Skip to main content
  1. Active Vulnerability List/
  2. 2026/

CVE-2026-32202 | Windows | Protection Mechanism Failure

FieldDetails
VulnerabilityCVE-2026-32202
Affected ProductMicrosoft Windows Shell (the Windows Explorer / shell namespace component responsible for rendering folders and shortcut icons). Per NVD’s CPE configuration, the vulnerable surface spans Windows Server 2012 / 2012 R2, Windows 10 (1607, 1809, 21H2, 22H2), and Windows 11 (23H2, 24H2, 25H2, 26H1) across x86, x64, and ARM64 builds. Specific patched builds include Windows 10 22H2 up to (excluding) 10.0.19045.7184, Windows 11 24H2 up to (excluding) 10.0.26100.8246, and Windows 11 25H2 up to (excluding) 10.0.26200.8246.
TypeProtection Mechanism Failure in Windows Shell leading to forced NTLM authentication / NTLMv2 hash coercion via auto-rendered LNK shortcuts. CISA’s KEV name: “Microsoft Windows Protection Mechanism Failure Vulnerability”.
CWECWE-693: Protection Mechanism Failure, as assigned by Microsoft Corporation (CNA) and recorded in NVD.
DescriptionPer Microsoft’s advisory verbatim: “Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.” Per the Akamai analysis cited by The Hacker News, Help Net Security, and SC Media, this CVE is an incomplete-patch follow-on to CVE-2026-21510 — a zero-day previously exploited by APT28 (Fancy Bear) in attacks against Ukraine and EU countries since December 2025. Microsoft’s February 2026 fix for CVE-2026-21510 closed the SmartScreen bypass and remote code execution path but did not prevent Windows Shell from initiating an SMB connection to an attacker-controlled server when Windows Explorer renders the folder containing a malicious LNK file (Windows Explorer attempts to fetch the icon for the shortcut, triggering an outbound SMB request). That automatic SMB connection causes an NTLM authentication handshake with the attacker’s server, leaking the victim’s NTLMv2 hash without the user opening or executing the LNK.
SeverityCVSS v3.1: 4.3 MEDIUM (CNA: Microsoft Corporation), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N as recorded in NVD. CVSS v4.0: NVD assessment not yet provided at time of writing. The 4.3 medium score materially understates real-world risk: per Notebookcheck and Akamai analysis, the stolen NTLMv2 hash can be used in NTLM relay attacks to authenticate as the compromised user against other systems on the same network, or cracked offline to recover the plaintext password.
Root CauseIncomplete remediation of CVE-2026-21510. Per Akamai’s analysis (as quoted by The Hacker News): “While Microsoft fixed the initial RCE (CVE-2026-21510), an authentication coercion flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files.” The Windows Shell icon-resolution code path follows the target reference inside a .lnk file when Explorer needs to display its icon — including when the target is a UNC path (\\attacker-server\share\file) — without verifying trust on the resulting outbound connection. The February 2026 patch addressed the SmartScreen-bypass RCE primitive but did not gate the icon-fetch SMB call behind the same trust check. Microsoft has not publicly named the specific Windows Shell function or icon-resolution path involved.
Attack VectorNetwork (AV:N) per the CVSS vector. The attack reaches the victim’s host over the network — the malicious LNK arrives via email attachment, web download, removable media, or SMB share, and the exploitation primitive itself (SMB outbound) is network-borne. The crucial property is that the SMB connection is initiated automatically by Windows Explorer, not by user double-click or execution.
Privileges RequiredNone (PR:N). The attacker requires no credentials or prior foothold on the victim’s host.
User InteractionRequired (UI:R) per the published CVSS vector. The interaction required is unusually light: per Akamai, the user only needs to open the folder containing the malicious LNK in Windows Explorer (e.g., browse to the Downloads folder after the LNK has been delivered). They do not need to double-click, execute, or even click on the shortcut. Microsoft’s own advisory phrasing — “An attacker would have to send the victim a malicious file that the victim would have to execute” — is inconsistent with the Akamai-disclosed exploitation mechanic, which describes a zero-click trigger upon folder rendering. Defenders should treat this as effectively browse-to-fire, not click-to-fire.
ImpactConfidentiality: Low per CVSS (C:L, I:N, A:N) — but the operational impact is credential leak of the user’s NTLMv2 challenge-response, which is leveraged in two subsequent attacks: (1) NTLM relay to other internal services accepting NTLM (file servers, ADCS HTTP enrollment, LDAP, Exchange), authenticating as the victim user; and (2) offline password cracking to recover the plaintext password for direct credential reuse. Per Microsoft’s own advisory: “An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker.” The CVSS scope (S:U) does not capture the lateral-movement amplification that NTLM relay enables.
Why the Bug MattersThis is the operational follow-on to an APT28 zero-day chain. CVE-2026-21510 (now patched) and CVE-2026-21513 were used by APT28 (Fancy Bear / Russian state-aligned) in active campaigns against Ukraine and EU countries since December 2025. The April 2026 incomplete-patch disclosure means the same threat-actor playbook continued to work against patched systems for the window between the February fix and the April 14 follow-on patch — and continues to work against any system that has not applied the April patch. Microsoft initially published the April 14 patch without marking the CVE as exploited, then quietly updated the advisory on April 27 to correct the Exploitability Index, Exploited flag, and CVSS vector — meaning defenders who triaged the April patch as routine on the day of release got the wrong signal. The exploitation is zero-click in practical effect (folder browse triggers the SMB), making it ideal for phishing-delivered LNK staged in email or web download paths, with the credential coercion firing on routine user inbox/Downloads navigation.
Execution Flow1. Attacker delivers a malicious LNK shortcut file to the victim — via phishing email attachment, drive-by download, removable media, or seeded SMB share. The LNK is crafted with a target / icon path referencing a UNC path on an attacker-controlled SMB server (\\attacker.example.com\share\icon.ico or equivalent). 2. The LNK lands in any folder accessible to the user (Downloads, Desktop, mounted share, email attachment cache). 3. Victim opens the folder containing the LNK in Windows Explorer — no double-click on the LNK itself is required. 4. Windows Shell’s icon-resolution path for the LNK automatically initiates an outbound SMB connection to the attacker’s server to fetch the icon. 5. The SMB connection performs NTLM authentication by default, leaking the victim’s NTLMv2 challenge-response hash to the attacker. 6. Attacker relays the NTLMv2 hash to internal services accepting NTLM (SMB file servers, AD CS HTTP enrollment, LDAP, Exchange) or cracks the hash offline to recover the plaintext password.
Threat Model / Abuse Scenarios- APT28 / nation-state continuation — same threat actor that exploited CVE-2026-21510 in 2025; the public Akamai write-up and incomplete-patch nature increase the population of capable actors
- Phishing-delivered LNK in business email — operationally simple to weaponize, and the trigger condition (folder rendering) lines up with how victims handle attachments
- Seeded shares on compromised internal SMB servers — once an attacker has a foothold, salting accessible shares with LNK files harvests NTLMv2 from every user who browses the share
- Removable media drops — USB-delivered LNK fires on Explorer auto-open of the mounted drive contents
- Combined chain with relay-friendly internal services — credentialed NTLM relay to AD CS web enrollment for certificate-based persistence (ESC8 pattern), or to internal SMB for lateral movement
Detection Opportunities- Endpoint firewall / Windows Defender Firewall outbound SMB: monitor and alert on outbound TCP/445 connections from workstation IPs to non-corporate IP space — under most enterprise designs, workstations should never initiate SMB outbound to the public internet
- EDR / Sysmon Event ID 3 (Network Connect) for explorer.exe as the source process for outbound TCP/445 connections
- Sysmon Event ID 1 (Process Create) is less useful here because no new process is spawned — the SMB call is by Explorer itself
- Authentication logs on internal targets: hunt for NTLM authentication attempts from internal hosts to internal services using account names that don’t normally authenticate to those services — classic NTLM relay artifact
- AD CS HTTP enrollment logs: certificate issuance to user accounts shortly after they “opened a folder containing a LNK” — pair this with the ESC8 detection patterns
- Sysmon Event ID 11 (FileCreate) for .lnk files written to user-writable directories by browser, email client, or unzip operations
- Inferred from bug mechanics: network sensor monitoring for SMB negotiate / session setup traffic from workstations to external IP addresses is the highest-confidence single signal
High-Value Detection Clues- explorer.exe initiating outbound TCP/445 connections to internet IPs — for nearly all enterprise environments, this is anomalous on its face
- LNK files in Downloads, email attachment caches, or Desktop with icon paths or target paths containing UNC references (\\<host>\<share>\<file>) to non-corporate hosts
- NTLM authentication events on internal hosts originating from unexpected source IPs with user accounts of users who recently received emails or visited compromised sites
- AD CS certificate issuances to user accounts in close temporal proximity to suspicious LNK delivery
- Inferred from bug mechanics: proxy / firewall logs showing DNS queries for unusual external hostnames followed immediately by TCP/445 connection attempts from the same workstation
Example Hunt Ideas- In Sysmon data fleet-wide: EventID:3 AND ProcessName:"explorer.exe" AND DestinationPort:445 AND NOT DestinationHostname:<internal-domain-pattern>
- In firewall egress logs: hunt for TCP/445 outbound from any workstation IP range to public IP space — flag every hit for investigation
- In email gateway logs: search for inbound emails with .lnk attachments or .zip archives containing .lnk files
- In Sysmon Event ID 11 (FileCreate): hunt for .lnk files dropped into Downloads, AppData\Local\Microsoft\Windows\INetCache\, or Desktop by non-Microsoft processes (browsers, mail clients, archivers) — extract the file with EDR and inspect the target/icon paths for UNC strings
- In Windows Security event logs on file servers and DCs: hunt for Event ID 4624 with LogonType=3 (Network) and Authentication Package=NTLM from unusual source IPs against accounts of users who may have triggered the coercion
- Inferred: correlate AD CS HTTP enrollment events with NTLM relay indicators on the same time window
MitigationApply Microsoft’s April 14, 2026 Patch Tuesday update for the affected Windows version. Patched builds per NVD’s CPE configuration include (selection): Windows 10 22H2 ≥ 10.0.19045.7184, Windows 11 23H2 ≥ 10.0.22631.6936, Windows 11 24H2 ≥ 10.0.26100.8246, Windows 11 25H2 ≥ 10.0.26200.8246, Windows Server 2012 / 2012 R2 via the corresponding April 2026 cumulative update. Additional defense-in-depth per Help Net Security: block outbound SMB (TCP/445) traffic at the network perimeter — under modern enterprise design there is no legitimate reason for workstation SMB to traverse the corporate edge. This mitigates the entire NTLM-coercion class of attack, not just CVE-2026-32202. Where outbound SMB cannot be fully blocked, enforce SMB signing and disable NTLM on internal services that can require Kerberos-only authentication. Enable Extended Protection for Authentication (EPA) on services that accept NTLM to prevent relay where possible. Hunt the fleet for unpatched hosts — Microsoft’s initial advisory did not flag the CVE as exploited, so many environments may have deferred this patch as routine.
Solution StatusPatched. Microsoft released the fix as part of the April 14, 2026 Patch Tuesday cumulative update for affected Windows versions. Microsoft initially marked the CVE as not exploited at publication, then on April 27, 2026 updated the advisory to correctly mark the Exploitability Index, Exploited flag, and CVSS vector as actively exploited. CISA added the CVE to KEV on April 28, 2026 with a federal patch deadline of May 12, 2026. The vulnerability was researched and the residual exploitation primitive publicly described by Akamai researcher Ben Dahan.
MITRE ATT&CK MappingATT&CK mapping not publicly established by Microsoft or CISA at time of writing. Inferred from bug mechanics: T1187 Forced Authentication is the direct fit — the LNK forces the victim host into an SMB authentication handshake with an attacker-controlled server. Follow-on techniques in the typical exploitation chain: T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (for the credential relay phase, when applicable), T1110.001 Brute Force: Password Cracking (for offline NTLMv2 hash cracking), T1078 Valid Accounts (use of recovered credentials), and T1550.002 Use Alternate Authentication Material: Pass the Hash (if the recovered material supports it). Adversary attribution per Akamai and SC Media: this CVE class is associated with APT28 (Fancy Bear) in the context of the related CVE-2026-21510 and CVE-2026-21513 chain.
Limitations / Constraints- Not a remote code execution. The CVE alone yields NTLMv2 hash disclosure, not direct code execution. The damage is realized through subsequent relay or cracking.
- Microsoft’s “must execute” language understates the trigger. Per Akamai, browsing the folder is sufficient; double-click is not required.
- The CVSS 4.3 score is misleading for defenders triaging by score alone — treat as Critical-tier given KEV listing and APT28 exposure history.
- No public PoC is widely circulated at time of writing, but the Akamai disclosure provides enough detail for any moderately capable actor to reconstruct the primitive.
- NTLM relay defenses (SMB signing, EPA, Kerberos-only) reduce post-coercion impact but do not prevent the hash disclosure itself.
- Microsoft’s exploited flag was wrong on initial publication — defenders cannot rely on vendor exploited-flag accuracy as a sole prioritization signal.
References- https://nvd.nist.gov/vuln/detail/CVE-2026-32202
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-32202
- https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html
- https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
- https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/
- https://www.scworld.com/news/cisa-adds-connectwise-microsoft-flaws-to-kev-catalog
- https://www.cybersecuritydive.com/news/cisa-microsoft-connectwise-kev-update/818817/
- https://www.notebookcheck.net/Windows-zero-day-CVE-2026-32202-confirmed-as-exploited.1285559.0.html
- https://securityonline.info/cisa-kev-catalog-kimsuky-apt28-exploitation-cve-2024-1708-cve-2026-32202/