Here's a nightmare scenario: You install the patch. Microsoft marks the vulnerability resolved. Your system is safe. Except it isn't — attackers can still steal your credentials without you clicking a thing.

That's exactly what happened with CVE-2026-32202, a vulnerability that only exists because February's Patch Tuesday didn't actually fix everything. And now Russian state hackers are exploiting it in the wild.

The Original Attack: APT28's LNK Chain

In December 2025, Russia's APT28 (Fancy Bear / Forest Blizzard) launched a phishing campaign targeting Ukraine and EU countries. The bait? Weaponized LNK shortcut files pretending to be from Ukraine's hydro-meteorological center.

These weren't normal shortcuts. They chained two vulnerabilities:

  • CVE-2026-21513 — An MSHTML security feature bypass
  • CVE-2026-21510 — A Windows Shell flaw

Together, they bypassed Microsoft Defender SmartScreen and executed remote code stored on attacker-controlled servers. The victim only had to open a shortcut file. That's it.

Microsoft Patched It. Mostly.

Microsoft released fixes for both CVEs in February 2026. The remote code execution path? Closed. The SmartScreen bypass? Patched. Security teams breathed a sigh of relief.

But researchers at Akamai weren't convinced. They ran a differential analysis on the patch using their PatchDiff-AI tool. What they found should terrify anyone who trusts vendor patches blindly.

The gap: While SmartScreen now enforced scanning of CPL files loaded via shell namespace parsing, the authentication handshake happened before that check. The victim machine was still authenticating to the attacker's server during path resolution — before trust verification ever fired.

CVE-2026-32202: Zero-Click Credential Theft

This residual flaw didn't need you to execute anything. Simply parsing the malicious LNK file's UNC path triggered an automatic authentication to the attacker's server, leaking Net-NTLMv2 hashes. No clicks. No warnings. Just silent credential exposure.

Akamai responsibly disclosed this to Microsoft. The result: CVE-2026-32202, patched in April 2026 Patch Tuesday, marked as exploited in the wild on April 27, and added to CISA's Known Exploited Vulnerabilities catalog on April 28.

Federal deadline for patch compliance: May 12, 2026.

Why This Matters More Than Typical CVEs

This isn't just another vulnerability. It's a case study in why patch verification matters as much as patch deployment:

  • Trust but verify: Microsoft's fix closed the RCE path but left the authentication coercion vector wide open
  • Zero-click damage: No user interaction required — just having the file on your system is enough
  • Active exploitation: APT28 and potentially others are already using this in campaigns
  • Nation-state targeting: The original campaign targeted critical infrastructure and government entities

The Technical Details

The vulnerability lives in how Windows Shell parses LNK files containing UNC paths. When Windows resolves the path to display the shortcut's icon or metadata, it initiates an SMB connection to the remote server. That connection authenticates using the current user's credentials — before any security checks validate whether that connection should be allowed.

Think of it like your front door: Microsoft fixed the lock (RCE), but left the mail slot open (authentication coercion). Attackers can't walk in anymore, but they can still peek at your keys.

What You Should Do Right Now

If you're running Windows in an enterprise environment:

  1. Patch immediately: April 2026 Patch Tuesday contains the fix for CVE-2026-32202
  2. Block outbound SMB: Prevent NTLM authentication to external servers at the firewall level
  3. Disable NTLM where possible: Move to Kerberos for internal authentication
  4. Audit for suspicious LNK files: Scan for shortcuts containing UNC paths to external servers
  5. Enable SMB signing: Prevents relay attacks using captured hashes
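Step 4 in practice, as an added example that is not from the original post nor from Akamai or Microsoft: a Python triage script that checks the Shell Link header, sweeps a .lnk file for UNC paths in both ANSI and UTF-16LE string fields, and flags hosts that are not private IPs or an allowlisted internal DNS suffix. The internal suffix `corp.example` and the sample shortcut bytes are constructed assumptions for the demo.

```python
import ipaddress
import re
import struct

# Shell Link header constants from MS-SHLLINK: HeaderSize is always 0x4C and
# LinkCLSID is 00021401-0000-0000-C000-000000000046 (stored little-endian).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# A UNC path: \\host\share[\subpath...]; conservative classes so the sweep stops at binary data.
_UNC = r"\\\\([A-Za-z0-9._-]+)\\([A-Za-z0-9 ._$@-]+(?:\\[A-Za-z0-9 ._$@-]+)*)"
_UNC_ANSI = re.compile(_UNC.encode("ascii"))
_UNC_TEXT = re.compile(_UNC)


def is_external_host(host: str, internal_suffixes=("corp.example",)) -> bool:
    """True if the UNC host lies outside the organisation (an NTLM handshake would leave the network)."""
    h = host.rstrip(".").lower()
    try:
        return ipaddress.ip_address(h).is_global  # RFC1918, loopback, link-local => internal
    except ValueError:
        pass
    if "." not in h:  # single-label name resolves locally (DNS suffix / NetBIOS); treat as internal
        return False
    return not any(h == s or h.endswith("." + s) for s in internal_suffixes)


def scan_lnk(data: bytes, internal_suffixes=("corp.example",)):
    """Return (looks_like_lnk, findings); each finding is one unique UNC path with a verdict."""
    looks_like_lnk = (len(data) >= LNK_HEADER_SIZE
                      and data[:4] == struct.pack("<I", LNK_HEADER_SIZE) and data[4:20] == LNK_CLSID)
    candidates = [(m.group(1).decode(), m.group(0).decode(), "ansi") for m in _UNC_ANSI.finditer(data)]
    for off in (0, 1):  # UTF-16LE strings may start at either byte alignment
        text = data[off:].decode("utf-16-le", errors="ignore")
        candidates += [(m.group(1), m.group(0), "unicode") for m in _UNC_TEXT.finditer(text)]
    findings, seen = [], set()
    for host, path, enc in candidates:
        if path.lower() in seen:  # same path often sits in both LinkInfo (ANSI) and StringData (UTF-16)
            continue
        seen.add(path.lower())
        findings.append({"host": host, "path": path, "encoding": enc,
                         "external": is_external_host(host, internal_suffixes)})
    return looks_like_lnk, findings


def build_sample_lnk() -> bytes:
    """Constructed sample, not a real capture: valid header (HasLinkInfo|HasIconLocation|IsUnicode),
    two null-terminated ANSI UNC strings, then one UTF-16LE StringData icon path (count + chars)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", 0x02 | 0x40 | 0x80)
    header += bytes(LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed for the demo
    ansi = b"\\\\updates.example.net\\share\x00\\\\10.0.0.5\\public\x00"
    icon = "\\\\files.corp.example\\icons\\app.ico"
    return header + ansi + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Run `scan_lnk(open(path, "rb").read())` over every shortcut in user profiles and start-up folders; any finding with `external` set to True is a candidate for the authentication-coercion pattern described above and deserves a closer look.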

The Bigger Picture

This incident reveals something uncomfortable about modern security: even when vendors respond quickly to zero-days, the fixes aren't always complete. The gap between "patched" and "actually secure" can be weeks — and attackers know it.

APT28 certainly knew. They didn't need to find a new vulnerability; they just needed to look at what Microsoft didn't fix.

For security teams, the lesson is clear: patch Tuesday is just the beginning. Differential analysis, attack surface validation, and continuous threat modeling aren't optional extras anymore — they're the difference between being secure and being patched.

Stay paranoid. The patches aren't always what they seem.