Microsoft fixed a security flaw in February. Attackers found a way around it. Now the company has admitted the incomplete patch left a different vulnerability open and that vulnerability is being exploited right now.
On April 27, 2026, Microsoft revised its advisory for CVE-2026-32202, a Windows Shell spoofing vulnerability. The company acknowledged that the Windows Shell spoofing vulnerability exploited in the wild carries a CVSS score of 4.3. It was originally patched as part of the April 2026 Patch Tuesday update.
But the story is more complicated than a simple bug fix. The vulnerability exists because Microsoft's February 2026 patch for a related flaw CVE-2026-21510 was incomplete.
What Is CVE-2026-32202?
The Windows Shell spoofing vulnerability exploited by attackers is officially described as a protection mechanism failure. An unauthorized attacker can perform spoofing over a network by sending a malicious file to a victim. The victim must execute the file for the attack to work.
Once exploited, an attacker could view some sensitive information. However, Microsoft notes that the attacker cannot make changes to disclosed information or limit access to the resource.
That sounds limited. But the real danger lies in what the Windows Shell spoofing vulnerability exploited actually steals: NTLM hashes.
The Incomplete Patch Story
To understand CVE-2026-32202, you need to understand what came before.
In February 2026, Microsoft patched CVE-2026-21510, a protection mechanism failure in Windows Shell with a CVSS score of 8.8. That vulnerability allowed an attacker to bypass a security feature over a network. Russian state-sponsored group APT28 (also known as Fancy Bear, Forest Blizzard, and GruesomeLarch) was actively exploiting it alongside another vulnerability, CVE-2026-21513 in the MSHTML Framework.
The February campaign targeted Ukraine and European Union nations in December 2025. Attackers used a malicious Windows Shortcut (LNK) file to exploit both vulnerabilities. The LNK file bypassed Microsoft Defender SmartScreen and enabled attacker-controlled code to execute.
Akamai security researcher Maor Dahan, who discovered and reported both CVE-2026-21510 and CVE-2026-32202, explained how the attack worked. APT28 leveraged the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path. The DLL loaded as part of Control Panel (CPL) objects without proper network zone validation.
Microsoft's February patch stopped the remote code execution risk. It triggered a SmartScreen check of the CPL file's digital signature and origin zone. Problem solved? Not quite.
The Remaining Flaw: Zero-Click Credential Theft
The Windows Shell spoofing vulnerability exploited today (CVE-2026-32202) is what remained after Microsoft's February patch.
Here is what still happened after the patch: When Windows resolved a UNC path like \\attacker.com\share\payload.cpl, it initiated an SMB connection to the attacker's server. That SMB connection triggered an automatic NTLM authentication handshake. The victim's Net-NTLMv2 hash was sent to the attacker.
No user interaction required. The Windows Shell spoofing vulnerability exploited by APT28 allows zero-click credential theft.
Dahan described it clearly: "While Microsoft fixed the initial RCE (CVE-2026-21510), an authentication coercion flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files."
An attacker who captures a victim's Net-NTLMv2 hash can then use it for NTLM relay attacks or offline cracking. If the hash is cracked, the attacker gains the victim's plaintext password.
Microsoft's Revised Advisory
On April 14, 2026, Microsoft initially published its Patch Tuesday update addressing CVE-2026-32202. The company incorrectly marked the exploitability index, exploited flag, and CVSS vector.
On April 27, Microsoft rectified those errors. The company now officially acknowledges that the Windows Shell spoofing vulnerability exploited in the wild is under active attack.
Microsoft did not share specific details about the exploitation activity. However, Akamai's research clearly attributes the attacks to APT28, the same Russian state-sponsored group behind the original February campaign.
Who Is Affected?
The Windows Shell spoofing vulnerability exploited by APT28 affects Windows systems that process UNC paths from untrusted sources. The attack works through malicious LNK files delivered via email, downloads, or removable drives.
The vulnerability requires the victim to execute the malicious file. However, the credential theft itself is zero-click once the file is opened or even previewed in some configurations. Windows initiates the SMB connection automatically when resolving the UNC path.
Organizations in Ukraine and European Union nations were targeted in December 2025. But the Windows Shell spoofing vulnerability exploited by APT28 could affect any Windows user who opens a malicious LNK file.
How APT28 Used the Flaw
The attack chain is disturbingly simple.
Step 1: The Victim opens a fake windows shortcut (LNK) which looks real like a normal document or installer.
Step 2: When the victim opens the LNK file, Windows resolves the UNC path inside it. The path points to an attacker-controlled server: \\attacker.com\share\payload.cpl.
Step 3: Windows automatically connects over SMB (server message block) with the attackers resources because of the windows shell spoofing vulnerability due to a vulnerability that has been exploited by APT28 without any checks against security or warnings to the user.
Step 4: The handshake that takes place during the connection between the victim's system and the attacker's resources contains the NetNTLMv2 hash from the victim's account, which the attacker captures.
Step 5: The attacker may crack the captured hash offline or may perform an NTLM relay attack to authenticate to network resources as being from the victim.
The windows shell spoofing vulnerability exploited by APT28 does not require the victims to enter credentials or be warned about the security of the connection. The hash is sent automatically upon the successful connection.
How to Protect Yourself
Even though Microsoft patched CVE-2026-32202 in April 2026, not all systems have applied the update.
Here is what you need to do.
1. Apply the April 2026 Patch Tuesday update immediately. This is the only complete fix for the Windows Shell spoofing vulnerability exploited by APT28. If your systems are not patched, they remain vulnerable.
2. Block SMB outbound to the internet. The attack relies on Windows initiating SMB connections to attacker-controlled servers. Blocking outbound SMB (ports 139 and 445) at your network perimeter stops the NTLM hash from leaving your environment.
3. Disable NTLM where possible. The Windows Shell spoofing vulnerability exploited by APT28 captures NTLM hashes because Windows falls back to NTLM authentication. If you can use Kerberos only, do so.
4. Audit LNK file usage. Monitor for LNK files with UNC paths pointing to external servers. These are highly suspicious.
5. Use modern security tools. The Windows Shell spoofing vulnerability exploited by APT28 bypassed older SmartScreen protections. Ensure your endpoint detection and response (EDR) tools are up to date.
Final Thoughts
The Windows Shell spoofing vulnerability exploited by APT28 is a textbook example of how incomplete patches create new vulnerabilities.
Microsoft fixed the remote code execution path in February. But the company did not close the authentication coercion path. That gap remained open for months and attackers found it.
The Windows Shell spoofing vulnerability exploited today is not a complex exploit. It does not require memory corruption or sophisticated shellcode. It simply abuses how Windows has always handled UNC paths. The fix was simple: validate the origin before initiating authentication. But that fix took an additional Patch Tuesday cycle.
For defenders, the lesson is clear: apply patches promptly. But also assume that every patch might be incomplete. Monitor for unusual SMB connections. And treat every LNK file from an untrusted source as a potential weapon.
APT28 certainly does.
FAQ Section
Q1: Is it possible for APT28 to exploit the Windows shell by spoof (using a zero-click attack) ?
Ans Yes and No. The victim has to first open or execute the 'bad' LNK file. After the victim opens the file, the NTLM hash captures automatically occur (without any additional user interaction). According to Microsoft, and for purposes of defining zero-click credential theft vectors, the exploit is considered 'zero-click' (credential theft vector) once the victim opens the file.
Q2: How do I find out if I was the victim of CVE-2026-32202?
List of outbound SMB (ports 139 or 445) connections in your network logs that go to non-usual external IP addresses; and look for any LNK files that have a UNC reference to a non-corporate domain; these are evidence of the existence of the Windows shell spoof vulnerability exploited by APT28.
Q3: Is the fix for CVE-2026-32202 addressed in the April 2026 patches fully effective?
Yes. The April 2026 Patch Tuesday update from Microsoft closes the authentication coercion flaw. All areas which contain the vulnerability must be patched. Vulnerabilities will continue to exist for all areas that are not patched, because there is still no available patch from Microsoft to close the Windows shell spoof vulnerability.
Q4: What were the reasons for the incorrect exploitability classification originally?
On April 27, 2026, Microsoft updated its advisory with the correct exploitability index, exploited flag and CVSS vector. Microsoft has not provided a public explanation for the original error; however, they now acknowledge that there are ongoing exploits using the Windows Shell spoofing exploit.
Q5: Is it possible to exploit this exploit using the email previewer?
In certain instances, viewing an email with a malicious LNK file or accessing a network share where it is located may activate the UNC Path Resolver on the system. As a implementation of defense in depth, Microsoft suggests blocking all outbound SMB to the internet regardless of whether the respective patch was applied.