ctipilot.ch


CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)

notable · vulnerability · discovered 2026-05-08 05:00 UTC · single-source

Part of run 2026-05-08-migrated (intel · unknown)

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.

“A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes.” — ctipilot v2 brief (migrated)
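
The behaviour described above, a host opening an outbound SMB session to a server outside the network, is visible in flow or firewall logs. The following Python is an added example, not part of the original brief: it flags internal hosts that connect to external addresses on the SMB ports, and the CSV layout, internal ranges and sample records are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: address space treated as internal; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed sample flow records: time, src, dst, dst_port, proto.
SAMPLE_FLOWS = """\
2026-05-08T09:14:02Z,10.20.4.17,10.20.1.5,445,tcp
2026-05-08T09:14:09Z,10.20.4.17,203.0.113.10,445,tcp
2026-05-08T09:15:40Z,10.20.4.22,198.51.100.7,443,tcp
2026-05-08T09:16:11Z,10.20.4.31,2001:db8::5,445,tcp
2026-05-08T09:16:12Z,10.20.4.31,not-an-ip,445,tcp
2026-05-08T09:17:30Z,10.20.4.17,203.0.113.10,139,tcp
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal networks."""
    return any(addr.version == n.version and addr in n for n in INTERNAL_NETS)

def external_smb(flow_csv):
    """Return ({internal source: sorted (dst, port) pairs}, unparsable rows)."""
    hits, skipped = defaultdict(set), []
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            _, src, dst, port, proto = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped.append(row)  # malformed record: keep for review, never drop silently
            continue
        if (proto.lower() == "tcp" and port in SMB_PORTS
                and is_internal(src_ip) and not is_internal(dst_ip)):
            hits[str(src_ip)].add((str(dst_ip), port))
    return {s: sorted(d) for s, d in hits.items()}, skipped

if __name__ == "__main__":
    findings, bad = external_smb(SAMPLE_FLOWS)
    for src, dsts in findings.items():
        print(src, "-> external SMB:", ", ".join(f"{d} port {p}" for d, p in dsts))
    print(f"{len(bad)} unparsable record(s)")
```

Any hit is worth triage on its own, since workstations rarely have a legitimate reason to speak SMB to an address outside the organisation; blocking outbound TCP 139/445 at the perimeter removes the path while patching is in progress.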

vulnerabilities · actively-exploited · nation-state · cisa-kev · patch-available · russia-nexus · europe · global · CVE-2026-32202