatic NTLM authentication handshake, sending the victim's Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking," Akamai explained.
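Defenders can triage shortcut files for exactly this behaviour by parsing the LNK structure and reporting any icon location that resolves to a UNC path, since that is the lookup Explorer performs while rendering the folder. The following Python is an added example, not code from Akamai or Microsoft: the fixture it builds is constructed for testing (RFC 5737 address), and the check of the IconEnvironmentDataBlock is an assumption about what a scanner should also cover, going slightly beyond the single string field the article describes.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (flags live at offset 20).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData sections appear in this fixed order when their flag is set.
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, HAS_ICON_LOCATION)
ICON_ENV_BLOCK_SIG = 0xA0000007  # IconEnvironmentDataBlock: second place an icon path can hide
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def icon_paths(lnk: bytes) -> list:
    """Return every icon path a shortcut can ask the shell to load."""
    header_size, = struct.unpack_from("<I", lnk, 0)
    if header_size != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", lnk, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) then IDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", lnk, pos)[0]
    paths = []
    for bit in STRING_DATA_FLAGS:
        if flags & bit:
            count, = struct.unpack_from("<H", lnk, pos)
            width = 2 if flags & IS_UNICODE else 1
            raw = lnk[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            if bit == HAS_ICON_LOCATION:
                paths.append(raw.decode("utf-16-le" if width == 2 else "latin-1"))
    while pos + 8 <= len(lnk):  # ExtraData blocks; a size below 4 is the terminal block
        size, sig = struct.unpack_from("<II", lnk, pos)
        if size < 4:
            break
        if sig == ICON_ENV_BLOCK_SIG and size == 0x314:  # 260-byte ANSI TargetAnsi field
            paths.append(lnk[pos + 8:pos + 268].split(b"\0", 1)[0].decode("latin-1"))
        pos += size
    return paths

def remote_icon_paths(lnk: bytes) -> list:
    """Icon paths that would make Explorer open a network (SMB/WebDAV) connection."""
    return [p for p in icon_paths(lnk) if p.startswith("\\\\")]

def constructed_fixture(icon: str) -> bytes:
    """Constructed test input, not a real sample: minimal LNK carrying only an icon string."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ICON_LOCATION | IS_UNICODE)
    header += b"\0" * (0x4C - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le") + b"\0" * 4
```

Running `remote_icon_paths` over every `.lnk` in a mail attachment or download folder gives a quick list of shortcuts worth quarantining; a local path such as a `shell32.dll` icon produces no finding.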
Akamai had disclosed the incomplete patch to Microsoft before going public, noting it withheld details about CVE-2026-21510 in its earlier February reporting on the related CVE-2026-21513 MSHTML vulnerability precisely because it had already identified the patch failure.
APT28's Campaign Against Ukraine and Europe
According to Akamai, these vulnerabilities were likely exploited by Russian nation-state group APT28 — also known as Fancy Bear and Forest Blizzard — beginning in December 2025 in attacks targeting Ukraine and European Union countries. The campaign used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows security features and achieve remote code execution.
"APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library from a remote server using a UNC path," Akamai said. "The DLL is loaded as part of the Control Panel objects without proper network zone validation."
Broad Impact and Patching Urgency
CVE-2026-32202 affects a wide range of Windows systems, including Windows 10, Windows 11, and multiple Windows Server versions. The U.S. Cybersecurity and Infrastructure Security Agency had already added the original CVE-2026-21510 to its Known Exploited Vulnerabilities catalog in February with a remediation deadline of March 3, 2026. Organizations that have not yet applied April's updates remain exposed to the zero-click credential theft attack.
