Microsoft says Windows Shell flaw was actively exploited after patch

Microsoft on Monday said a patched Windows Shell spoofing flaw tracked as CVE-2026-32202 was actively exploited in the wild, days after the company corrected its advisory for the issue. The bug has a CVSS score of 4.3 and can expose sensitive information.

KEY FACTS

  • Vulnerability: CVE-2026-32202 affects Windows Shell and is described as a spoofing issue.
  • Impact: Successful exploitation could let an attacker view some sensitive information.
  • Timeline: Microsoft said on April 27, 2026 that its earlier exploitability and CVSS details were incorrect.
  • Technical note: The flaw stems from a protection mechanism failure and requires the victim to open a malicious file.

The disclosure said the issue was fixed in the company’s April Patch Tuesday update. Microsoft did not provide details on the exploitation activity.

According to a technical analysis from Akamai, the flaw is tied to an incomplete patch for CVE-2026-21510. That earlier Windows Shell weakness, along with CVE-2026-21513, was linked to APT28 in prior reporting.

The analysis said the campaign used malicious Windows Shortcut files to bypass Microsoft Defender SmartScreen and trigger code execution. It also said the patch left a gap that could cause automatic SMB connections and NTLM authentication to an attacker-controlled server.

Akamai said that setup could expose the victim’s Net-NTLMv2 hash, which could be used for relay attacks or offline cracking. The company said the remaining flaw created a zero-click credential theft path through auto-parsed LNK files.
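For defenders, the behavior described above suggests a simple triage check on shortcut files. The following is an added example, not code from Microsoft or Akamai: a heuristic that flags .lnk files containing UNC paths to hosts outside a trusted set. The article does not say which shortcut field carries the remote path, so the script searches the whole file; the trusted ranges, the `.corp.example` suffix and the sample bytes are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed policy for this example: RFC 1918, loopback and link-local ranges
# plus one hypothetical internal DNS suffix are trusted SMB destinations.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
TRUSTED_SUFFIXES = (".corp.example",)

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

HOST = rb"[A-Za-z0-9._-]"
UNC_ASCII = re.compile(rb"\\\\(" + HOST + rb"{1,253})\\")
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}((?:" + HOST + rb"\x00){1,253})\\\x00")


def unc_hosts(data: bytes) -> set:
    """Host parts of UNC paths stored as ANSI or UTF-16LE strings."""
    hosts = {m.group(1).decode("ascii") for m in UNC_ASCII.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le") for m in UNC_UTF16.finditer(data)}
    return {h.lower() for h in hosts if h.strip(".")}  # drops \\.\ device paths


def is_trusted(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(TRUSTED_SUFFIXES)
    return any(ip in net for net in TRUSTED_NETS)


def triage_lnk(data: bytes) -> list:
    """Untrusted remote hosts named in a shortcut; [] if not a .lnk file."""
    if not data.startswith(LNK_MAGIC):
        return []
    return sorted(h for h in unc_hosts(data) if not is_trusted(h))


def make_sample(path: str, wide: bool) -> bytes:
    """Constructed test input: header magic, zero padding, one path string."""
    body = path.encode("utf-16-le" if wide else "ascii")
    return LNK_MAGIC + bytes(56) + body


if __name__ == "__main__":
    for p in ("\\\\203.0.113.7\\share\\icon.ico", "C:\\Windows\\explorer.exe"):
        print(p, "->", triage_lnk(make_sample(p, wide=True)))
```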

WHY IT MATTERS

The case shows how a patch can reduce one risk while leaving another avenue open for abuse. For Windows users, the main practical concern is that a crafted file can still lead to credential exposure without obvious interaction.