CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.