Incomplete Patch for Windows Shell Bug Leads to New Zero-Day (CVE-2026-32202)


Akamai researchers discovered that Microsoft’s initial patch for CVE-2026-21510, a vulnerability exploited by the threat actor APT28 (Fancy Bear), was incomplete. While the fix addressed the Remote Code Execution (RCE) path, it left behind a zero-click authentication coercion vulnerability, now tracked as CVE-2026-32202.

Severity: High

Threat Actor

APT28 (aka Fancy Bear) is a Russian state-sponsored threat actor. The initial campaign targeted Ukraine and several EU countries in December 2025.

Vulnerability Chain

  • CVE-2026-21513: LNK-based initial execution. Status: Patched (Feb 2026 Patch Tuesday)
  • CVE-2026-21510: SmartScreen bypass + RCE via CPL/UNC. Status: Patched (Feb 2026 Patch Tuesday)
  • CVE-2026-32202: Zero-click NTLM authentication coercion. Status: Newly disclosed (Apr 23, 2026)

Attack Mechanism

Original Exploit (CVE-2026-21510):

  • A weaponized .LNK file contains a malicious LinkTargetIDList structure.
  • APT28 abuses Windows shell namespace parsing to embed a UNC path inside a _IDCONTROLW structure, disguised as a Control Panel (CPL) object.
  • Windows loads the remote DLL without SmartScreen or Mark-of-the-Web (MotW) validation.

Residual Vulnerability (CVE-2026-32202 — the incomplete patch):

  • Microsoft’s fix added a new COM object (ControlPanelLinkSite) that gates SmartScreen verification via ShellExecuteExW, but this fires too late in the execution chain.
  • Earlier in the chain, CControlPanelFolder::GetUIObjectOf calls PathFileExistsW inside GetModuleMapped to resolve the UNC path for icon extraction.
  • This triggers an SMB connection to the attacker’s server the moment Explorer renders the folder — no user click required.
  • The SMB handshake leaks the victim’s NetNTLMv2 hash, enabling NTLM relay attacks and offline password cracking.

Key Technical Indicators

  • Attack vector: Malicious .LNK file with embedded UNC path (e.g., \\attacker.com\share\payload.cpl)
  • Trigger condition: Victim navigates to a folder containing the LNK — zero clicks needed
  • Credential exposure: NetNTLMv2 hash sent automatically via SMB
  • Affected component: shell32.dll — CControlPanelFolder::GetUIObjectOf

Recommendations

  1. Apply April 2026 patches addressing CVE-2026-32202 immediately.
  2. Block outbound SMB (port 445/139) at the perimeter and endpoint firewall.
  3. Disable NTLM where possible or enforce NTLM signing to mitigate relay attacks.
  4. Monitor for outbound UNC/SMB connections originating from Explorer processes.

Source:

  • https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
