APT28 Exploits Windows 0-Click Flaw CVE-2026-32202 to Steal NTLM Hashes via Defender SmartScreen Bypass

dark6 29 April 2026

A critical zero-click authentication coercion vulnerability, tracked as CVE-2026-32202, has been confirmed as actively exploited in the wild. The flaw stems from an incomplete patch for a Windows Shell security feature bypass and has been weaponized by the Russian state-sponsored threat actor APT28 (also known as Fancy Bear, Forest Blizzard, and Pawn Storm) in targeted attacks against Ukraine and several European Union countries.

Microsoft confirmed the active exploitation and released a fix as part of its April 2026 Patch Tuesday update. Security researchers and defenders are urged to apply the patch immediately, as unpatched systems face a high risk of credential theft and lateral movement without any user interaction.

How the Attack Works

The attack chain was first observed by CERT-UA in December 2025 and later analyzed in detail by Akamai researchers in January 2026. The infection vector chains two vulnerabilities: CVE-2026-21513 (an MSHTML exploit) and CVE-2026-21510 (a Windows Shell SmartScreen bypass).

The attack’s primary mechanism abuses the Windows Shell namespace parsing pipeline. APT28 embedded a malicious LinkTargetIDList structure inside a specially crafted LNK file — a binary IDList that Windows Explorer processes automatically when a user navigates to a compromised folder. The IDList contained three key components:

  • A CLSID representing the Control Panel COM object
  • A second entry for “all control panel items”
  • A third _IDCONTROLW structure embedding a UNC path pointing to an attacker-controlled server

This caused Windows to load a DLL from the attacker-controlled server, treated as a Control Panel (CPL) component, without triggering SmartScreen or Mark of the Web (MotW) verification. The technique allowed arbitrary code execution with no user interaction beyond simply opening the compromised folder.

Why the February Patch Was Insufficient

Microsoft addressed CVE-2026-21510 during its February 2026 Patch Tuesday, introducing a new COM object called ControlPanelLinkSite that bridges the CPL launch path with ShellExecute’s trust verification. However, Akamai researchers discovered a critical gap: the trust verification introduced by Microsoft fires during the ShellExecuteExW call at the very end of the CPL launch chain.

A far earlier trigger exists in CControlPanelFolder::GetUIObjectOf, which resolves UNC paths before the trust check can fire. When the UNC path resolves (e.g., \\attacker.com\share\payload.cpl), Windows automatically triggers an NTLM authentication handshake, transmitting the victim’s Net-NTLMv2 hash to the attacker’s server. This credential can subsequently be used for NTLM relay attacks or offline password cracking, all without any user interaction beyond navigating to the compromised folder.

Scope of the Campaign

CERT-UA linked the campaign to APT28, attributing the intrusions to targeted attacks against government and military entities in Ukraine and the EU. The attackers demonstrated a sophisticated understanding of Microsoft’s patch diffing process, exploiting the gap between path resolution and trust verification before researchers publicly disclosed it. The secondary exploitation path was assigned its own CVE — CVE-2026-32202 — and was included in Microsoft’s April 2026 Patch Tuesday release.

Mitigation Steps

Given that Microsoft has flagged CVE-2026-32202 as actively exploited in the wild, defenders should treat unpatched systems as high-priority exposure. Recommended actions include:

  • Apply the April 2026 Patch Tuesday update immediately across all Windows endpoints and servers
  • Monitor network traffic for outbound NTLM authentication to external or unexpected hosts
  • Block outbound SMB traffic (TCP 445) to untrusted external IP ranges at the perimeter firewall
  • Enable Extended Protection for Authentication (EPA) to mitigate NTLM relay attack risk
  • Audit for LNK files received via email or downloaded from the internet, particularly those referencing UNC paths
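The LinkTargetIDList structure described under "How the Attack Works" and the last audit bullet above suggest a simple triage check for collected LNK files. The following Python is an added example, not code from the article, CERT-UA or Akamai: it walks the ShellLink header and IDList as laid out in MS-SHLLINK and flags any ItemID that carries an embedded UNC string; because the article gives neither the Control Panel CLSID values nor the exact _IDCONTROLW layout, the check is a generic UNC-string heuristic, and the sample .lnk is a constructed fixture with dummy CLSID-like blobs.

```python
import re
import struct
import uuid

HEADER_SIZE = 0x4C                     # fixed ShellLinkHeader size (MS-SHLLINK)
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit A
UNC_RE = re.compile(r"\\\\[\w.-]+\\[^\x00\ufffd]+")   # \\host\share\... up to a NUL


def parse_item_ids(data: bytes) -> list[bytes]:
    """Return the raw ItemID payloads of the LinkTargetIDList, or [] if the flag is clear."""
    if len(data) < HEADER_SIZE + 2 or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    if not struct.unpack_from("<I", data, 20)[0] & HAS_LINK_TARGET_ID_LIST:
        return []
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end, items = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size, []
    if end > len(data):
        raise ValueError("truncated IDList")
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]   # ItemIDSize includes itself
        if size == 0:                                    # TerminalID ends the list
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + size])
        pos += size
    return items


def find_unc_paths(items: list[bytes]) -> list[str]:
    """Heuristic: collect UNC strings embedded in ItemIDs (ASCII, or UTF-16LE at either byte alignment)."""
    hits = []
    for item in items:
        texts = [item.decode("latin-1")]
        for off in (0, 1):
            chunk = item[off:]
            chunk = chunk[:len(chunk) - len(chunk) % 2]
            texts.append(chunk.decode("utf-16-le", errors="replace"))
        for text in texts:
            hits.extend(UNC_RE.findall(text))
    return list(dict.fromkeys(hits))


def build_sample_lnk(target: str) -> bytes:
    """Constructed fixture: valid header + three-ItemID list; the 16-byte blobs are dummies, not real CLSIDs."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    items = [b"\x1f" + b"\x00" * 16, b"\x1f" + b"\x11" * 16,
             b"\x00" + target.encode("utf-16-le") + b"\x00\x00"]   # 1-byte prefix puts UTF-16 at odd offset
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist
```

Run find_unc_paths(parse_item_ids(open(path, "rb").read())) over quarantined .lnk samples; any hit naming an external host is worth correlating with the outbound SMB and NTLM monitoring recommended above.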

This incident underscores a persistent challenge in vulnerability patching: incomplete fixes can introduce secondary attack surfaces. The gap between path resolution and trust verification in the Windows Shell pipeline, first exploited by APT28 and later uncovered by Akamai, highlights the necessity of thorough patch diffing and post-deployment verification by both vendors and defenders.
