Security News

Cybersecurity news aggregator

CRITICAL Attacks The Register Security

Microsoft's patch for a 0-day exploited by Russian spies fell short. Another Windows flaw is under attack

CVE-2026-32202 (CVSS 4.3) is a zero-click authentication coercion flaw in Windows Shell that can expose sensitive information via network spoofing. It is a regression caused by an incomplete patch for CVE-2026-21510, which was previously exploited by APT28. Affected versions include Windows 10 1607 prior to 10.0.14393.9060, 1809 prior to 10.0.17763.8644, and 21H2 prior to 10.0.19044.7184, among others listed in the NVD data.
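A patch-level triage for the three build thresholds quoted in the summary above, as an added example (not code from Microsoft, Akamai or The Register). The hostnames and inventory are constructed, and releases outside those three branches are reported as unknown because the page defers to the NVD data for them.

```python
# First patched revision per Windows 10 build branch, as quoted in the summary above.
# Other affected releases are listed in the NVD data and are deliberately not guessed here.
FIXED_REVISION = {
    14393: 9060,  # Windows 10 1607
    17763: 8644,  # Windows 10 1809
    19044: 7184,  # Windows 10 21H2
}


def classify(version: str) -> str:
    """Classify a version string such as '10.0.17763.8644' for CVE-2026-32202."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return "invalid"
    major, minor, build, revision = map(int, parts)
    if (major, minor) != (10, 0) or build not in FIXED_REVISION:
        # Not one of the branches named on the page: check NVD, do not assume safe.
        return "unknown"
    return "patched" if revision >= FIXED_REVISION[build] else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group hostnames by status so unpatched and unclassified hosts surface together."""
    result = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = {
    "ws-001": "10.0.17763.8644",
    "ws-002": "10.0.19044.7000",
    "srv-legacy": "10.0.14393.9059",
    "ws-new": "10.0.26100.1",
    "kiosk": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```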

Second try's a charm?

Jessica Lyons, Wed 29 Apr 2026 // 19:15 UTC

Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a zero-click Windows flaw that can expose sensitive information on vulnerable systems.

While we don't know who is attacking this one, tracked as CVE-2026-32202, we'd suggest betting it all on Putin's goons. The flaw stems from an incomplete fix for an earlier vulnerability found and abused by Russian spies a month before Redmond released a patch.

The new bug, CVE-2026-32202, is an authentication coercion flaw in Windows Shell that can expose sensitive information on vulnerable systems via network spoofing.

"An attacker who successfully exploited the vulnerability could view some sensitive information," Redmond warned when it disclosed the CVE on April 14. On Monday, the Windows giant marked the bug as "exploitation detected."

The next day, CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog, and set a May 12 deadline for federal agencies to fix the flaw.

The Register reached out to Microsoft about the scope of exploitation, who is responsible for the attacks, and what they are doing with the illicit access. We will update this story if we receive any response.

Microsoft credited Akamai senior security researcher Maor Dahan with finding and reporting CVE-2026-32202, and in Dahan's write-up, he says an incomplete patch for CVE-2026-21510 created the newer vuln.

Redmond attempted to patch CVE-2026-21510 in February. It was one of six actively exploited zero-days disclosed during that month's Patch Tuesday, and Akamai detected Russia's APT28 (also known as Fancy Bear) exploiting that security hole in January.
According to Akamai, citing Ukraine's Computer Emergency Response Team, APT28 exploited CVE-2026-21510 in attacks against Ukraine and European Union countries. These attacks began with a phishing email, purporting to be from Ukraine's hydro-meteorological center, that contained a weaponized LNK file to exploit another vulnerability, CVE-2026-21513.

By chaining CVE-2026-21513 with CVE-2026-21510, the Russian spies bypassed Microsoft security features including Defender SmartScreen and remotely executed malicious code on victims' computers.

Microsoft fixed both of these CVEs on February's Patch Tuesday. However, "while Microsoft's fix successfully prevented the initial remote code execution (RCE) and SmartScreen bypass, it left behind a zero-click authentication coercion vulnerability," Dahan wrote, adding that he and his fellow Akamai bug hunters found CVE-2026-32202 while testing the February patches.

"While testing the patch, we noticed something interesting: The victim machine was still authenticating to the attacker's server," he said.

As Dahan explains, the security hole can be abused to send the victim's Net-NTLMv2 hash (authentication data) to the attacker, thus allowing the digital intruder to authenticate as the user, steal sensitive data, and snoop around on the victim's network.

"This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files," he wrote.