ctipilot.ch

CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Despite the low base CVSS of 4.3 (network vector, no privileges, user interaction required), this is a priority-patch item for any organisation in scope of APT28's targeting of the predecessor vulnerability: CERT-UA attributed the predecessor CVE-2026-21510 LNK exploitation against Ukraine and EU countries in December 2025 to APT28 (Fancy Bear) (Akamai Security Research). Microsoft flipped the "exploited" flag on CVE-2026-32202 on 2026-04-27 (Help Net Security, 2026-04-29); neither Akamai nor Help Net Security explicitly attributes current CVE-2026-32202 in-the-wild exploitation to APT28, so the actor behind CVE-2026-32202 exploitation specifically remains publicly unattributed at week end (Microsoft MSRC — CVE-2026-32202 · daily 2026-05-08). Akamai's PatchDiff-AI analysis published 2026-04-23 reveals that Microsoft's February 2026 patch for CVE-2026-21510 successfully blocked RCE and SmartScreen bypass but left a residual zero-click NTLM coercion path intact, now tracked as CVE-2026-32202 (Akamai Security Research, 2026-04-23 · Help Net Security, 2026-04-29).

The mechanism: Windows Explorer automatically resolves UNC paths embedded in the LinkTargetIDList structure of malicious LNK files via PathFileExistsW, triggering an outbound SMB authentication handshake that leaks the user's Net-NTLMv2 hash to an attacker-controlled server; opening the containing folder is sufficient, no user click required. The February 2026 patch applied trust verification only during ShellExecuteExW calls, not in the earlier code paths where the credential theft occurs. Microsoft confirmed active exploitation on 2026-04-27 and CISA added CVE-2026-32202 to KEV the following day with a deadline of 2026-05-12. The April 14 patch shipped without the "exploited" flag, creating a 13-day window in which security teams had no formal signal to treat it as urgent. Net-NTLMv2 hashes can be relayed (NTLM relay attacks) or cracked offline; both are paths to lateral movement.

Patch path: April 2026 Windows cumulative updates. Supplementary controls: block outbound TCP 445 to non-business internet destinations at the perimeter firewall, enable the "Restrict NTLM" Group Policy (set to "Deny all" for outbound), and migrate authentication to Kerberos-only where operationally feasible. Detection priorities for SOC hunting: SMBv2 outbound connections from explorer.exe to non-corporate IPs; NTLM authentication events 4625 / 4776 with Net-NTLMv2 from workstations; LNK file inspection at the mail gateway and in EDR for LinkTargetIDList entries pointing to UNC paths. ATT&CK: T1187 Forced Authentication, T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay.
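One way to implement the LNK inspection item above, as an added example that is not code from the brief or from Akamai's analysis: it walks the ShellLinkHeader and LinkTargetIDList framing defined in MS-SHLLINK and flags any ItemID whose payload contains a UNC prefix, in either ANSI or UTF-16LE. The inner shell-item layouts are treated as opaque bytes (a heuristic, not a full shell-item parser), and the fixture builder emits a constructed, non-functional link used only to exercise the parser.

```python
import struct

HEADER_SIZE = 0x4C                       # ShellLinkHeader is always 0x4C bytes
HAS_LINK_TARGET_ID_LIST = 0x00000001     # LinkFlags bit 0 (MS-SHLLINK 2.1.1)


def parse_item_ids(data: bytes) -> list[bytes]:
    """Return the raw ItemID payloads of the LinkTargetIDList (MS-SHLLINK 2.2).
    Only the header and IDList framing are parsed; each shell item is opaque."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags follows the 16-byte CLSID
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    id_list_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:                # TerminalID (two zero bytes) closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %#x" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def find_unc_targets(data: bytes) -> list[str]:
    """Heuristic: any string beginning with two backslashes inside an ItemID payload."""
    hits = []
    for item in parse_item_ids(data):
        for enc, marker in (("latin-1", b"\\\\"), ("utf-16-le", b"\\\x00\\\x00")):
            start = item.find(marker)
            if start < 0:
                continue
            unc = item[start:].decode(enc, errors="ignore").split("\x00", 1)[0]
            if len(unc) > 2 and unc not in hits:
                hits.append(unc)
    return hits


def constructed_fixture(items: list[bytes]) -> bytes:
    """Constructed test input: header + IDList only (zero CLSID, no real item layouts)."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(body)) + body
```

A gateway or EDR rule built on this would quarantine or alert on any LNK for which find_unc_targets returns a non-empty list; the item bytes in the fixture are placeholders, so only the framing is representative.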