CVE-2026-32202

Microsoft Windows Shell — NTLM Credential Coercion via Malicious LNK Files (Incomplete APT28 Patch)
CVSS 3.1: 4.3 / 10 (MEDIUM) | CISA Known Exploited Vulnerability

Overview

Actively Exploited. CVE-2026-32202 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 28, 2026, with a remediation deadline of May 12, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-32202 is a Windows Shell protection mechanism failure that allows an attacker to steal Net-NTLMv2 credential hashes from victims by tricking them into opening (or even simply viewing) a malicious Windows Shortcut (LNK) file. The vulnerability exists because Microsoft's February 2026 patch for an APT28-exploited zero-day (CVE-2026-21510) was incomplete: it added SmartScreen validation but still permitted the underlying NTLM authentication coercion.

Although its CVSS score is 4.3 (Medium), the real-world impact is significant: captured Net-NTLMv2 hashes can be cracked offline to recover plaintext passwords, or used directly in NTLM relay attacks to authenticate to other services on the network without knowing the password. This vulnerability has been linked to APT28 (Fancy Bear), a Russian state-sponsored threat group with a history of targeting government, military, and critical infrastructure.

Background: APT28's Zero-Day Chain

CVE-2026-32202 is the third act in a multi-step vulnerability chain that originated with Russian intelligence operations:

  1. December 2025 — APT28 (also known as Fancy Bear, Forest Blizzard, GruesomeLarch) launches LNK-based attacks against Ukraine and EU nations, weaponizing CVE-2026-21510 and CVE-2026-21513 together. According to CERT-UA, the campaign used crafted Windows Shortcut files to trigger automatic NTLM authentication to attacker-controlled servers.

  2. February 2026 — Microsoft patches CVE-2026-21510 and CVE-2026-21513 in the February 2026 Patch Tuesday. The fix added Microsoft Defender SmartScreen validation for the affected file-handling code path.

  3. April 2026 — Maor Dahan, a Senior Security Researcher at Akamai, discovers that the February patch was incomplete. While SmartScreen now blocks execution of the malicious payload, the underlying Windows Shell namespace parser still resolves UNC paths and initiates an SMB authentication handshake before SmartScreen can intervene — leaking the victim's Net-NTLMv2 hash to the attacker's server.

Technical Details

Root cause (CWE-693): The Windows Shell namespace parsing mechanism processes UNC paths (e.g., \\attacker.com\share\file) embedded in LNK shortcut files. When Windows encounters such a path — even just while rendering an icon or file preview — it automatically initiates an SMB connection to resolve the remote resource. This SMB connection triggers NTLM authentication, sending the victim's Net-NTLMv2 hash to the attacker-controlled server.

The protection mechanism that should prevent this (SmartScreen, or path validation) fails to intercept the coercion before the NTLM handshake occurs. The result is a zero-click credential leak in contexts where LNK files are automatically parsed (e.g., opening a folder in Explorer, previewing a file).

Attack flow:

  1. Attacker crafts a malicious .lnk file containing a UNC path pointing to an attacker-controlled SMB server
  2. Victim receives the file (via email, file share, USB drive, cloud storage, etc.)
  3. Windows Shell parses the LNK file — no double-click required if the folder is open in Explorer
  4. Windows initiates SMB connection to the attacker's server
  5. NTLM authentication handshake occurs automatically — the victim's Net-NTLMv2 hash is transmitted to the attacker
  6. Attacker captures the hash and either: (a) cracks it offline to recover the plaintext password, or (b) relays it to authenticate to another service (NTLM relay attack)

CVSS context: The 4.3 Medium score reflects that the direct impact is limited to credential disclosure (C:L, I:N, A:N) and requires user interaction (UI:R — the victim must open or view the malicious file). However, the downstream impact of credential theft — lateral movement, further compromise, persistent access — can far exceed what the base score implies.
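Every field the shell consults while rendering a shortcut (the link target, working directory, icon location, the LinkInfo network share and the environment-variable blocks) can hold a UNC path, and the shell resolves them before any execution decision is made. An analyst triaging a quarantined attachment therefore wants to list those fields without letting the shell touch the file. The PowerShell below is an added example, not code from Akamai, Microsoft or this advisory: it reads the raw bytes and walks the [MS-SHLLINK] structures directly (header LinkFlags, LinkInfo's CommonNetworkRelativeLink, the StringData strings, and the EnvironmentVariable/IconEnvironment ExtraData blocks), reporting every value that begins with \\. The function names and the quarantine directory are assumptions.

```powershell
# Added example: static extraction of UNC references from .lnk files.
# Only raw bytes are read; IShellLink / WScript.Shell are never used, so nothing
# here asks the shell to resolve (and therefore authenticate to) a remote path.
# Offsets follow the [MS-SHLLINK] ShellLink format.

function Read-AnsiZ([byte[]]$B, [int]$Offset) {
    # Null-terminated single-byte string starting at $Offset.
    $end = $Offset
    while ($end -lt $B.Length -and $B[$end] -ne 0) { $end++ }
    [Text.Encoding]::Default.GetString($B, $Offset, $end - $Offset)
}

function Get-LnkRemoteReference {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $refs = New-Object 'System.Collections.Generic.List[object]'
    function Add-Ref($Field, $Value) {
        if ($Value -match '^\\\\') { $refs.Add([pscustomobject]@{ Field = $Field; Value = $Value }) }
    }

    if ($Bytes.Length -lt 76 -or [BitConverter]::ToUInt32($Bytes, 0) -ne 0x4C) { throw 'Not a ShellLink header' }
    $flags   = [BitConverter]::ToUInt32($Bytes, 20)   # LinkFlags
    $unicode = ($flags -band 0x80) -ne 0              # IsUnicode
    $pos     = 76

    # LinkTargetIDList (HasLinkTargetIDList): 2-byte size, then the item IDs; skipped here.
    if ($flags -band 0x1) { $pos += 2 + [BitConverter]::ToUInt16($Bytes, $pos) }

    # LinkInfo (HasLinkInfo): a CommonNetworkRelativeLink stores the share in NetName.
    if ($flags -band 0x2) {
        $liSize  = [BitConverter]::ToUInt32($Bytes, $pos)
        $liFlags = [BitConverter]::ToUInt32($Bytes, $pos + 8)
        if ($liFlags -band 0x2) {                      # CommonNetworkRelativeLinkAndPathSuffix
            $cnrl    = $pos + [BitConverter]::ToUInt32($Bytes, $pos + 20)
            $netName = Read-AnsiZ $Bytes ($cnrl + [BitConverter]::ToUInt32($Bytes, $cnrl + 8))
            Add-Ref 'LinkInfo.NetName' $netName
        }
        $pos += $liSize
    }

    # StringData: each present string is a 2-byte character count followed by the characters.
    $items = @(@{ Bit = 0x4; Name = 'Name' }, @{ Bit = 0x8; Name = 'RelativePath' },
               @{ Bit = 0x10; Name = 'WorkingDir' }, @{ Bit = 0x20; Name = 'Arguments' },
               @{ Bit = 0x40; Name = 'IconLocation' })
    foreach ($item in $items) {
        if (-not ($flags -band $item.Bit)) { continue }
        $count = [BitConverter]::ToUInt16($Bytes, $pos); $pos += 2
        if ($unicode) {
            $s = [Text.Encoding]::Unicode.GetString($Bytes, $pos, $count * 2); $pos += $count * 2
        } else {
            $s = [Text.Encoding]::Default.GetString($Bytes, $pos, $count); $pos += $count
        }
        Add-Ref "StringData.$($item.Name)" $s
    }

    # ExtraData: EnvironmentVariableDataBlock (0xA0000001) and IconEnvironmentDataBlock
    # (0xA0000007) each carry a 260-byte ANSI and a 520-byte UTF-16 copy of a path.
    # Signatures are read as Int32 because PowerShell parses 8-digit hex literals as Int32.
    while ($pos + 8 -le $Bytes.Length) {
        $size = [BitConverter]::ToUInt32($Bytes, $pos)
        if ($size -lt 8) { break }                     # TerminalBlock
        $sig = [BitConverter]::ToInt32($Bytes, $pos + 4)
        if (($sig -eq 0xA0000001 -or $sig -eq 0xA0000007) -and ($pos + $size) -le $Bytes.Length) {
            $u    = [Text.Encoding]::Unicode.GetString($Bytes, $pos + 8 + 260, 520).Split([char]0)[0]
            $name = if ($sig -eq 0xA0000001) { 'EnvironmentVariable' } else { 'IconEnvironment' }
            Add-Ref "ExtraData.$name" $u
        }
        $pos += $size
    }
    return $refs
}

function Find-LnkRemoteReference {
    # Walk a directory (e.g. a mail-gateway quarantine) and report shortcuts carrying UNC references.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -Recurse -File -Filter *.lnk | ForEach-Object {
        $file = $_
        try { $hits = Get-LnkRemoteReference -Bytes ([IO.File]::ReadAllBytes($file.FullName)) }
        catch { Write-Warning "$($file.FullName): $_"; return }
        foreach ($h in $hits) {
            [pscustomobject]@{ File = $file.FullName; Field = $h.Field; Value = $h.Value }
        }
    }
}

# Usage (assumed path): Find-LnkRemoteReference -Directory 'C:\Quarantine' | Format-Table -AutoSize
```

Run it from a console, not from an Explorer window open on the quarantine folder: Get-ChildItem and ReadAllBytes use plain file APIs and never invoke the shell, whereas an Explorer view of the same folder is exactly the zero-click rendering path the advisory describes. A hit in IconLocation or IconEnvironment is the field most relevant to this CVE, since the icon is resolved on display; a hit in RelativePath, WorkingDir or NetName is resolved when the shortcut is opened.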

Affected Versions

All actively supported versions of Windows are affected. The April 2026 Patch Tuesday addresses CVE-2026-32202 across the following versions:

Windows Version                     Patch KB
Windows 10 1607                     KB5082198
Windows 10 1809                     KB5082123
Windows 10 21H2 / 22H2              KB5082200
Windows 11 23H2                     KB5082052
Windows 11 24H2 / 25H2              KB5083769
Windows 11 26H1                     KB5083768
Windows Server 2012                 KB5082127
Windows Server 2012 R2              KB5082126
Windows Server 2016                 KB5082198
Windows Server 2019                 KB5082123
Windows Server 2022 (21H2 / 22H2)   KB5082142
Windows Server 2022 (23H2)          KB5082060
Windows Server 2025                 KB5082063
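The table above is the input a patch-verification check needs. The PowerShell below is an added example, not Microsoft tooling: it copies the KB identifiers from the table, reads the installed-update list with Get-HotFix, and reports the host's version strings from the registry alongside whether any of those KBs is present. The function names are assumptions.

```powershell
# Added example: confirm that one of the April 2026 updates listed above is installed.
# The KB list is copied from the advisory's table; version strings come from the registry.

$April2026Kbs = @('KB5082198', 'KB5082123', 'KB5082200', 'KB5082052', 'KB5083769', 'KB5083768',
                  'KB5082127', 'KB5082126', 'KB5082142', 'KB5082060', 'KB5082063')

function Get-WindowsVersionInfo {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName        # Windows 11 still reports "Windows 10 ..." here
        DisplayVersion = $cv.DisplayVersion     # e.g. 22H2; absent on older builds
        Build          = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
    }
}

function Test-April2026Patch {
    param([string[]]$ExpectedKbs = $April2026Kbs)
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $matched   = @($ExpectedKbs | Where-Object { $installed -contains $_ })
    $ver = Get-WindowsVersionInfo
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ProductName    = $ver.ProductName
        DisplayVersion = $ver.DisplayVersion
        Build          = $ver.Build
        MatchedKb      = ($matched -join ', ')
        Patched        = $matched.Count -gt 0
    }
}

Test-April2026Patch | Format-List
```

One caveat: cumulative updates supersede each other, so a host that jumped straight to a later month's update will show Patched = False here even though it carries the fix. In that case compare the reported Build (CurrentBuildNumber.UBR) against the build listed in the release notes of the installed update rather than relying on the KB name alone.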

Discovery

The vulnerability was discovered by Maor Dahan, Senior Security Researcher at Akamai, while analyzing the completeness of Microsoft's February 2026 patches for the APT28 zero-day chain. Dahan's research — published in the Akamai blog post "A Shortcut to Coercion" — demonstrated that while the February patch blocked payload execution, it left the NTLM coercion channel fully open.

Exploitation Context

Active exploitation has been confirmed by Microsoft as of April 27, 2026. The CVE is a direct descendant of APT28's offensive toolkit, with the same LNK-based NTLM coercion technique used in documented campaigns against Ukrainian government targets and EU entities in December 2025.

Why this matters beyond APT28: Once a nation-state technique becomes publicly documented and patched, the underlying tradecraft propagates to criminal groups and commodity threat actors. NTLM credential coercion via LNK files is well-understood in offensive security tooling (Responder, Impacket), meaning this bypass is accessible to a wide range of attackers — not just sophisticated state actors.

What attackers do with captured hashes:

  • Offline password cracking — Net-NTLMv2 hashes can be submitted to tools like Hashcat or cracked using cloud GPU instances, recovering the plaintext password if it is not sufficiently complex
  • NTLM relay attacks — the captured hash can be relayed in real time to authenticate to Exchange, SharePoint, file servers, and other services that accept NTLM authentication, without ever knowing the plaintext password
  • Targeted phishing follow-up — knowing a user's credentials enables highly credible spear-phishing or account takeover

Remediation

CISA BOD 22-01 Deadline: May 12, 2026. Apply Microsoft April 2026 security updates for the applicable Windows version.

  1. Apply the April 2026 Patch Tuesday update for your Windows version using the KB numbers in the table above. Verify via Settings → Windows Update, or from a console with winver and wmic qfe list.
  2. Disable NTLM where possible — consider enabling the "Network security: Restrict NTLM" Group Policy settings to block outbound NTLM authentication to external servers.
  3. Block outbound SMB (TCP 445) at the firewall perimeter — prevents NTLM hash coercion to internet-hosted attacker servers. This is a critical defense-in-depth measure regardless of patch status.
  4. Enable Extended Protection for Authentication (EPA) on Exchange, IIS, and other services that support it, to block NTLM relay attacks even if hashes are captured.
  5. Deploy Microsoft Defender Credential Guard on Windows 11 and Windows Server 2019+ systems to prevent NTLM hash extraction from LSASS.
  6. Monitor for suspicious SMB connections — outbound SMB to external or unexpected IP addresses is a strong indicator of NTLM coercion in progress.
  7. Audit email and file-share delivery of LNK files — consider blocking .lnk attachments at the mail gateway and enforcing policies against opening shortcut files from untrusted sources.
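Steps 2, 3 and 6 are configuration and monitoring on the endpoint itself, and they can be audited and applied from one script. The PowerShell below is an added example, not Microsoft or CISA guidance: it reads and sets the registry value behind the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, queries the NTLM audit events that policy produces, creates a Windows Firewall rule that blocks outbound TCP 445 to everything outside the private address ranges, and snapshots live outbound SMB sessions to non-internal addresses. The internal ranges, the rule name and the function names are assumptions to adjust for your environment; the registry path, policy values and event ID are the documented ones.

```powershell
# Added example: audit and apply the NTLM-coercion mitigations from steps 2, 3 and 6.
# Run in an elevated session. Call Get-NtlmCoercionPosture first to see the current
# state, then the Set-/Add- functions to change it.

function Test-InternalIPv4 {
    # RFC 1918, loopback and link-local count as internal; adjust to your address plan (assumption).
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 is treated as not-internal here
    $b = $ip.GetAddressBytes()
    ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168) -or ($b[0] -eq 127) -or ($b[0] -eq 169 -and $b[1] -eq 254)
}

# Step 2: registry backing of "Network security: Restrict NTLM: Outgoing NTLM traffic to
# remote servers". 0 = allow all, 1 = audit all, 2 = deny all.
$Msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutboundNtlmPolicy {
    $v = (Get-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) { 2 { 'Deny all' } 1 { 'Audit all' } default { 'Allow all (not configured)' } }
}

function Set-OutboundNtlmPolicy {
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
}

# With the policy at audit (or deny), outgoing NTLM attempts are logged as event 8001 in
# Microsoft-Windows-NTLM/Operational; the message names the target server.
function Get-OutboundNtlmEvent {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Detail = $_.Message } }
}

# Step 3: block outbound TCP/445 to non-internal destinations. Windows Firewall has no
# "except" operator, so the rule enumerates the unicast space around the private ranges.
$PublicRanges = @('1.0.0.0-9.255.255.255', '11.0.0.0-126.255.255.255', '128.0.0.0-169.253.255.255',
                  '169.255.0.0-172.15.255.255', '172.32.0.0-192.167.255.255', '192.169.0.0-223.255.255.255')
$SmbRuleName = 'Block outbound SMB (TCP 445) to non-internal addresses'

function Add-OutboundSmbBlockRule {
    if (Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $SmbRuleName -Direction Outbound -Action Block -Protocol TCP `
        -RemotePort 445 -RemoteAddress $PublicRanges -Profile Any -Enabled True | Out-Null
}

# Step 6: live snapshot of outbound SMB sessions to addresses outside the internal ranges.
# The redirector opens these from the System process (PID 4), so Process will usually read "System".
function Get-ExternalSmbConnection {
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Established', 'SynSent' -and -not (Test-InternalIPv4 $_.RemoteAddress) } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Remote = $_.RemoteAddress; State = $_.State; Pid = $_.OwningProcess; Process = $p.ProcessName }
        }
}

function Get-NtlmCoercionPosture {
    [pscustomobject]@{
        OutboundNtlmPolicy  = Get-OutboundNtlmPolicy
        SmbBlockRulePresent = [bool](Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue)
        ExternalSmbSessions = @(Get-ExternalSmbConnection)
        OutboundNtlm24h     = @(Get-OutboundNtlmEvent -Hours 24).Count
    }
}

Get-NtlmCoercionPosture | Format-List
```

Start with Set-OutboundNtlmPolicy -Mode Audit and review the 8001 events for a few days before moving to Deny, because legacy file servers and printers that only speak NTLM will break under Deny; the companion policy "Add remote server exceptions for NTLM authentication" (ClientAllowedNTLMServers in the same key) is where those get whitelisted. In production set the value through Group Policy rather than the registry so it is not reverted by the next policy refresh. Two caveats on the firewall rule: it only covers IPv4, and when TCP 445 is unreachable the shell can retry a UNC path over WebDAV through the WebClient service (TCP 80/443), which also negotiates NTLM, so disable WebClient where it is not needed or extend the monitoring to it.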

Key Details

Property               Value
CVE ID                 CVE-2026-32202
Vendor / Product       Microsoft — Windows
NVD Published          2026-04-14
NVD Last Modified      2026-04-28
CVSS 3.1 Score         4.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity               MEDIUM
CWE                    CWE-693 — Protection Mechanism Failure
CISA KEV Added         2026-04-28
CISA KEV Deadline      2026-05-12
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       Low
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2026-05-12. Apply Microsoft April 2026 security updates (Patch Tuesday) for the applicable Windows version. See the Microsoft Security Response Center advisory for KB article numbers by Windows version.

Timeline

Date         Event
2025-12      APT28 (Fancy Bear) weaponizes CVE-2026-21510 and CVE-2026-21513 in LNK-based attacks against Ukraine and EU nations
2026-02      Microsoft patches CVE-2026-21510 and CVE-2026-21513 in February 2026 Patch Tuesday
2026-04-14   CVE-2026-32202 published — Maor Dahan (Akamai) identifies that the February patch was incomplete, leaving the NTLM coercion vector open
2026-04-27   Microsoft corrects exploitability metadata and confirms active exploitation in the wild
2026-04-28   Added to CISA Known Exploited Vulnerabilities catalog
2026-05-12   CISA BOD 22-01 remediation deadline