ctipilot.ch · Switzerland · Europe · Public sector

Windows Shell protection mechanism failure — NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12)

cve · CVE-2026-32202

  • Coverage timeline: 1 (first 2026-05-08 → last 2026-05-08)
  • Briefs: 1 (1 distinct)
  • Sources cited: 33 (26 hosts)
  • Sections touched: 1 (immediate-actions)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-08 · CTI Daily Brief — 2026-05-08
     immediate-actions · First coverage. CWE-693; crafted LNK/Shell artefact coerces NTLM authentication to attacker-controlled server; APT28 actively exploiting against EU government ministries. CISA KEV deadline 2026-05-12. Fixed in April 2026 Patch Tuesday.

Where this entity is cited

  • immediate-actions (1)

Source distribution

  • nvd.nist.gov: 4 (12%)
  • attack.mitre.org: 2 (6%)
  • bleepingcomputer.com: 2 (6%)
  • helpnetsecurity.com: 2 (6%)
  • malwarebytes.com: 2 (6%)
  • msrc.microsoft.com: 1 (3%)
  • access.redhat.com: 1 (3%)
  • blog.talosintelligence.com: 1 (3%)
  • other: 18 (55%)

External references

NVD · cve.org · CISA KEV


Items in briefs about Windows Shell protection mechanism failure — NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) (2)

CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

A protection mechanism failure (CWE-693) in Windows Shell allows an unauthenticated, network-adjacent attacker to coerce outbound NTLM authentication from a target system after minimal user interaction with a crafted artefact (LNK file or similar Shell shortcut). When a user opens a directory containing the malicious artefact, the Shell resolves it and initiates an SMB connection to an attacker-controlled server, transmitting a NetNTLM credential hash. The attacker relays the hash for same-network lateral movement or cracks it offline to recover plaintext credentials. NVD CVSS is 4.3 (network vector, no privileges required, user interaction required), reflecting the coercion-only impact; in-the-wild exploitation and state-actor attribution make the operational risk materially higher.

Microsoft patched this in the April 2026 Patch Tuesday cycle. CISA added CVE-2026-32202 to KEV on 2026-04-28 with a deadline of 2026-05-12. Threat intelligence attributes active exploitation to APT28 (GRU Unit 26165, "Fancy Bear") targeting EU government ministries. The technique complements APT28's documented use of NTLM relay and pass-the-hash for lateral movement within government networks.

Immediate actions: Apply April 2026 Windows Patch Tuesday; block outbound TCP 445 to non-business internet destinations at the perimeter firewall; enable "Restrict NTLM" Group Policy (set to "Deny all") or migrate authentication to Kerberos-only where operationally feasible; monitor EDR for outbound 445/TCP to internet IPs from workstations.

CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.