A critical zero-click vulnerability in Windows, identified as CVE-2026-32202, has been exploited by the Russian cyber threat group APT28, also known as Fancy Bear. This flaw, resulting from an incomplete patch for a Windows Shell security feature, was highlighted by Microsoft and addressed in their April 2026 Patch Tuesday update.
Exploitation of Windows Shell Vulnerability
APT28 targeted Ukraine and several EU nations in a campaign using weaponized LNK files in December 2025. Akamai researchers discovered this attack in January 2026, linking it to two vulnerabilities: CVE-2026-21513 and CVE-2026-21510. The core of the attack involved exploiting the Windows Shell namespace parsing system.
The method involved embedding a malicious LinkTargetIDList structure in LNK files. When Windows Explorer parsed this structure, it loaded DLLs from attacker-controlled servers without applying the trust checks that would normally apply.
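The detail that matters for defenders is where the target sits: inside the LinkTargetIDList rather than in the human-readable link fields. The script below is an added triage example (not code from the article, Akamai or Microsoft) that parses the ShellLinkHeader, walks the LinkTargetIDList ItemIDs and reports any UNC-style target it finds, flagging remote .cpl/.dll references for escalation. The layout of the header and IDList follows the public Shell Link format; the two sample files are constructed fixtures built in the script (the 203.0.113.10 address is a documentation range), not real-world samples, and the simplified ItemID contents are an assumption.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit 0


def parse_id_list(data, offset):
    """Parse the LinkTargetIDList that starts at `offset`.

    Layout: IDListSize (uint16) followed by ItemIDs, each ItemIDSize (uint16,
    size includes the field itself) + Data, closed by a 2-byte TerminalID of 0.
    Returns the list of raw ItemID Data blobs.
    """
    if offset + 2 > len(data):
        raise ValueError("truncated IDListSize")
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    start, end = offset + 2, offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items, pos = [], start
    while True:
        if pos + 2 > end:
            raise ValueError("IDList has no TerminalID")
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("bad ItemIDSize %d at offset %d" % (item_size, pos))
        items.append(bytes(data[pos + 2:pos + item_size]))
        pos += item_size
    return items


def extract_unc_strings(blob, encoding):
    """Return strings beginning with a double backslash found in `blob`.

    Shell items store paths as ASCII or UTF-16LE, so the caller runs this once
    per encoding. A string ends at a NUL (for ASCII also at any non-printable byte).
    """
    width = 2 if encoding == "utf-16-le" else 1
    needle = "\\\\".encode(encoding)
    found, pos = [], blob.find(needle)
    while pos != -1:
        end = pos
        while end + width <= len(blob):
            unit = blob[end:end + width]
            if unit == b"\x00" * width:
                break
            if width == 1 and not 0x20 <= unit[0] < 0x7F:
                break
            end += width
        found.append(blob[pos:end].decode(encoding, errors="replace"))
        pos = blob.find(needle, end + width)
    return found


def triage_lnk(data):
    """Report UNC-style targets embedded in a .lnk file's LinkTargetIDList."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    report = {"has_idlist": False, "item_count": 0, "unc_targets": [], "suspicious": False}
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return report
    items = parse_id_list(data, LNK_HEADER_SIZE)
    targets = []
    for item in items:
        for enc in ("ascii", "utf-16-le"):
            targets.extend(extract_unc_strings(item, enc))
    report.update(has_idlist=True, item_count=len(items), unc_targets=targets)
    # A remote CPL/DLL reference inside the IDList is the pattern worth escalating.
    report["suspicious"] = any(t.lower().endswith((".cpl", ".dll")) for t in targets)
    return report


def build_sample_lnk(item_payloads):
    """Constructed fixture: a minimal .lnk carrying only a LinkTargetIDList (not a real sample)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed items (simplified shell-item bytes, an assumption): one local target and
# one pointing at a share on the TEST-NET address 203.0.113.10.
LOCAL_LNK = build_sample_lnk([b"\x1f\x50" + b"\x00" * 16,
                              b"\x31" + b"C:\\Windows\\notepad.exe\x00"])
REMOTE_LNK = build_sample_lnk([b"\x1f\x50" + b"\x00" * 16,
                               b"\x4c" + "\\\\203.0.113.10\\share\\sample.cpl".encode("utf-16-le") + b"\x00\x00"])

if __name__ == "__main__":
    for name, blob in (("local", LOCAL_LNK), ("remote", REMOTE_LNK)):
        print(name, triage_lnk(blob))
```

Run it over a quarantined LNK attachment with `triage_lnk(open(path, "rb").read())`; a UNC target ending in .cpl or .dll inside the IDList is the indicator to escalate, and a `ValueError` on a file that claims to be a shortcut is itself worth a second look.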
Microsoft’s Response and Remaining Issues
Microsoft’s February 2026 patch introduced a new COM object to verify the trust of Control Panel components, effectively blocking the execution of unsigned or remote CPLs. However, Akamai’s analysis revealed that the victim’s machine still authenticated to the attacker’s server, indicating a residual vulnerability.
This residual flaw still let Windows resolve the UNC path and open an SMB connection to the malicious server, exposing the client's NTLM authentication to relay attacks or offline password cracking without any user interaction.
Recommendations for Organizations
Organizations are urged to apply Microsoft’s April 2026 updates to mitigate CVE-2026-32202. Security teams should monitor outbound SMB traffic and enforce NTLMv2 restrictions or transition to Kerberos-only authentication.
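The monitoring recommendation is easy to state and worth making concrete. The script below is an added example (not part of the article) that scans firewall log lines for SMB flows leaving the internal address space, counts hits per source host, and checks two LSA registry values that implement the NTLMv2 restriction. The log lines are constructed and their column layout (date, time, action, protocol, source, destination, ports) is an assumption modelled on a simplified Windows Firewall log; the internal ranges are RFC 1918 plus loopback and link-local and must be replaced with the organization's own address plan.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (assumption: simplified Windows Firewall-style layout):
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2026-04-14 10:02:11 ALLOW TCP 10.0.0.15 10.0.0.5 51230 445
2026-04-14 10:02:12 ALLOW TCP 10.0.0.15 203.0.113.10 51234 445
2026-04-14 10:02:13 ALLOW TCP 10.0.0.15 203.0.113.10 51235 443
2026-04-14 10:02:14 ALLOW TCP 10.0.0.22 198.51.100.7 51240 445
2026-04-14 10:02:15 DROP TCP 10.0.0.22 198.51.100.7 51241 445
"""

LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|DROP) (\S+) (\S+) (\S+) (\d+) (\d+)$")

# Address space treated as internal (assumption: replace with the organization's own plan).
# ipaddress's is_private is deliberately not used: it also marks documentation ranges
# such as 203.0.113.0/24 as private, which would hide the sample hits below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}


def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return one alert per SMB flow whose destination lies outside INTERNAL_NETS.

    Dropped attempts are reported as well: the attempt itself shows that something
    on the host resolved a UNC path, which is the behaviour the article describes.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, proto, src, dst, _sport, dport = m.groups()
        if proto != "TCP" or int(dport) not in SMB_PORTS or is_internal(dst):
            continue
        alerts.append({"time": ts, "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return alerts


def hosts_by_alert_count(alerts):
    """Which internal hosts are reaching out: the natural triage starting point."""
    return dict(Counter(a["src"] for a in alerts))


def assess_ntlm_policy(lm_compatibility_level, restrict_sending_ntlm_traffic):
    """Flag weak values of two LSA registry settings behind the NTLMv2 recommendation.

    LmCompatibilityLevel (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa): 0..5; 3 or
        higher means the client sends NTLMv2 responses only, 5 is the strictest.
    RestrictSendingNTLMTraffic (...\\Lsa\\MSV1_0): 0 allow, 1 audit, 2 deny outgoing NTLM.
    Values are passed in so the check runs anywhere; read them on the host with
    Get-ItemProperty.
    """
    findings = []
    if lm_compatibility_level < 3:
        findings.append("LmCompatibilityLevel < 3: LM/NTLMv1 responses may still be sent")
    if restrict_sending_ntlm_traffic < 2:
        findings.append("RestrictSendingNTLMTraffic < 2: outgoing NTLM to remote servers is not denied")
    return findings


if __name__ == "__main__":
    hits = find_smb_egress(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(hosts_by_alert_count(hits))
    print(assess_ntlm_policy(lm_compatibility_level=1, restrict_sending_ntlm_traffic=0))
```

On the sample data the scan yields three alerts (two allowed, one dropped) from two hosts, and the policy check reports both settings as weak; a host that appears repeatedly against the same external address after a document or shortcut was opened is the case to pull for forensic review.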
Given the active exploitation of this vulnerability, unpatched systems pose a high risk, especially where LNK files are shared across networks. This incident highlights the importance of thorough patch testing and monitoring to identify secondary vulnerabilities.
The gap between path resolution and trust verification that APT28 exploited is the lesson here: a fix that checks trust only after the remote resource has been fetched leaves the fetch itself exposed, which is why vulnerability management has to cover the whole code path and not just the reported symptom.
