Skip to main content
Emerging Threats

Microsoft Patch Fails to Quell Russian Spy Exploitation of Windows Flaw

Patch cable connected to network switch in dimly lit server room with Windows desktop in background.

"An attacker who successfully exploited the vulnerability could view some sensitive information," Redmond warned when it disclosed the CVE on April 14.

Microsoft's advisory, CISA action, and the remediation clock

Microsoft disclosed CVE-2026-32202 on April 14 and described it as an authentication coercion vulnerability in Windows Shell that can expose sensitive information via network spoofing. On Monday the company marked the bug as "exploitation detected." The following day the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog and set a May 12 deadline for federal agencies to apply fixes.

How the new flaw traces back to an incomplete February patch

Microsoft's recent work to close a different exploited hole appears to have left behind this new vector. Akamai senior security researcher Maor Dahan credited Microsoft’s February patch effort for blocking the original remote code execution (RCE) and SmartScreen bypass associated with CVE-2026-21510, but reported that the fix was incomplete. While testing the February patches, Dahan and his colleagues found CVE-2026-32202, which he says resulted from the incomplete remediation of CVE-2026-21510.

Technical mechanics: authentication coercion, Net-NTLMv2, and LNK files

Dahan described CVE-2026-32202 as an authentication coercion flaw in Windows Shell. According to his write-up, the bug can be abused to send a victim machine’s Net-NTLMv2 hash to an attacker's server. That authentication data, Dahan wrote, can allow a digital intruder to authenticate as the user, steal sensitive data, and snoop on the victim’s network. He explained: "While testing the patch, we noticed something interesting: The victim machine was still authenticating to the attacker's server." Dahan added that "This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files."

What Akamai, Ukraine CERT, and Microsoft recorded about the earlier attacks

Akamai reported that CVE-2026-21510 had been actively exploited in January. Citing Ukraine's Computer Emergency Response Team, Akamai said that the threat actor APT28 (also known as Fancy Bear) exploited CVE-2026-21510 in attacks against Ukraine and European Union countries. Those attacks began with a phishing email purporting to be from Ukraine's hydro-meteorological center and containing a weaponized LNK file to exploit CVE-2026-21513. By chaining CVE-2026-21513 with CVE-2026-21510, the operators bypassed Microsoft security features including Defender SmartScreen and achieved remote code execution on victims' computers. Microsoft fixed both CVE-2026-21510 and CVE-2026-21513 on February's Patch Tuesday.

What this means for security teams, federal agencies, and enterprises

  • Security teams and technologists: The vulnerability is zero-click and abuses automatic parsing of LNK files to coerce authentication. Teams will need to verify the February patches and apply any subsequent updates that address CVE-2026-32202 to prevent credential theft by network spoofing.
  • Federal agencies and policymakers: CISA has mandated remediation by May 12 through its Known Exploited Vulnerabilities catalog entry for CVE-2026-32202, creating a near-term compliance deadline.
  • Affected enterprises and incident responders: Akamai's findings about chained exploitation and the historical use of a phishing lure tied to Ukraine's hydro-meteorological center reinforce the role of layered mitigations and monitoring for anomalous authentication traffic such as outbound Net-NTLMv2 authentications to unexpected hosts.

The immediate facts are narrow but sharp: Microsoft disclosed CVE-2026-32202 on April 14, Akamai's Maor Dahan found it while testing February patches, and CISA has set a May 12 deadline for federal remediation. The Register reached out to Microsoft about the scope of exploitation, attribution, and what attackers are doing with illicit access and said it will update the story if Microsoft responds. For now, the disclosure underlines how a partial fix can leave a distinct, destructive capability — in this case, a zero-click credential-theft vector — still available to actors already observed exploiting related issues.

Original story