"Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network," Microsoft said in an alert, a statement the company updated on April 27 to acknowledge active exploitation.
Microsoft revises advisory on CVE-2026-32202
Microsoft has revised its advisory for CVE-2026-32202, a high-severity Windows Shell spoofing vulnerability (CVSS 4.3) that the company says has been "actively exploited in the wild." The bug was patched as part of Microsoft's Patch Tuesday update for April 2026. In its alert, Microsoft described the flaw succinctly: "An attacker would have to send the victim a malicious file that the victim would have to execute." The company also said it corrected the "Exploitability Index, Exploited flag, and CVSS vector" after the values published on April 14 were incorrect.
Akamai researcher Maor Dahan traces the issue to an incomplete February fix
Akamai security researcher Maor Dahan, credited with discovering and reporting the bug, said the now-exploited vulnerability stems from an incomplete patch for CVE-2026-21510. Dahan linked CVE-2026-32202 to the earlier February 2026 fixes and the longer exploit chain used by a Russian nation-state group tracked as APT28 (aka Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm).
- CVE-2026-21510 (CVSS 8.8) — "A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network." Fixed by Microsoft in February 2026.
- CVE-2026-21513 (CVSS 8.8) — "A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network." Also fixed by Microsoft in February 2026.
Akamai noted that it flagged abuse of CVE-2026-21513 in early March, after it unearthed a malicious artifact in January 2026. According to Akamai, the campaign that leveraged the chain targeted Ukraine and E.U. nations in December 2025.
The attack technique: malicious LNK files, UNC paths, SMB and Net-NTLMv2
Akamai's analysis lays out a specific technical path from a malicious Windows Shortcut (LNK) to credential theft. The December campaign used LNK files "to exploit the two vulnerabilities, effectively bypassing Microsoft Defender SmartScreen and enabling attacker-controlled code to be executed," Akamai reported. Dahan described the mechanism in technical terms: "APT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation."
Akamai said the February 2026 patch reduced the remote code execution risk by triggering a SmartScreen check of the CPL file's digital signature and origin zone, but it did not stop the victim machine from authenticating to an attacker's server when a UNC path was resolved. As Dahan put it: "When that path is a UNC path (like '\\attacker.com\share\payload.cpl'), Windows initiates an SMB connection to the attacker's server. This server message block (SMB) connection triggers an automatic NTLM authentication handshake, sending the victim's Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking."
In Akamai's framing, the February fix closed the initial remote code execution vector (CVE-2026-21510) but left an "authentication coercion flaw (CVE-2026-32202)" that allowed credential theft through auto-parsed LNK files.
What this means for technologists, enterprise procurement leaders, and end users
- Technologists and security teams: will need to account for an authentication-coercion vector tied to UNC path resolution and SMB authentication, and to correlate indicators such as unexpected SMB connections following LNK parsing and attempts to access CPL payloads from remote UNC shares.
- Affected enterprises and procurement leaders: will weigh the implications of automatic NTLM handshakes to remote SMB hosts and the downstream risks of Net-NTLMv2 hashes being captured for relay or offline cracking, particularly in environments with exposed SMB access or legacy authentication enabled.
- End users and desktop operators: should be aware that the chain observed used a malicious Windows Shortcut (LNK) that could bypass SmartScreen checks under certain conditions, and that Microsoft labeled the vector as requiring a malicious file delivered to and executed by the victim.
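As an added example (not code from Microsoft, Akamai, or the original article), the following detection logic checks for the two behaviours described above, a Control Panel (CPL) module loaded by the shell from a UNC path and an outbound SMB connection to a non-internal host shortly after a shortcut file is written, over constructed Sysmon-like events. It assumes the shell process is explorer.exe, that internal address space is RFC 1918, and the simplified event fields shown.

```python
import ipaddress
from datetime import datetime

# Internal address space (assumed RFC 1918 here; adjust to the organisation's ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events in a simplified Sysmon-like shape (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-04-20T09:00:01", "event": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\invoice.lnk"},
    {"ts": "2026-04-20T09:00:03", "event": "NetworkConnect", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "203.0.113.10", "dst_port": 445},
    {"ts": "2026-04-20T09:00:04", "event": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"\\203.0.113.10\share\payload.cpl"},
    {"ts": "2026-04-20T09:05:00", "event": "NetworkConnect", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},          # internal file server: expected, not flagged
    {"ts": "2026-04-20T09:10:00", "event": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\timedate.cpl"},  # local CPL: not flagged
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def is_shell(image):
    # Assumption: the Windows Shell namespace parser runs inside explorer.exe.
    return image.lower().endswith("\\explorer.exe")

def ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_lnk_smb_coercion(events, window_s=30):
    """Return alerts for the shell loading a CPL from a UNC path, and for the shell
    opening SMB (445) to a non-internal host; the latter is annotated with whether
    a .lnk file was written within window_s seconds beforehand."""
    lnk_writes = [ts(e) for e in events
                  if e["event"] == "FileCreate" and e["target"].lower().endswith(".lnk")]
    alerts = []
    for e in events:
        if not is_shell(e["image"]):
            continue
        if e["event"] == "ImageLoad":
            path = e["loaded"].lower()
            if path.startswith("\\\\") and path.endswith(".cpl"):
                alerts.append({"rule": "cpl_from_unc", "ts": e["ts"], "detail": e["loaded"]})
        elif e["event"] == "NetworkConnect" and e["dst_port"] == 445 and not is_internal(e["dst_ip"]):
            t = ts(e)
            after_lnk = any(0 <= (t - w).total_seconds() <= window_s for w in lnk_writes)
            alerts.append({"rule": "smb_to_external", "ts": e["ts"],
                           "detail": e["dst_ip"], "after_lnk_write": after_lnk})
    return alerts

if __name__ == "__main__":
    for alert in detect_lnk_smb_coercion(SAMPLE_EVENTS):
        print(alert)
```

The SMB rule only fires for hosts outside the configured internal ranges, so it complements rather than replaces blocking outbound port 445 at the perimeter.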
Microsoft did not provide operational details of the exploitation activity in its advisory. Akamai's public explanation fills technical gaps by linking the observed campaign to APT28 and by describing how incomplete trust verification during path resolution allowed a zero-click credential-theft vector to remain after the February fixes.
The record as presented leaves a compact, consequential arc: a February patch mitigated a high-severity remote code execution, an authentication coercion gap persisted and was later tracked by Microsoft as an actively exploited flaw (CVE-2026-32202), and security researchers tied the behavior to a known advanced actor using LNK-to-UNC-to-SMB techniques. Whether Microsoft will publish additional details about the exploitation activity, and whether defenders will see indicators tied to specific attacker infrastructure, are concrete next steps the public record does not yet show.
https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html