Rewterz
CISA Warns of Zero-Click Windows Shell Exploit

Severity

High

Analysis Summary

A critical zero-click Windows Shell vulnerability, tracked as CVE-2026-32202, has been actively exploited by the Russian state-linked threat group APT28 (also known as Fancy Bear, Forest Blizzard, and Pawn Storm). The flaw emerged due to an incomplete patch for CVE-2026-21510, a Windows Shell SmartScreen bypass vulnerability previously addressed by Microsoft in February 2026. Microsoft has now confirmed active exploitation of the issue and released a complete fix as part of its April 2026 Patch Tuesday updates. The attack campaign was first observed by CERT-UA in December 2025 targeting organizations across Ukraine and several EU countries, with Akamai researchers later confirming and analyzing the exploit chain in January 2026.

The attack relies on a specially crafted malicious LNK (Windows Shortcut) file that abuses the Windows Shell namespace parsing mechanism. The shortcut contains a manipulated LinkTargetIDList structure designed to mimic legitimate Control Panel objects. This structure includes a Control Panel CLSID, an “all control panel items” reference, and a malicious _IDCONTROLW entry pointing to an attacker-controlled UNC path hosting a rogue CPL (Control Panel applet) file. When Windows Explorer parses the file, it resolves the path and attempts to load the remote DLL as a Control Panel component, bypassing traditional SmartScreen and Mark of the Web (MotW) protections. This attack was chained with CVE-2026-21513, an MSHTML exploit, enabling APT28 to establish a stealthy infection path with minimal user interaction.

Microsoft’s original February patch introduced a new COM object called ControlPanelLinkSite and added a 0x08000000 fMask flag, forcing the execution chain through ShellExecute trust verification and SmartScreen validation. While this successfully blocked remote code execution by preventing unsigned or untrusted CPL files from executing, Akamai’s PatchDiff-AI analysis revealed a residual issue. Before ShellExecute verification occurs, Windows Explorer invokes CControlPanelFolder::GetUIObjectOf to render folder contents. During this process, the PathFileExistsW function attempts to resolve the malicious UNC path, automatically triggering an outbound SMB authentication request as soon as the folder is opened, even if the file is never clicked.

This behavior allows attackers to capture the victim’s Net-NTLMv2 hash through an automatic authentication handshake, enabling NTLM relay attacks or offline credential cracking without user interaction. Despite its medium CVSS rating, the flaw is therefore a serious credential theft vector. Organizations should immediately deploy Microsoft’s April 2026 security updates, monitor for suspicious outbound SMB traffic, restrict or disable NTLM authentication where possible, and transition toward Kerberos-only authentication to reduce exposure. The incident highlights the dangers of incomplete security patches and demonstrates how a subtle gap between path resolution and trust verification can create an exploitable attack surface, reinforcing the importance of rigorous patch validation and regression testing.

Impact

  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-32202

  • CVE-2026-21510

Remediation

  • Apply Microsoft’s April 2026 Patch Tuesday updates immediately to remediate CVE-2026-32202 and ensure all Windows systems are fully protected against the zero-click authentication coercion flaw.
  • Verify deployment of the earlier February 2026 patch for CVE-2026-21510 alongside the latest update to eliminate both the original SmartScreen bypass and the incomplete patch exposure.
  • Block outbound SMB traffic (ports 445 and 139) to external or untrusted networks at firewalls and endpoint security controls to prevent unauthorized NTLM authentication attempts.
  • Restrict or disable NTLM authentication where operationally possible and enforce Kerberos-only authentication to reduce the risk of credential relay and hash theft attacks.
  • Enable SMB signing and Extended Protection for Authentication (EPA) to help mitigate NTLM relay attacks across enterprise environments.
  • Monitor network traffic for suspicious outbound SMB connections, especially connections initiated by explorer.exe to unknown external hosts or UNC paths.
  • Harden Group Policy settings to prevent automatic processing of remote Control Panel items and restrict execution of untrusted .LNK and .CPL files.
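The monitoring recommendation above (outbound SMB connections initiated by explorer.exe to external hosts) can be turned into a simple detection rule. The following is an added example, not code from the advisory or from Rewterz; it assumes network-connection telemetry exported as JSON lines in the shape of Sysmon Event ID 3 (fields Image, DestinationIp, DestinationPort), and the sample events are constructed.

```python
import ipaddress
import json

# Constructed sample events shaped like Sysmon Event ID 3 (network connection)
# records exported as JSON lines; not real telemetry from the advisory.
SAMPLE_EVENTS = r"""
{"EventID":3,"Image":"C:\\Windows\\explorer.exe","DestinationIp":"203.0.113.25","DestinationPort":445,"Protocol":"tcp"}
{"EventID":3,"Image":"C:\\Windows\\explorer.exe","DestinationIp":"10.20.30.40","DestinationPort":445,"Protocol":"tcp"}
{"EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"198.51.100.7","DestinationPort":443,"Protocol":"tcp"}
{"EventID":3,"Image":"C:\\Windows\\explorer.exe","DestinationIp":"198.51.100.9","DestinationPort":139,"Protocol":"tcp"}
{"EventID":1,"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}
"""

SMB_PORTS = {445, 139}

# RFC 1918 ranges plus loopback and link-local. Assumption: anything outside
# these is "external"; a real deployment would also whitelist the org's own
# public ranges and known file servers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip_text: str) -> bool:
    """True when the destination address is not in an internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_explorer_smb_egress(jsonl: str) -> list:
    """Return explorer.exe connections to SMB ports on external hosts."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3:          # only network-connection events
            continue
        image = ev.get("Image", "").lower()
        if not image.endswith("\\explorer.exe"):
            continue
        port = int(ev.get("DestinationPort", 0))
        if port not in SMB_PORTS:
            continue
        if not is_external(ev.get("DestinationIp", "127.0.0.1")):
            continue
        hits.append({"dst": ev["DestinationIp"], "port": port})
    return hits


if __name__ == "__main__":
    for hit in find_explorer_smb_egress(SAMPLE_EVENTS):
        print(f"ALERT explorer.exe SMB egress to {hit['dst']}:{hit['port']}")
```

Each alert is a candidate for the automatic UNC-path resolution described above and should be correlated with recently written .LNK files on the same host.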