Akamai researchers discovered that Microsoft’s initial patch for CVE-2026-21510, a vulnerability exploited by the threat actor APT28 (Fancy Bear), was incomplete. While the fix addressed Remote Code Execution (RCE), it left a zero-click authentication coercion vulnerability, now tracked as CVE-2026-32202.
Severity: High
Threat Actor
APT28 (aka Fancy Bear) is a Russian state-sponsored threat actor. The initial campaign targeted Ukraine and several EU countries in December 2025.
Vulnerability Chain
| CVE ID | Type | Status |
|---|---|---|
| CVE-2026-21513 | LNK-based initial execution | Patched (Feb 2026 Patch Tuesday) |
| CVE-2026-21510 | SmartScreen bypass + RCE via CPL/UNC | Patched (Feb 2026 Patch Tuesday) |
| CVE-2026-32202 | Zero-click NTLM authentication coercion | Newly disclosed (Apr 23, 2026) |
Attack Mechanism
Original Exploit (CVE-2026-21510):
- A weaponized .LNK file contains a malicious LinkTargetIDList structure.
- APT28 abuses Windows shell namespace parsing to embed a UNC path inside a _IDCONTROLW structure, disguised as a Control Panel (CPL) object.
- Windows loads the remote DLL without SmartScreen or Mark-of-the-Web (MotW) validation.
Residual Vulnerability (CVE-2026-32202 — the incomplete patch):
- Microsoft’s fix added a new COM object (ControlPanelLinkSite) that gates SmartScreen verification via ShellExecuteExW, but this fires too late in the execution chain.
- Earlier in the chain, CControlPanelFolder::GetUIObjectOf calls PathFileExistsW inside GetModuleMapped to resolve the UNC path for icon extraction.
- This triggers an SMB connection to the attacker’s server the moment Explorer renders the folder — no user click required.
- The SMB handshake leaks the victim’s NetNTLMv2 hash, enabling NTLM relay attacks and offline password cracking.
Key Technical Indicators
- Attack vector: Malicious .LNK file with embedded UNC path (e.g., \\attacker.com\share\payload.cpl)
- Trigger condition: Victim navigates to a folder containing the LNK — zero clicks needed
- Credential exposure: NetNTLMv2 hash sent automatically via SMB
- Affected component: shell32.dll — CControlPanelFolder::GetUIObjectOf
Recommendations
- Apply April 2026 patches addressing CVE-2026-32202 immediately.
- Block outbound SMB (port 445/139) at the perimeter and endpoint firewall.
- Disable NTLM where possible or enforce NTLM signing to mitigate relay attacks.
- Monitor for outbound UNC/SMB connections originating from Explorer processes.
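The fourth recommendation (monitor for outbound UNC/SMB connections from Explorer) follows directly from the mechanism above: the coercion shows up as explorer.exe opening a TCP connection to port 445 or 139 the moment a folder is rendered. The following is an added detection example, not code from the advisory or from Akamai, that runs that check over constructed Sysmon-style Event ID 3 (network connection) lines. The key=value log layout, the 203.0.113.0/24 destination (RFC 5737 documentation space) and the APPROVED_FILE_SERVERS allowlist are assumptions for the example; in a real deployment the events would come from your SIEM and the allowlist from your inventory of file servers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events in a flattened Sysmon Event ID 3 style.
# These are not real telemetry; 203.0.113.0/24 is documentation space (RFC 5737).
SAMPLE_LOG = r"""
EventID=3 Image=C:\Windows\explorer.exe User=CORP\alice DestinationIp=203.0.113.10 DestinationPort=445 Protocol=tcp
EventID=3 Image=C:\Windows\explorer.exe User=CORP\alice DestinationIp=10.0.0.5 DestinationPort=445 Protocol=tcp
EventID=3 Image=C:\Windows\explorer.exe User=CORP\bob DestinationIp=10.0.8.77 DestinationPort=139 Protocol=tcp
EventID=3 Image=C:\Apps\browser.exe User=CORP\bob DestinationIp=203.0.113.10 DestinationPort=443 Protocol=tcp
EventID=3 Image=C:\Windows\explorer.exe User=CORP\carol DestinationIp=203.0.113.10 DestinationPort=80 Protocol=tcp
"""

SMB_PORTS = {445, 139}

# Hypothetical allowlist of approved internal file servers (assumption for the example).
APPROVED_FILE_SERVERS = {ipaddress.ip_address("10.0.0.5")}

# RFC 1918 ranges plus loopback; anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    severity: str
    user: str
    destination: str
    port: int
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict (values contain no spaces in this format)."""
    return dict(KV_RE.findall(line))


def is_internal(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def classify(event: Dict[str, str]) -> Optional[Alert]:
    """Flag explorer.exe-initiated SMB connections; the trigger in CVE-2026-32202 is icon
    extraction by the shell, so the connecting image is Explorer itself, not a user app."""
    image = event.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() != "explorer.exe":
        return None
    try:
        port = int(event.get("DestinationPort", "0"))
        dest = ipaddress.ip_address(event.get("DestinationIp", ""))
    except ValueError:
        return None
    if port not in SMB_PORTS:
        return None
    if dest in APPROVED_FILE_SERVERS:
        return None  # expected traffic to a known file server
    user = event.get("User", "?")
    if is_internal(dest):
        # Not the external coercion described in the advisory, but an unexpected
        # internal SMB target from Explorer is still worth review (possible relay target).
        return Alert("medium", user, str(dest), port,
                     "Explorer SMB to non-allowlisted internal host")
    return Alert("high", user, str(dest), port,
                 "Explorer SMB to external host: zero-click NTLM coercion indicator")


def scan(log_text: str) -> List[Alert]:
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = classify(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.user} -> {a.destination}:{a.port} ({a.reason})")
```

Run against the constructed sample, the scan raises one high-severity alert (Explorer to an external host on 445) and one medium-severity alert (Explorer to an unlisted internal host on 139); the browser connection and the Explorer connection on port 80 are ignored. The external case is the one the perimeter SMB block in the recommendations above would also stop, so a high-severity hit after that block is in place points at a gap in the firewall policy as well as at a potentially malicious LNK.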
Sources:
- https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513