Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

The Hacker News, Apr 28, 2026

Why It Matters

The active abuse demonstrates how nation-state actors can weaponize even low-severity Windows bugs, forcing enterprises to reassess patch strategies and network authentication controls.

Key Takeaways

  • Microsoft confirms active exploitation of CVE-2026-32202
  • Flaw enables zero-click credential theft via malicious LNK files
  • APT28 weaponized CVE-2026-21510/21513 in Ukraine/EU campaign
  • Patch Tuesday mitigated RCE but left authentication coercion gap
  • Exploitation reveals need for tighter UNC path validation

Pulse Analysis

Microsoft's latest advisory confirms that CVE-2026-32202, a spoofing flaw in Windows Shell, has been exploited in the wild. The vulnerability, rated CVSS 4.3, allows an attacker to deliver a malicious shortcut (LNK) file that, when parsed, can harvest a victim's Net-NTLMv2 hash without any user interaction. Microsoft updated the Exploitability Index and CVSS vector on April 27 after initially misclassifying the risk, underscoring how quickly the assessment of a Windows component flaw can change once exploitation is observed. The patch released in the May Patch Tuesday addresses the spoofing vector, but the incident highlights how quickly nation-state actors can weaponize even low-severity bugs.

The CVE-2026-32202 flaw is the latest link in an exploit chain that includes CVE-2026-21510 and CVE-2026-21513, both scored 8.8 and fixed in February 2026. Russian-linked group APT28 leveraged these vulnerabilities to target Ukrainian and EU entities in late 2025, using a crafted LNK file that bypasses Microsoft Defender SmartScreen and forces Windows to resolve a UNC path to a remote CPL payload. Resolving that path triggers an automatic SMB connection that leaks the victim's authentication hash, which can then be used in NTLM relay attacks or cracked offline. Akamai's analysis shows that while the February patch stopped remote code execution, it left the authentication coercion vector open, creating a zero-click credential-theft pathway.

For enterprises, the episode serves as a reminder that patching alone may not eliminate all attack surfaces. Organizations should consider disabling UNC path resolution for LNK files, enforcing SMB signing, and monitoring for anomalous NTLM authentication traffic. Deploying multi-factor authentication and privileged access management can further limit the impact of stolen hashes. Microsoft's acknowledgment of active exploitation also pressures the vendor to tighten validation checks in future releases, potentially revisiting the Windows Shell namespace parsing logic. In the meantime, security teams should treat any sign of CVE-2026-32202 exploitation as a high-priority indicator of compromise and hunt for related artifacts, above all shortcut files that reference remote UNC paths, across their environments.
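To support the artifact hunting recommended above, here is an added triage script (not code from The Hacker News, Microsoft or Akamai) that parses the Shell Link header and StringData of a .lnk file and reports the fields that reference a UNC path, the mechanism the previous paragraphs describe. The two shortcuts it builds are constructed inline for demonstration; the 203.0.113.7 address is a documentation placeholder, not an indicator from any campaign.

```python
"""Triage helper: flag .lnk StringData fields that point at a UNC path (outbound SMB coercion)."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order when present
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x1, 0x2, 0x80
STRING_FLAGS = [(0x4, "Name"), (0x8, "RelativePath"), (0x10, "WorkingDir"),
                (0x20, "Arguments"), (0x40, "IconLocation")]
UNC_RE = re.compile(r"\\\\[^\\\s]+")  # two backslashes followed by a host name

def lnk_string_fields(data: bytes) -> dict:
    """Parse the ShellLinkHeader, skip IDList/LinkInfo, return StringData as {field: text}."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize counts the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1", "replace")
        pos += width * count
    return fields

def unc_references(data: bytes) -> dict:
    """Fields containing a UNC path; a non-empty result means the shortcut needs review."""
    return {k: v for k, v in lnk_string_fields(data).items() if UNC_RE.search(v)}

def build_sample_lnk(fields: dict) -> bytes:
    """Constructed test input (not a captured sample): header plus Unicode StringData only."""
    flags = IS_UNICODE | sum(bit for bit, name in STRING_FLAGS if name in fields)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # zeroed times/size, SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(fields[n])) + fields[n].encode("utf-16-le")
                    for _, n in STRING_FLAGS if n in fields)
    return header + body

# Constructed samples: one shortcut whose icon resolves over SMB, one that stays local
SUSPICIOUS = build_sample_lnk({"RelativePath": ".\\report.pdf",
                               "IconLocation": "\\\\203.0.113.7\\share\\icon.cpl"})
BENIGN = build_sample_lnk({"RelativePath": "..\\Tools\\notepad.exe"})
```

The script skips the LinkInfo block, so a network target stored only in its CommonNetworkRelativeLink is not reported; extend the parser for that structure before relying on it for bulk triage.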

