{"id":731,"date":"2026-04-28T08:50:24","date_gmt":"2026-04-28T08:50:24","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=731"},"modified":"2026-04-28T08:50:24","modified_gmt":"2026-04-28T08:50:24","slug":"microsoft-confirms-active-exploitation-of-windows-shell-cve-2026-32202","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=731","title":{"rendered":"Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 28, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiMPU-2lLUg__kJUnPm1HSRP0cTelgKBaXgKDq4ODhX0XTKI83sddz2F_EHiOmoxnTYIkIFYIbFh8JLAMp6lqfK39czq_e1G5Ixe-Y53_-kXBSk0fqVZV6jFpECe1JjAy3ZD3MmnJ71jpZHuPpbNRjB4x7SsmfHNUCMVyzQiST7CTc9m3qteMc4zJ2U_GXo\/s1700-e365\/windows-exploit.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild.<\/p>\n<p>The vulnerability in question is <strong>CVE-2026-32202<\/strong> (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this month.<\/p>\n<p>\u00abProtection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network,\u00bb Microsoft <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-32202\">noted<\/a> in an alert. \u00abAn attacker would have to send the victim a malicious file that the victim would have to execute.\u00bb<\/p>\n<p>\u00abAn attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-security-guide-d-1\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjRxP56rpa2W0O_0yc0xgs5l2r4FRV4Wiuq3IqWuFdsd_4g1c3oRVXoHtW9gxo8ObuxmyjqkAf3cD6N1JbVDos7QX99ZHtmeVrg-FUzSnMZLTl1ZFyiSkpqQiw6BcHXz52jr3s42xWEDFOpwWK6HgXOqscGMNkhA5pZK7h6zVV4dpDaLfgy17TidZXVrtUB\/s728-e100\/nudge-d-1.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>On April 27, 2026, Microsoft said it rectified the \u00abExploitability Index, Exploited flag, and CVSS vector\u00bb as they were incorrect when they were published on April 14.<\/p>\n<p>While the tech giant did not share any details about the exploitation activity, Akamai security researcher Maor Dahan, who is credited with discovering and reporting the bug, said the zero-click vulnerability stems from an incomplete patch for CVE-2026-21510.<\/p>\n<p>The latter has been weaponized by a Russian nation-state group tracked as APT28 (aka Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm) along with CVE-2026-21513 as part of an exploit chain &#8211;<\/p>\n<p><a name=\"more\"\/><\/p>\n<ul>\n<li><strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-21510\">CVE-2026-21510<\/a><\/strong> (CVSS score: 8.8) &#8211; A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026)<\/li>\n<li><strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-21513\">CVE-2026-21513<\/a><\/strong> (CVSS score: 8.8) &#8211; A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network. (Fixed by Microsoft in February 2026)<\/li>\n<\/ul>\n<p>It&#8217;s worth noting that the abuse of CVE-2026-21513 was also flagged by the web infrastructure and security company early last month, linking it to APT28 after unearthing a malicious artifact in January 2026.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhiJ6i2yR87rj_rxxQHlwM7BT7FHpbHFc6mz18UV4QhEUe_Jfuv87c08iZ6GX_5LFRCMSdasomM58RWnV5SMKEAIgK19b3j8D6SZbIaQejSbFQIiMQ8AikrbFHlUBeXIZydd9BPAlIfWN_cxx6VqHnp_sqUfzToMdWiCtwaBnQHHYw2uRcHO8TgoFPZDHu\/s1700-e365\/CVE-2026-21510.jpg\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhiJ6i2yR87rj_rxxQHlwM7BT7FHpbHFc6mz18UV4QhEUe_Jfuv87c08iZ6GX_5LFRCMSdasomM58RWnV5SMKEAIgK19b3j8D6SZbIaQejSbFQIiMQ8AikrbFHlUBeXIZydd9BPAlIfWN_cxx6VqHnp_sqUfzToMdWiCtwaBnQHHYw2uRcHO8TgoFPZDHu\/s1700-e365\/CVE-2026-21510.jpg\" alt=\"\" border=\"0\" data-original-height=\"1092\" data-original-width=\"1920\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">CVE-2026-21510 Exploitation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The campaign, targeting Ukraine and E.U. nations in December 2025, leverages a malicious Windows Shortcut (LNK) file to exploit the two vulnerabilities, effectively bypassing Microsoft Defender SmartScreen and enabling attacker-controlled code to be executed.<\/p>\n<p>\u00abAPT28 leverages the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server using a UNC path,\u00bb Dahan <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/2026\/apr\/incomplete-patch-apt28s-zero-day-cve-2026-32202\">explained<\/a>. \u00abThe DLL is loaded as part of the Control Panel (<a href=\"https:\/\/www.ired.team\/offensive-security\/code-execution\/executing-code-in-control-panel-item-through-an-exported-cplapplet-function\">CPL<\/a>) objects without proper network zone validation.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Akamai said the February 2026 patch, while mitigating the remote code execution risk by triggering a SmartScreen check of the CPL file&#8217;s digital signature and origin zone, still allowed the victim machine to authenticate to the attacker&#8217;s server and automatically fetch the CPL file by resolving the Universal Naming Convention (<a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-dtyp\/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc\">UNC<\/a>) path and initiating an SMB connection without requiring user interaction.<\/p>\n<p>\u00abWhen that path is a UNC path (like &#8216;\\\\attacker.com\\share\\payload.cpl&#8217;), Windows initiates an SMB connection to the attacker&#8217;s server,\u00bb Dahan said. \u00abThis server message block (SMB) connection triggers an automatic NTLM authentication handshake, sending the victim&#8217;s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking.\u00bb<\/p>\n<p>\u00abWhile Microsoft fixed the initial RCE (CVE-2026-21510), an authentication coercion flaw (CVE-2026-32202) remained. This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 28, 2026Vulnerability \/ Threat Intelligence Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited&hellip;<\/p>\n","protected":false},"author":1,"featured_media":732,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[64,63,1431,65,147,303,307],"class_list":["post-731","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-active","tag-confirms","tag-cve202632202","tag-exploitation","tag-microsoft","tag-shell","tag-windows"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=731"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/731\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/732"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}