A recent flaw in a Windows security patch has resulted in a new vulnerability that could lead to zero-click attacks, according to a report by Akamai. The issue stems from an incomplete fix for a previously identified vulnerability, allowing attackers to exploit systems without user interaction.
Background on the Vulnerabilities
The original vulnerability, known as CVE-2026-21510, was addressed in February as it posed a risk of remote code execution when a victim opened a malicious shortcut file. Despite Microsoft’s warnings about its exploitation, details on the attacks were limited. Akamai now reports that Russian group APT28 took advantage of this flaw alongside another vulnerability, CVE-2026-21513, which affected the MSHTML framework and was also patched in February.
The exploitation involved convincing users to open crafted HTML or shortcut files delivered via links or attachments. These files would manipulate Windows Shell handling, executing malicious content without the user’s knowledge.
Emergence of a New Vulnerability
In its analysis, Akamai discovered that the patch for CVE-2026-21510 was incomplete, leading to another vulnerability, CVE-2026-32202. This new threat allows attackers to steal credentials through auto-parsed LNK files without user involvement. The flaw causes victims to authenticate to an attacker’s server automatically, a technique known as zero-click exploitation.
The incomplete patch drew attention to the need for more comprehensive security measures, as the authentication process was vulnerable to exploitation.
Implications and Future Outlook
Microsoft issued a fix for CVE-2026-32202 in its April security updates, though details on specific attacks remain scarce. Akamai suggests that APT28 exploited these vulnerabilities in December 2025, targeting Ukraine and EU countries through weaponized LNK files that bypassed Windows security to achieve remote code execution.
The attackers used Windows shell namespace parsing to execute a DLL from a remote server, circumventing validation processes. This allowed unauthorized access to systems, highlighting the importance of robust network zone validation.
As cybersecurity threats evolve, organizations must remain vigilant and ensure that patches are fully effective. The ongoing risks underscore the need for continuous monitoring and updating of security protocols to protect against sophisticated cyber threats.
