Planned Fix

CVE-2026-32202

Authentication Bypass in Microsoft Windows Shell

Summary

Microsoft Windows Shell's handling of crafted .LNK shell-namespace objects can be abused so Explorer resolves an attacker-controlled UNC path before trust verification runs. When a victim browses a folder containing the malicious shortcut, Windows opens an outbound SMB session and sends NTLM credentials to the attacker without a click. Akamai says the bug came from an incomplete patch related to CVE-2026-21510, and CISA later listed CVE-2026-32202 in KEV after active exploitation was confirmed.

Why Planned Fix?

4/6
No authentication required
Internal deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: Authentication Bypass
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact

Cause a victim Windows system to authenticate to an attacker-controlled SMB server and leak Net-NTLMv2 credentials.

Data Disclosure
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker crafts a malicious .LNK file whose LinkTargetIDList embeds a Control Panel-style shell object with a UNC path to an attacker-controlled server. The shortcut is delivered to the target or placed in a folder the victim will browse, and Windows Explorer parses it while rendering directory contents. During icon and resource resolution, shell32 resolves the UNC path before trust checks run, causing Windows to initiate SMB traffic and automatically perform NTLM authentication to the attacker.
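A defender-side triage check for the pattern described above, added here as an example (not code from this page, Akamai or Microsoft): it reads the ShellLinkHeader using the public MS-SHLLINK layout, extracts the LinkTargetIDList, and reports any UNC prefixes embedded in it. The sample bytes and the host name files.example.test are constructed; a hit is a reason to inspect the file, not proof of exploitation.

```python
import re
import struct

# ShellLinkHeader constants from the public MS-SHLLINK layout.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x00000001

# \\host\share as ASCII or UTF-16LE; printable characters only.
_HOST = rb"[A-Za-z0-9._\-]"
_SEG = rb"[\x20-\x5b\x5d-\x7e]"
UNC_ASCII = re.compile(rb"\\\\" + _HOST + rb"{1,255}\\" + _SEG + rb"{1,80}")
UNC_UTF16 = re.compile(
    rb"(?:\\\x00){2}(?:" + _HOST + rb"\x00){1,255}\\\x00(?:" + _SEG + rb"\x00){1,80}"
)

def idlist_unc_paths(data: bytes) -> list[str]:
    """Return \\\\host\\share prefixes found inside the LinkTargetIDList."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    (size,) = struct.unpack_from("<I", data, 0)
    if size != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link header")
    (flags,) = struct.unpack_from("<I", data, 20)
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []
    if len(data) < HEADER_SIZE + 2:
        raise ValueError("truncated before IDListSize")
    (idlist_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    idlist = data[HEADER_SIZE + 2:HEADER_SIZE + 2 + idlist_size]
    if len(idlist) != idlist_size:
        raise ValueError("truncated IDList")
    hits = [m.group().decode("ascii") for m in UNC_ASCII.finditer(idlist)]
    hits += [m.group().decode("utf-16-le") for m in UNC_UTF16.finditer(idlist)]
    return hits

def _sample(payload: bytes, flags: int = HAS_LINK_TARGET_IDLIST) -> bytes:
    """Constructed test input: header plus one opaque ItemID, nothing more."""
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", flags)).ljust(HEADER_SIZE, b"\x00")
    item = struct.pack("<H", len(payload) + 2) + payload
    idlist = item + b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist

# Constructed samples (not real shortcuts).
SAMPLE_UNC = _sample("\\\\files.example.test\\share\\item".encode("utf-16-le"))
SAMPLE_LOCAL = _sample("C:\\Windows\\System32".encode("utf-16-le"))

if __name__ == "__main__":
    print(idlist_unc_paths(SAMPLE_UNC), idlist_unc_paths(SAMPLE_LOCAL))
```

Run it over shortcuts in download, mail-attachment and shared folders, and compare reported hosts against the file servers the organisation actually uses.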

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft Windows Shell
Affected Versions: Windows Server 2012 and 2012 R2; Windows 10 1607/1809/21H2/22H2 (pre-build 10.0.14393.9060/10.0.17763.8644/10.0.19044.7184/10.0.19045.7184); Windows 11 23H2/24H2/25H2/26H1 (pre-build 10.0.22631.6936/10.0.26100.8246/10.0.26200.8246/10.0.28000.1836)
Description

Microsoft Windows Shell is the desktop shell and file-navigation component that renders folders, shortcuts, Control Panel items, and other shell objects, and launches their associated handlers.

Deployment: Typically internal | Protocol: SMB | Ports: 445

Affected Component: Shell namespace parsing and icon extraction for malicious .LNK files that reference Control Panel CPL objects over UNC paths.

Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update

Install Microsoft’s April 14, 2026 security update for the affected Windows releases; Microsoft later revised the advisory to reflect active exploitation.

msrc.microsoft.com
Threat Intelligence
EPSS Score: 7.2%

Probability of exploitation in the next 30 days

EPSS Percentile: 92%

Worse than 92% of all CVEs

CISA KEV: Listed
Active Exploitation: Active
akamai.com
Threat Actors (1)
APT28 (Fancy Bear, Forest Blizzard)

Russian GRU-linked espionage group targeting Ukraine and EU organizations

Detection Rules (1)
Other: HTTP:STC:CVE-2026-32202-EOP

NVD Data


Description Summary

Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

CVSS Base Score

4.3 (Medium)

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CWE: CWE-693 Protection Mechanism Failure
Version From:
Version Upto: 10.0.14393.9060, 10.0.14393.9060, 10.0.17763.8644, 10.0.17763.8644, 10.0.19044.7184, 10.0.19044.7184, 10.0.19044.7184, 10.0.19045.7184, 10.0.19045.7184, 10.0.19045.7184, 10.0.22631.6936, 10.0.22631.6936, 10.0.26100.8246, 10.0.26100.8246, 10.0.26200.8246, 10.0.26200.8246, 10.0.28000.1836, 10.0.28000.1836, 10.0.14393.9060, 10.0.17763.8644, 10.0.20348.5020, 10.0.25398.2274, 10.0.26100.32690

Affected Software (CPE) (25)

  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_26h1:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*