★ 7/10 · Security · 2026-04-28

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Microsoft has confirmed the active exploitation of CVE-2026-32202, a high-severity spoofing vulnerability within the Windows Shell. The flaw allows unauthorized attackers to access sensitive information by leveraging an...

Captured 2026-04-28 05:50

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Summary

Microsoft has confirmed the active exploitation of CVE-2026-32202, a high-severity spoofing vulnerability within the Windows Shell. The flaw allows unauthorized attackers to access sensitive information by leveraging an incomplete patch from a previous security update.

Key Points

  • CVE Identifier: CVE-2026-32202 (CVSS score: 4.3).
  • Vulnerability Type: Protection mechanism failure leading to an authentication coercion flaw.
  • Exploit Chain: The vulnerability functions alongside CVE-2026-21510 (CVSS 8.8) and CVE-2026-21513 (CVSS 8.8).
  • Attack Vector: Execution of malicious Windows Shortcut (LNK) files containing Universal Naming Convention (UNC) paths.
  • Primary Risk: Theft of Net-NTLMv2 hashes via automated NTLM authentication handshakes.
  • Patch Status: Resolved in the April 2026 Patch Tuesday update.

Technical Details

The vulnerability arises from a gap in the Windows Shell namespace parsing mechanism during path resolution. While the February 2026 patch for CVE-2026-21510 mitigated remote code execution (RCE) by implementing SmartScreen checks for Control Panel (CPL) objects, it did not prevent the system from resolving remote paths. When a victim executes a malicious LNK file pointing to a UNC path (e.g., \\attacker.com\share\payload.cpl), the Windows Shell automatically initiates an SMB connection to the attacker-controlled server to resolve the path.

This automated SMB connection triggers an NTLM authentication handshake, during which the victim's machine transmits its Net-NTLMv2 hash to the remote server. This captured hash can be utilized by attackers for offline brute-force cracking or NTLM relay attacks. The flaw is characterized by a failure in network zone validation, where the system initiates the authentication process before verifying the trust level of the remote resource.

Impact / Why It Matters

Systems are vulnerable to credential theft and NTLM relay attacks if they remain unpatched against this authentication coercion flaw. Administrators must ensure the April 2026 security updates are applied to prevent attackers from harvesting Net-NTLMv2 hashes via malicious file execution.

security windows vulnerability

↳ Sources