Microsoft updated its advisory this week about a security flaw in Windows Shell - CVE-2026-32202 - and confirmed that it is already being exploited in the wild. Although the official CVSS score is moderate, the practical importance of this flaw lies in its role within an exploitation chain and in the ease with which it turns apparently harmless files into credential-theft vectors that require no user interaction.
In technical terms, the vulnerability is an improper trust verification when resolving UNC paths, which allows an automatic access to a remote resource (for example, a .cpl file loaded by the Windows Shell mechanism over SMB) to trigger an outgoing SMB connection from the victim machine to a server controlled by the attacker. That connection causes an NTLM exchange that can leak the user's Net-NTLMv2 hash, which is then exploitable by relay or offline attacks. In practice this behaviour reappeared after a partial patch previously applied for CVE-2026-21510, and according to researchers the campaign is linked to the APT28 (Fancy Bear) group.

The abuse pattern described by the researchers who discovered it combines LNK files (shortcuts) that trigger name resolution in the Shell namespace and, in turn, load a DLL / CPL from a remote UNC resource. The main threat is not so much direct remote code execution as the theft of credentials that facilitates lateral movement and follow-on attacks. This explains why actors with specific capabilities and objectives, such as APT28, have incorporated these techniques into targeted campaigns in Ukraine and the European Union.
For organizations and managers, the operational implications are clear: patching is necessary but not sufficient. Microsoft already corrected the flaw in the most recent monthly patch, so the first mandatory action is to apply the security updates on all affected endpoints and servers. In addition, it is appropriate to validate that the patches were correctly deployed and to review the vulnerability indicators in the patch inventory. The Microsoft security guidance for this CVE and related updates can be checked on the official Microsoft Security Response Center page.

Beyond the patch, there are defensive measures that reduce both the probability and the impact of this type of abuse. Among the most effective are restricting outbound SMB traffic to the Internet (blocking TCP/445 from workstations and servers that do not need to communicate externally), enabling and requiring SMB signing where it applies, configuring group policies that prevent automatic resolution of UNC paths from untrusted locations, and disabling unnecessary services that can resolve remote resources. It is also recommended to extend the use of strong and multi-factor authentication to reduce the value of any captured hashes.
In the area of detection, security teams should pay attention to unexpected NTLM authentication events towards external domains, UNC resolution attempts towards off-network hosts, and execution linked to CPL loads or LNK shortcuts. EDR / MDR products should block or alert on the dynamic loading of DLLs from remote sources and on typical NTLM relay activity patterns. Vendors and in-house teams have started to publish technical analyses; to understand the original research and its technical context, the analysis can be consulted on the Akamai Security Blog.
Finally, this series of flaws highlights a recurring lesson: partial mitigation can leave residual vectors that sophisticated actors chain with other vulnerabilities. Modern defense requires complete patches, network segmentation, hardening of authentication protocols and continuous monitoring. Audit your outbound SMB controls, validate SmartScreen settings and other origin-based protections, and treat NTLM hashes as high-risk credentials: assume that, if exposed, they will require rotation and immediate compensating measures.
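As an added illustration, not taken from the article, Microsoft or Akamai, the following Python sketch applies the two checks just described to constructed Sysmon-style records: outbound TCP/445 connections to hosts outside the organisation's own address ranges, and process command lines that reference a UNC host outside those ranges. The internal networks, the `.corp.local` DNS suffix and the sample events are all assumptions.

```python
import ipaddress
import re

# Assumed corporate address space and DNS suffix; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TRUSTED_SUFFIXES = (".corp.local",)
# Host component of a UNC path: \\host\share...
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")

# Constructed Sysmon-style records (not real telemetry). EventID 3 = network
# connection, EventID 1 = process creation; field names mirror Sysmon's.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "System", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": "System", "DestinationIp": "203.0.113.7", "DestinationPort": 445},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"control.exe \\fileserver.corp.local\share\tool.cpl"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"control.exe \\203.0.113.7\share\tool.cpl"},
    {"EventID": 3, "Image": "chrome.exe", "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]


def is_internal_host(host: str) -> bool:
    """True if host is an IP inside INTERNAL_NETS, a name with a trusted suffix,
    or a bare single-label (NetBIOS-style) name, which we assume resolves internally."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower()
        return h.endswith(TRUSTED_SUFFIXES) or "." not in h
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return (rule, image, host) tuples for outbound SMB to external hosts and
    for command lines that reference a UNC path on an external host."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 3 and ev.get("DestinationPort") == 445:
            if not is_internal_host(ev["DestinationIp"]):
                alerts.append(("outbound_smb_external", ev["Image"], ev["DestinationIp"]))
        elif ev["EventID"] == 1:
            for host in UNC_RE.findall(ev.get("CommandLine", "")):
                if not is_internal_host(host):
                    alerts.append(("unc_external", ev["Image"], host))
    return alerts


if __name__ == "__main__":
    for rule, image, host in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {host}")
```

Only the two records that reach the constructed external address 203.0.113.7 are flagged; internal SMB traffic and the HTTPS connection pass through.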