ctipilot.ch

Windows Shell protection mechanism failure — NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12)

cve · CVE-2026-32202

Coverage timeline: 2 (first 2026-05-08 → last 2026-05-10)
Briefs: 2 (2 distinct)
Sources cited: 228 (82 hosts)
Sections touched: 2 (immediate-actions, weekly_summary)
Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     weekly_summary · Consolidated in weekly summary for week 2026-W19
  2. 2026-05-08 · CTI Daily Brief — 2026-05-08
     immediate-actions · First coverage. CWE-693; crafted LNK/Shell artefact coerces NTLM authentication to an attacker-controlled server; APT28 actively exploiting against EU government ministries. CISA KEV deadline 2026-05-12. Fixed in April 2026 Patch Tuesday.

Where this entity is cited

  • immediate-actions (1)
  • weekly_summary (1)

Source distribution

  • attack.mitre.org: 43 (19%)
  • thehackernews.com: 19 (8%)
  • bleepingcomputer.com: 13 (6%)
  • msrc.microsoft.com: 12 (5%)
  • helpnetsecurity.com: 9 (4%)
  • isc.sans.edu: 7 (3%)
  • microsoft.com: 5 (2%)
  • theregister.com: 5 (2%)
  • other: 115 (50%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Windows Shell protection mechanism failure — NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) (3)

CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Despite the low base CVSS of 4.3 (network vector, no privileges, user interaction required), this is a priority-patch item for any organisation in scope of APT28's targeting of the predecessor vulnerability: in December 2025 CERT-UA attributed the predecessor CVE-2026-21510 LNK exploitation against Ukraine and EU countries to APT28 (Fancy Bear) (Akamai Security Research). Microsoft flipped the "exploited" flag on CVE-2026-32202 on 2026-04-27 (Help Net Security, 2026-04-29); neither Akamai nor Help Net Security explicitly attributes current CVE-2026-32202 in-the-wild exploitation to APT28, so the actor behind CVE-2026-32202 exploitation specifically remains publicly unattributed at week-end (Microsoft MSRC — CVE-2026-32202 · daily 2026-05-08). Akamai's PatchDiff-AI analysis published 2026-04-23 shows that Microsoft's February 2026 patch for CVE-2026-21510 successfully blocked RCE and SmartScreen bypass but left a residual zero-click NTLM coercion path intact, now tracked as CVE-2026-32202 (Akamai Security Research, 2026-04-23 · Help Net Security, 2026-04-29).

The mechanism: Windows Explorer automatically resolves UNC paths embedded in the LinkTargetIDList structure of malicious LNK files via PathFileExistsW, triggering an outbound SMB authentication handshake that leaks the user's Net-NTLMv2 hash to an attacker-controlled server — folder-open is sufficient, no user click required. Trust verification was applied only during ShellExecuteExW calls in the February 2026 patch, not in the earlier code paths where the credential theft occurs. Microsoft confirmed active exploitation on 2026-04-27 and CISA added CVE-2026-32202 to KEV the following day with a deadline of 2026-05-12. The April 14 patch shipped without the "exploited" flag, creating a 13-day window where security teams had no formal signal to treat it as urgent. Net-NTLMv2 hashes can be relayed (NTLM relay attacks) or cracked offline — both paths to lateral movement.

Patch path: April 2026 Windows cumulative updates. Supplementary controls: block outbound TCP 445 to non-business internet destinations at the perimeter firewall, enable the "Restrict NTLM" Group Policy (set to "Deny all" for outbound), and migrate authentication to Kerberos-only where operationally feasible. Detection priorities for SOC hunting: SMBv2 outbound connections from explorer.exe to non-corporate IPs; NTLM authentication events 4625 / 4776 with Net-NTLMv2 originating from workstations; LNK file inspection at the mail gateway and in EDR for LinkTargetIDList entries pointing to UNC paths. ATT&CK: T1187 Forced Authentication, T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay.
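A defender-side LNK inspector for the last detection priority above (LinkTargetIDList entries that point at UNC paths), added here as an illustration and not code from the brief, from Akamai or from Microsoft. It walks the MS-SHLLINK header and IDList structure; the sample shortcut bytes are constructed for the example, and 203.0.113.10 is an RFC 5737 documentation address used as a placeholder, not an indicator from the page.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit A in MS-SHLLINK
HEADER_SIZE = 0x4C

# \\host\share in ANSI and in UTF-16LE; network item IDs carry names in either encoding
UNC_ANSI = re.compile(rb"\\\\[A-Za-z0-9.\-_]{1,253}\\[^\\\x00]{1,80}")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00(?:[A-Za-z0-9.\-_]\x00){1,253}\\\x00(?:[^\\\x00]\x00){1,80}")


def link_target_id_list(data: bytes) -> list:
    """Return the raw ItemID bodies of the LinkTargetIDList, or [] if absent or malformed."""
    if len(data) < HEADER_SIZE + 2 or data[4:20] != LNK_CLSID:
        return []
    header_size = struct.unpack_from("<I", data, 0)[0]
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    if header_size != HEADER_SIZE or not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    off = HEADER_SIZE
    end = min(off + 2 + struct.unpack_from("<H", data, off)[0], len(data))  # IDListSize
    off += 2
    items = []
    while off + 2 <= end:
        item_size = struct.unpack_from("<H", data, off)[0]
        if item_size == 0:          # TerminalID ends the list
            break
        if item_size < 2 or off + item_size > end:
            break                   # bogus length: stop rather than trust it
        items.append(data[off + 2:off + item_size])
        off += item_size
    return items


def unc_targets(data: bytes) -> list:
    """UNC paths referenced from the LinkTargetIDList; these are what Explorer resolves on folder open."""
    hits = []
    for body in link_target_id_list(data):
        hits += [m.group().decode("latin-1") for m in UNC_ANSI.finditer(body)]
        hits += [m.group().decode("utf-16-le") for m in UNC_UTF16.finditer(body)]
    return hits


def build_lnk(item_bodies, flags=HAS_LINK_TARGET_ID_LIST) -> bytes:
    """Constructed minimal LNK (header + LinkTargetIDList only) to exercise the parser; not a real sample."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    id_list = b"".join(struct.pack("<H", len(b) + 2) + b for b in item_bodies) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list
```

Run `unc_targets` over every .lnk seen at the mail gateway or dropped into a user-writable share; a non-empty result for a shortcut whose host is not on the corporate file-server list is the triage signal, since the page's point is that the UNC resolution happens on folder open without any click.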

CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline 2026-05-12)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

A protection mechanism failure (CWE-693) in Windows Shell allows an unauthenticated, network-adjacent attacker to coerce outbound NTLM authentication from a target system after minimal user interaction with a crafted artefact (LNK file or similar Shell shortcut). When a user opens a directory containing the malicious artefact, the Shell resolves it and initiates an SMB connection to an attacker-controlled server, transmitting a NetNTLM credential hash. The attacker relays the hash for same-network lateral movement or cracks it offline to recover plaintext credentials. NVD CVSS is 4.3 (network vector, no privileges required, user interaction required), reflecting the coercion-only impact; in-the-wild exploitation and state-actor attribution make the operational risk materially higher.

Microsoft patched this in the April 2026 Patch Tuesday cycle. CISA added CVE-2026-32202 to KEV on 2026-04-28 with a deadline of 2026-05-12. Threat intelligence attributes active exploitation to APT28 (GRU Unit 26165, "Fancy Bear") targeting EU government ministries. The technique complements APT28's documented use of NTLM relay and pass-the-hash for lateral movement within government networks.

Immediate actions: Apply April 2026 Windows Patch Tuesday; block outbound TCP 445 to non-business internet destinations at the perimeter firewall; enable "Restrict NTLM" Group Policy (set to "Deny all") or migrate authentication to Kerberos-only where operationally feasible; monitor EDR for outbound 445/TCP to internet IPs from workstations.

CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.