Microsoft has confirmed that CVE-2026-32202, a Windows Shell spoofing vulnerability patched on April 14, 2026, is being actively exploited in the wild, with threat intelligence linking attacks to the Russian state-sponsored group APT28 targeting government, military, and critical infrastructure organizations.
CVE-2026-32202 is a protection mechanism failure (CWE-693) in the Windows Shell component that allows an unauthenticated remote attacker to spoof network traffic.
Assigned a CVSS 3.1 base score of 4.3 (Medium/Important), the vulnerability has a Network attack vector, Low complexity, and no privilege requirements, making it accessible to a broad range of attackers without requiring an existing foothold on the target system.
Windows Shell Spoofing Flaw
Microsoft originally published the advisory on April 14, 2026, as part of its April 2026 Patch Tuesday, which addressed a record 167–168 vulnerabilities across the Windows ecosystem.
On April 27, 2026, Microsoft issued an update to correct the Exploitability Index, Exploited flag, and CVSS vector string, which had been inaccurate at the time of original publication, and confirmed that the vulnerability was under active exploitation.
Akamai researcher Maor Dahan, credited with discovering the flaw, revealed that CVE-2026-32202 effectively bypasses the February 2026 patch for CVE-2026-21510.
That earlier vulnerability (CVSS 8.8) was a protection mechanism failure in Windows Shell that allowed unauthorized attackers to bypass security features over a network.
Microsoft’s February fix attempted to mitigate CVE-2026-21510 by triggering a SmartScreen check of CPL file digital signatures and origin zones.
However, Akamai found the patch was incomplete: the victim machine would still authenticate to an attacker-controlled server and automatically fetch a CPL file by resolving a Universal Naming Convention (UNC) path, thereby initiating an SMB connection, all without requiring explicit user interaction in certain conditions.
This creates what researchers describe as a “zero-click” credential theft vector. During the SMB handshake, the victim system inadvertently transmits a hashed version of its credentials (Net-NTLMv2) to the attacker’s server. Those hashes can be weaponized in follow-on attacks, including NTLM relay attacks or offline password cracking.
Threat intelligence sources, including data aggregated by Feedly’s vulnerability intelligence platform, have identified APT28, also known as Fancy Bear and Forest Blizzard, as an active exploiter of CVE-2026-32202.
The vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating that U.S. federal agencies are required to apply mitigations under Binding Operational Directive 22-01.
Even though CVE-2026-32202 has a moderate CVSS score, its role in multi-stage attack chains, specifically as a credential harvesting stepping stone, dramatically elevates its real-world threat profile.
How the Attack Works
The exploitation chain for CVE-2026-32202 follows a targeted social engineering vector:
- An attacker crafts and delivers a malicious file (such as a CPL file) to the victim via email, phishing page, or file-sharing platform.
- The victim executes the file, triggering Windows Shell to resolve a UNC path and initiate an SMB connection to an attacker-controlled server.
- During the SMB authentication handshake, the victim’s system transmits a Net-NTLMv2 hash of the user’s credentials.
- The attacker captures the hash and uses it for relay attacks or offline brute-force cracking to achieve lateral movement or full domain compromise.
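From a defender's point of view, the observable in steps 2 and 3 is a workstation opening an SMB connection to an address outside the organization right after a file was opened. The following PowerShell is an added example, not part of the article: it flattens Sysmon Event ID 3 (NetworkConnect) records and keeps only host-initiated connections to TCP 445 whose destination is not an internal address. It assumes Sysmon is installed with network-connection logging enabled; the two events at the bottom are constructed samples so the pipeline runs without a live log.

```powershell
# Added example, not from the original article: flag outbound SMB (TCP 445) connections to
# non-internal destinations in Sysmon Event ID 3 (NetworkConnect) records.
# Assumes Sysmon is installed with network-connection logging enabled; the two events at the
# bottom are constructed samples so the pipeline can be exercised without a live log.

function Test-InternalIPv4 {
    # True for RFC 1918, loopback and link-local IPv4 addresses; false for anything else.
    param([Parameter(Mandatory)][string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $addr.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function ConvertFrom-SysmonNetworkEvent {
    # Flattens one Sysmon event (as XML text) into the fields the detection needs.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            TimeCreated     = $x.Event.System.TimeCreated.SystemTime
            Image           = $data['Image']
            User            = $data['User']
            Initiated       = $data['Initiated']
            DestinationIp   = $data['DestinationIp']
            DestinationPort = [int]$data['DestinationPort']
        }
    }
}

function Get-ExternalSmbConnection {
    # Keeps only connections this host initiated to TCP 445 on a non-internal address.
    param([Parameter(Mandatory, ValueFromPipeline)]$Connection)
    process {
        if ($Connection.Initiated -eq 'true' -and
            $Connection.DestinationPort -eq 445 -and
            -not (Test-InternalIPv4 -Ip $Connection.DestinationIp)) {
            $Connection
        }
    }
}

# Live use (elevated session, Sysmon present):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-SysmonNetworkEvent | Get-ExternalSmbConnection

# Constructed sample: explorer.exe connecting to a documentation-range address on 445 (flagged).
$externalSample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><TimeCreated SystemTime="2026-04-20T09:15:02.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="User">CORP\jdoe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">203.0.113.25</Data>
    <Data Name="DestinationPort">445</Data>
  </EventData>
</Event>
'@

# Constructed sample: the same user reaching an internal file server (ignored).
$internalSample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><TimeCreated SystemTime="2026-04-20T09:16:40.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\Windows\explorer.exe</Data>
    <Data Name="User">CORP\jdoe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">10.20.30.40</Data>
    <Data Name="DestinationPort">445</Data>
  </EventData>
</Event>
'@

@($externalSample, $internalSample) | ConvertFrom-SysmonNetworkEvent |
    Get-ExternalSmbConnection | Format-Table -AutoSize
```

On the constructed input only the 203.0.113.25 connection is returned. In a real deployment the same filter is better expressed as a SIEM query over the same Sysmon fields, and the internal-address list should be extended with any public ranges the organization legitimately reaches over SMB, since those would otherwise produce steady false positives.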
Affected Products and Available Patches
The vulnerability spans a wide range of Windows platforms. Microsoft released security updates on April 14, 2026, for all affected versions:
| Platform | KB Article | Build Number |
|---|---|---|
| Windows 11 26H1 (x64 / ARM64) | KB5083768 | 10.0.28000.1836 |
| Windows 11 25H2 / 24H2 | KB5083769 | 10.0.26200.8246 / 10.0.26100.8246 |
| Windows 11 23H2 | KB5082052 | 10.0.22631.6936 |
| Windows Server 2025 | KB5082063 | 10.0.26100.32690 |
| Windows Server 2022 | KB5082142 | 10.0.20348.5020 |
| Windows Server 2019 | KB5082123 | 10.0.17763.8644 |
| Windows Server 2016 | KB5082198 | 10.0.14393.9060 |
| Windows 10 (21H2 / 22H2) | KB5082200 | 10.0.19044.7184 / 10.0.19045.7184 |
| Windows Server 2012 / R2 | KB5082127 / KB5082126 | 6.2.9200 / 6.3.9600 |
Immediate Mitigation Steps
Organizations should prioritize the following actions without delay:
- Apply patches immediately: install the applicable KB updates listed above via Windows Update or WSUS on all affected endpoints and servers.
- Block outbound SMB (port 445) at the network perimeter to prevent UNC-path-triggered credential leakage to external attacker infrastructure.
- Enable NTLM relay protections, including Extended Protection for Authentication (EPA) and SMB signing, to reduce the impact of captured Net-NTLMv2 hashes.
- Monitor for anomalous SMB connections originating from endpoints, particularly those resolving unexpected UNC paths following file execution events.
- Deploy phishing-resistant MFA across all user accounts to limit attacker leverage even if credential hashes are captured.
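The host-side parts of the list above, as an added PowerShell example that is not from the article or from Microsoft: it checks whether one of the KBs in the patch table is installed, adds an outbound firewall rule that drops SMB to destinations Windows classifies as Internet (a complement to the perimeter block, not a replacement), and requires SMB signing on both the client and server roles. It assumes an elevated session on a Windows build that ships the NetSecurity and SmbShare modules (Windows 8.1 / Server 2012 R2 and later); the KB numbers are copied from the table.

```powershell
# Added example, not from the article or Microsoft: host-side implementation of the mitigation list.
# Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later (needs the NetSecurity and
# SmbShare modules that ship with Windows). KB numbers are the ones in the article's patch table.

$PatchKbs = @('KB5083768', 'KB5083769', 'KB5082052', 'KB5082063', 'KB5082142',
              'KB5082123', 'KB5082198', 'KB5082200', 'KB5082127', 'KB5082126')

function Get-PatchStatus {
    # Reports the running build/UBR and whether one of the April 2026 KBs from the table is installed.
    param([string[]]$KbList = $PatchKbs)
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $matching = Get-HotFix | Where-Object { $KbList -contains $_.HotFixID } |
                Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        BuildAndUbr = "$($ver.CurrentBuildNumber).$($ver.UBR)"
        MatchingKbs = @($matching)
        Patched     = [bool]$matching
    }
}

function Block-ExternalSmbEgress {
    # Host-based complement to the perimeter block: drop outbound TCP 445 to destinations that
    # Windows classifies as 'Internet' (outside the local subnet/intranet). Idempotent by rule name.
    $name = 'Block outbound SMB to Internet (CVE-2026-32202 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Direction, Action
}

function Enable-SmbSigning {
    # Requiring signatures on both SMB roles makes a relayed session fail its integrity check.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    [pscustomobject]@{
        ClientRequiresSigning = (Get-SmbClientConfiguration).RequireSecuritySignature
        ServerRequiresSigning = (Get-SmbServerConfiguration).RequireSecuritySignature
    }
}

Get-PatchStatus | Format-List
Block-ExternalSmbEgress
Enable-SmbSigning
```

Two caveats for operators: the `Internet` address keyword is resolved from the machine's network location awareness, so the rule is a defence-in-depth measure and the perimeter block on 445 remains the primary control; and requiring client-side signing will break access to any legacy file server that cannot sign, so inventory those first. Extended Protection for Authentication is configured per service (for example in IIS or LDAP) and is therefore not covered by this script.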
FAQ
Q1: Is CVE-2026-32202 being actively exploited?
Yes, Microsoft confirmed active in-the-wild exploitation on April 27, 2026, and CISA added it to the Known Exploited Vulnerabilities catalog.
Q2: Does CVE-2026-32202 allow remote code execution?
No, it enables spoofing and credential theft (Net-NTLMv2 hash), not direct code execution, though captured credentials can enable deeper compromise.
Q3: What user interaction does CVE-2026-32202 require?
An attacker must send the victim a malicious file, which the victim executes; however, credential leakage via SMB can occur with minimal user awareness once triggered.
Q4: Which threat actor is exploiting CVE-2026-32202?
APT28 (Fancy Bear / Forest Blizzard), a Russian state-sponsored group, has been identified as actively exploiting this vulnerability in espionage campaigns.
Site: https://thecybrdef.com