Microsoft's patch for a 0-day exploited by Russian spies fell short. Another Windows flaw is under attack

Summary

A new zero-click Windows Shell vulnerability, tracked as CVE-2026-32202, is currently being exploited in the wild. The flaw is the result of an incomplete patch for CVE-2026-21510 and allows attackers to coerce authentication to expose sensitive information.

Key Points

• CVE-2026-32202 is an authentication coercion flaw within the Windows Shell.
• The vulnerability is a zero-click exploit that can be triggered via auto-parsed LNK files.
• The flaw originated from an incomplete fix for CVE-2002-21510, which was addressed in the February Patch Tuesday update.
• Successful exploitation allows attackers to capture Net-NTLMv2 hashes via network spoofing.
• CISA has added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog, with a remediation deadline of May 12.

Technical Details

The vulnerability stems from a gap between path resolution and trust verification within the Windows Shell. While the February patch for CVE-2026-21510 successfully mitigated remote code execution (RCE) and SmartScreen bypasses, it failed to prevent the victim machine from automatically authenticating to an attacker-controlled server.

An attacker can leverage auto-parsed LNK files to trigger this authentication coercion. By using network spoofing techniques, the attacker forces the victim's machine to attempt authentication against a malicious server, effectively leaking the user's Net-NTLMv2 hash. This captured authentication data can then be used to impersonate the user, access sensitive information, and facilitate lateral movement within the network.

Impact / Why It Matters

This vulnerability enables zero-click credential theft and unauthorized network access, posing a high risk to environments where Net-NTLMv2 hashes can be intercepted. System administrators and developers must ensure all Windows systems are updated to address the authentication coercion vector.