Full Report
Second try's a charm? Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a zero-click Windows flaw that can expose sensitive information on vulnerable systems.…
Analysis Summary
# Vulnerability: Windows Shell Authentication Coercion (Zero-Click)
## CVE Details
- **CVE ID:** CVE-2026-32202
- **CVSS Score:** Not explicitly listed in the source text (historically, authentication coercion/information disclosure flaws of this type have ranged from 6.5 to 7.5).
- **CWE:** CWE-211 (Information Exposure), CWE-319 (Cleartext Transmission of Sensitive Information)
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** All versions currently supported by Microsoft (implied by the broad "Windows flaw" description and CISA urgency).
- **Configurations:** Systems utilizing Windows Shell for processing `.LNK` (shortcut) files.
## Vulnerability Description
CVE-2026-32202 is an authentication coercion vulnerability in Windows Shell. It originated from an incomplete fix for **CVE-2026-21510**.
The flaw exists in the gap between path resolution and trust verification when Windows Shell parses shortcut (.LNK) files. When a victim views a folder containing a weaponized LNK file, the "zero-click" nature of the flaw causes the Windows system to automatically attempt to resolve the path. This forces the victim's machine to authenticate to a remote, attacker-controlled server, transmitting the user’s **Net-NTLMv2 hash**.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by Microsoft and CISA).
- **Complexity:** Low (Zero-click; triggered by simple file parsing/previewing).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Exposure of Net-NTLMv2 hashes allows for credential theft and potential "Pass-the-Hash" or relay attacks).
- **Integrity:** Medium (Successful authentication as the user allows for unauthorized actions).
- **Availability:** Low.
## Remediation
### Patches
- **Microsoft April 14 Update:** Users must apply the security updates released by Microsoft on or after April 14, 2026.
- **CISA Directive:** Federal agencies are mandated to apply these patches by **May 12, 2026**.
### Workarounds
- **Restrict Outbound SMB:** Block outbound SMB traffic (TCP Port 445) from the network perimeter to the internet to prevent NTLM hashes from leaving the environment.
- **Disable NTLM:** Where possible, transition to Kerberos authentication and disable NTLM entirely.
- **SMB Signing:** Ensure SMB signing is enforced to prevent NTLM relay attacks.
## Detection
- **Indicators of Compromise:** Unusual outbound connections on Port 445 to unknown or external IP addresses.
- **Detection methods and tools:**
  - Monitor Windows Defender SmartScreen logs for bypass attempts.
  - Audit NTLM authentication logs for unexpected authentication requests to remote servers.
  - Check for weaponized `.LNK` files in email attachments or network shares.
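The first indicator above (outbound connections on port 445 to external addresses) can be checked mechanically. The script below is an added example, not from the original report or any vendor tool: it parses constructed firewall-style log lines (the key=value format is an assumption) and flags every TCP/445 flow whose destination lies outside the RFC 1918, loopback and link-local ranges, including denied attempts, since a blocked coercion still reveals which host tried to authenticate outward.

```python
import ipaddress
import re

# Constructed sample log lines (not from the report). Lines 3 and 4 are the
# ones that should be flagged: TCP/445 toward a non-internal address.
SAMPLE_LOG = """\
2026-04-15T10:00:01Z src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=445 action=allow
2026-04-15T10:00:02Z src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 action=allow
2026-04-15T10:00:03Z src=10.0.0.7 dst=198.51.100.23 proto=tcp dport=445 action=allow
2026-04-15T10:00:04Z src=10.0.0.7 dst=198.51.100.23 proto=tcp dport=445 action=deny
"""

# Assumed log layout: timestamp followed by space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

SMB_PORT = 445

# Explicit internal ranges; ipaddress.is_private is deliberately not used because
# it also classifies the TEST-NET documentation ranges (e.g. 198.51.100.0/24) as
# private, which would hide the sample's external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip: str) -> bool:
    """True when the address is in a range where SMB traffic is expected."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_external_smb(log_text: str) -> list:
    """Return flagged TCP/445 flows to external destinations, allowed or denied."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        f = m.groupdict()
        if f["proto"].lower() != "tcp" or int(f["dport"]) != SMB_PORT:
            continue
        if is_internal(f["dst"]):
            continue
        hits.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"], "action": f["action"]})
    return hits


if __name__ == "__main__":
    for h in flag_external_smb(SAMPLE_LOG):
        print(f"[{h['ts']}] outbound SMB from {h['src']} to external {h['dst']} ({h['action']})")
```

A hit from a workstation is worth correlating with NTLM audit events and with recently delivered `.LNK` files on that host.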
## References
- **Microsoft Security Response Center (MSRC):** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-32202
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Akamai Security Research:** hxxps[://]www[.]akamai[.]com/blog/security-research/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
- **CERT Ukraine (Context on APT28 activity):** hxxp[://]cert[.]gov[.]ua/article/6287250