Windows Shell bug CVE-2026-32202 used to steal NTLM hashes
Microsoft confirmed active exploitation of the patched Windows Shell flaw CVE-2026-32202, which let malicious LNK files trigger an automatic SMB connection and expose Net-NTLMv2 hashes.
Microsoft on April 27, 2026 revised an advisory for a Windows Shell flaw tracked as CVE-2026-32202 to acknowledge active exploitation in the wild. The vulnerability, assigned a CVSS score of 4.3, was included in the April Patch Tuesday updates and described as a protection mechanism failure that could allow spoofing over a network. Microsoft said an attacker would need to send a malicious file that a victim executes and that the flaw could allow viewing some sensitive information without permitting changes or affecting availability.
Akamai security researcher Maor Dahan, credited with reporting the issue, linked the active abuse to an incomplete February 2026 patch for an earlier Windows Shell bug, CVE-2026-21510. According to Dahan, attackers used a malicious Windows Shortcut (LNK) file pointing to a UNC path such as \\attacker.com\share\payload.cpl. When Windows resolves that UNC path, it initiates an SMB connection and performs an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the remote server.
Dahan reported that the captured Net-NTLMv2 hashes can be used for NTLM relay attacks or for offline cracking. He said the campaign combined the incomplete CVE-2026-21510 fix with a related MSHTML flaw, CVE-2026-21513, and targeted systems in Ukraine and multiple European Union countries in December 2025. Both CVE-2026-21510 and CVE-2026-21513 were assigned CVSS scores of 8.8 and were patched by Microsoft in February 2026.
Akamai noted the February patch reduced the remote code execution risk by enforcing a SmartScreen check of CPL files’ digital signatures and origin zones, but it did not stop Windows from resolving UNC paths and initiating SMB authentication. Dahan described the remaining issue as an authentication coercion flaw that left a zero-click vector for credential theft via automatically parsed LNK files.
Microsoft’s advisory corrected the Exploitability Index, exploited flag and CVSS vector on April 27 after an earlier posting on April 14 contained errors. The company did not provide details about specific targets or sectors affected by the acknowledged exploitation. In its advisory Microsoft wrote, “Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network,” and clarified that disclosed information could be limited in scope.
Microsoft released updates in April that address CVE-2026-32202. Organizations are urged to apply those updates and to review network authentication and SMB exposure settings to reduce the risk of automatic NTLM authentication to untrusted servers.
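To see the LNK-to-UNC mechanism described above from the triage side, here is an added Python example (not code from the article, Microsoft or Akamai) that parses a Shell Link file's LinkInfo and StringData sections and lists every host named by a \\host\share path, so shortcuts that would make Windows reach out to a share outside the organisation can be flagged before anyone opens them. The sample .lnk is constructed inside the block; attacker.example and icons.example are placeholder hostnames.

```python
import re
import struct

# [MS-SHLLINK] layout: 76-byte header, optional IDList, optional LinkInfo, then StringData
LNK_HEADER_SIZE, LNK_CLSID = 0x4C, bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

def _cstr(buf, off):  # NUL-terminated single-byte string starting at off
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")

def extract_lnk_paths(data):
    """Return every path string held in the LinkInfo and StringData sections of a .lnk."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, paths = LNK_HEADER_SIZE, []
    if flags & HAS_ID_LIST:  # skip the IDList; its 2-byte size prefix excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        size, _hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath
            paths.append(_cstr(data, li + local_off))
        if li_flags & 0x2:  # CommonNetworkRelativeLinkAndPathSuffix: NetName sits inside the CNRL block
            net_off = struct.unpack_from("<I", data, li + cnrl_off + 8)[0]
            paths.append(_cstr(data, li + cnrl_off + net_off) + "\\" + _cstr(data, li + suffix_off))
        pos += size
    for bit in STRING_DATA_FLAGS:  # fixed order; each is CountCharacters (2 bytes) + unterminated chars
        if flags & bit:
            count, width = struct.unpack_from("<H", data, pos)[0], 2 if flags & IS_UNICODE else 1
            paths.append(data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252", "replace"))
            pos += 2 + count * width
    return paths

def unc_hosts(data):
    """Hosts named by any \\\\host\\share reference in the shortcut, lower-cased and de-duplicated."""
    return sorted({m.group(1).lower() for p in extract_lnk_paths(data) if (m := UNC_RE.match(p))})

def build_sample_lnk(net_name, suffix, icon):
    """Constructed sample (not a captured file): LinkInfo targets a share, icon path is a separate string."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO | 0x40 | IS_UNICODE).ljust(LNK_HEADER_SIZE, b"\x00")
    net, suf = net_name.encode() + b"\x00", suffix.encode() + b"\x00"
    cnrl = struct.pack("<5I", 20 + len(net), 0, 20, 0, 0) + net  # size, flags, NetNameOffset, DeviceNameOffset, provider
    link_info = struct.pack("<7I", 0x1C + len(cnrl) + len(suf), 0x1C, 0x2, 0, 0, 0x1C, 0x1C + len(cnrl)) + cnrl + suf
    return header + link_info + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")

if __name__ == "__main__":
    print(unc_hosts(build_sample_lnk(r"\\attacker.example\share", "payload.cpl", r"\\icons.example\pub\x.ico")))  # ['attacker.example', 'icons.example']
```

Any host in the output that is not one of your own file servers is worth a closer look; the parser reads the file as bytes and never resolves the path, so running it does not trigger the SMB connection the article describes.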