Windows, Spoofing, CVE-2026-32202 (Medium)

CVE-2026-32202 is a protection mechanism failure in Windows Shell that stems from an incomplete patch for CVE-2026-21510 (a higher‑severity Windows Shell vulnerability exploited by APT28).
The original attack vector is a malicious Windows Shortcut (.LNK) file that contains a specially crafted `LinkTargetIDList` structure.
This IDList embeds a UNC path (e.g., \\attacker.com\share\payload.cpl) to a remote attacker‑controlled server.
When Windows Explorer parses the LNK file to render a folder’s contents, it calls `CControlPanelFolder::GetUIObjectOf`, which triggers `PathFileExistsW` to resolve the UNC path.
This resolution causes an automatic SMB connection to the attacker’s server, and the Windows Shell initiates an NTLM authentication handshake, sending the victim’s Net‑NTLMv2 hash without any user interaction (zero‑click).
Microsoft’s February 2026 patch added a new COM object (`ControlPanelLinkSite`) that performs SmartScreen/MotW verification via `ShellExecuteExW`, but this check occurs after the UNC path has already been resolved and the SMB connection has been made.
Thus, the incomplete patch prevented remote code execution but left the zero‑click credential‑theft vector open, which became CVE‑2026‑32202.
The vulnerability was finally fixed in the April 2026 Patch Tuesday release.
Microsoft later updated its advisory on April 27, 2026, to confirm active exploitation.
Affected versions include many builds of Windows 10 (e.g., 10.0.14393.0 before 10.0.14393.9060), Windows 11 (e.g., 10.0.22631.0 before 10.0.22631.6936), and Windows Server editions (e.g., 10.0.20348.0 before 10.0.20348.5020).

dailycve form:

Platform: Windows
Version: 10/11/Server
Vulnerability: Protection Failure
Severity: MEDIUM
date: 2026-04-14

Prediction: April 2026 Tuesday

Analytics under What Undercode Say:

Detect outbound SMB connection attempts (potential NTLM hash exfiltration)
sudo tcpdump -i eth0 'tcp port 445 or tcp port 139'
Monitor Windows Defender SmartScreen logs for LNK file processing
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-SmartScreen/Operational'; ID=1008}
Enumerate network logons in the security log (Event ID 4624 with Logon Type 3; the Logon Type field is property index 8 of the event)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Properties[8].Value -eq 3}

Exploit:

Attackers craft a .LNK file with a `LinkTargetIDList` that contains a UNC path pointing to their server. Simply placing the LNK file in a folder or sending it via email triggers automatic icon extraction, which causes Windows Explorer to resolve the UNC path. This initiates an SMB connection and transmits the victim’s NTLMv2 hash back to the attacker without any user interaction.

Protection from this CVE

Apply the April 2026 cumulative update immediately. Block outbound SMB (ports 445/139) at the firewall to prevent NTLM hash exfiltration. Disable NTLM where possible or enforce NTLM signing. Deploy EDR rules that alert on suspicious LNK file parsing or unexpected UNC path resolutions.
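The trigger described above is a UNC path embedded in the shortcut’s `LinkTargetIDList`, and the last mitigation listed is an alert on suspicious LNK parsing. The following scanner is an added example (not code from the original post or from Microsoft): it parses the ShellLinkHeader and walks the `LinkTargetIDList` as laid out in MS-SHLLINK, reporting any `\\host\share\...` string found in an ItemID, so a folder of shortcuts can be triaged from a script without Explorer ever rendering them. The fixture it builds is a constructed, minimal LNK whose ItemID body is just a UTF-16 string, not a real shell item; the hostname in it is a placeholder.

```python
"""Triage .LNK files for UNC targets inside the LinkTargetIDList.

Added example, not part of the original post. Parses the fixed 76-byte
ShellLinkHeader, follows the HasLinkTargetIDList flag, walks the ItemIDs and
reports embedded UNC paths. The fixture built below is constructed for the
scanner only (its ItemID is a bare string, not a valid shell item).
"""
import os
import re
import struct
import uuid

HEADER_SIZE = 0x4C                                  # ShellLinkHeader.HeaderSize
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001                # LinkFlags bit 0

# UNC strings as UTF-16LE or ANSI bytes, e.g. \\host\share\payload.cpl
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[\x20-\x7e]\x00){2,}")
UNC_ANSI = re.compile(rb"\\\\[\x20-\x7e]{2,}")


def parse_header(data):
    """Return LinkFlags, or None if the bytes are not a Shell Link file."""
    if len(data) < HEADER_SIZE:
        return None
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        return None
    return flags


def iter_item_ids(data, offset):
    """Yield each ItemID payload of the LinkTargetIDList that starts at offset."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + id_list_size
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                          # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        yield data[pos + 2:pos + item_size]
        pos += item_size


def find_unc_targets(data):
    """Return UNC strings found in the LinkTargetIDList (empty if none)."""
    flags = parse_header(data)
    if flags is None or not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    found = []
    for payload in iter_item_ids(data, HEADER_SIZE):
        found += [m.group().decode("utf-16-le") for m in UNC_UTF16.finditer(payload)]
        found += [m.group().decode("ascii") for m in UNC_ANSI.finditer(payload)]
    return found


def scan_directory(root):
    """Walk root; map each flagged .lnk path to its UNC targets."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    targets = find_unc_targets(fh.read())
                except (ValueError, struct.error):   # truncated/malformed IDList
                    targets = ["<malformed LinkTargetIDList>"]
            if targets:
                hits[path] = targets
    return hits


def build_fixture_lnk(target):
    """Constructed fixture: header + one ItemID holding `target` as UTF-16LE."""
    header = struct.pack("<I16sIIQQQIIIHHII",
                         HEADER_SIZE, LINK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = target.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", 2 + len(body)) + body
    id_list = item + b"\x00\x00"                     # TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    import sys
    sample = build_fixture_lnk(r"\\files.example.invalid\share\payload.cpl")
    print("fixture:", find_unc_targets(sample))
    for path, targets in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, targets)
```

Real shortcuts encode targets inside typed shell items, and a UNC reference may also live in the LinkInfo `CommonNetworkRelativeLink` or in the RelativePath, WorkingDir and IconLocation StringData, so the byte-pattern match here is a cheap triage heuristic rather than a full parser; a malformed IDList is reported too, since Explorer-facing parsers are exactly what a crafted file targets. Note that by passing a directory name in `sys.argv[1]`, not opening a path in Explorer, the script never triggers the icon extraction that starts the SMB connection.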

Impact

Attackers can silently steal NTLMv2 hashes from any user who browses a folder containing a malicious LNK file (or receives it via email/archive). These hashes can be cracked offline or used in NTLM relay attacks, leading to lateral movement and potential account compromise.

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode
