Key Takeaways
- In February 2026 Microsoft patched two related vulnerabilities, CVE‑2026‑21510 (SmartScreen/Shell bypass) and CVE‑2026‑21513 (MSHTML feature bypass), both exploited as zero‑days by the Russian APT28 group.
- Akamai discovered that the patch for CVE‑2026‑21510 was incomplete, leaving a residual authentication‑coercion flaw tracked as CVE‑2026‑32202.
- CVE‑2026‑32202 enables zero‑click credential theft: merely rendering a folder containing a malicious .lnk file triggers an automatic SMB connection and NTLM hash leakage to an attacker‑controlled server.
- Microsoft released a fix for CVE‑2026‑32202 in the April 2026 Patch Tuesday updates, marking it as exploited in the wild.
- The chained use of CVE‑2026‑21513 and CVE‑2026‑21510 allowed APT28 to bypass Windows security controls, achieve remote code execution, and steal credentials in attacks against Ukrainian and EU targets dating back to December 2025.
- The incident underscores the danger of partial patches and the need for thorough validation of all code paths that handle untrusted file objects, especially those invoking Windows Shell namespace parsing.
Background of the Initial Vulnerabilities
In February 2026 Microsoft issued security updates for two distinct flaws affecting Windows. CVE‑2026‑21510 resided in the Windows SmartScreen and Shell components and allowed an attacker to trick a user into opening a malicious shortcut (.lnk) file, which could lead to remote code execution (RCE). CVE‑2026‑21513 was a security‑feature bypass in the MSHTML framework that similarly could be triggered by a malicious HTML file or shortcut. Microsoft’s advisory noted that both vulnerabilities had been actively exploited as zero‑day threats, though it did not disclose specifics of the observed attacks at that time.
APT28’s Exploitation Campaign
Threat‑intelligence firm Akamai linked the February patches to activity by the Russia‑linked advanced persistent threat group APT28 (also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy). According to Akamai, APT28 began exploiting CVE‑2026‑21513 in late February 2026 and later combined it with CVE‑2026‑21510 to chain attacks. The group used weaponized LNK files that leveraged both flaws to bypass Windows’ built‑in defenses, achieve remote code execution, and establish footholds on victim machines, primarily targeting organizations in Ukraine and European Union countries.
Discovery of an Incomplete Patch
While analyzing the February updates, Akamai researchers identified that the fix for CVE‑2026‑21510 did not fully close the attack surface. The patch enforced SmartScreen verification of a file’s digital signature and origin zone at the end of the launch chain, but it missed an earlier stage where Windows Explorer interacts with the Shell namespace to retrieve icons for files in a folder. This oversight left a window where a malicious LNK file could cause the system to reach out to an attacker‑controlled server without any user interaction.
Emergence of CVE‑2026‑32202
The incomplete mitigation gave rise to a new vulnerability, catalogued as CVE‑2026‑32202, an authentication‑coercion flaw. Akamai reported that simply rendering the contents of a folder containing a specially crafted LNK file prompts Windows Explorer to ask the shell32 component to fetch an icon from a UNC path. This action triggers an automatic Server Message Block (SMB) connection to the attacker’s server, which in turn initiates an NTLM authentication handshake. The victim’s Net‑NTLMv2 hash is transmitted to the attacker, where it can be captured for NTLM relay attacks or offline cracking—all without the user clicking anything.
Technical Details of the Zero‑Click Attack
Akamai’s analysis highlighted how the attack chain unfolds:
- A malicious LNK file is placed in a directory accessible to the victim (e.g., via a downloaded archive or a network share).
- When Windows Explorer renders the folder’s contents, it calls shell32 to obtain the icon associated with the LNK file.
- The LNK file contains a UNC path pointing to a server controlled by the attacker (e.g., \\attacker[.]server\share\icon.ico).
- The shell32 call triggers an SMB session establishment to that UNC path.
- During the SMB negotiation, the Windows client automatically supplies its Net‑NTLMv2 credential hash as part of the authentication handshake.
- The attacker collects the hash, enabling further credential‑theft techniques such as relay attacks against other services or brute‑force cracking offline.
Because the hash transmission occurs during a benign‑looking file‑enumeration operation, the victim experiences no visible prompt, making the attack truly zero‑click.
Microsoft’s Response and Patch Release
Following Akamai’s responsible disclosure, Microsoft issued a fix for CVE‑2026‑32202 as part of the April 2026 Patch Tuesday updates. The company’s security advisory flags the defect as “exploited” but, consistent with its earlier communications, refrains from providing detailed telemetry about the observed exploitation. The patch addresses the missing verification step by ensuring that SmartScreen and zone checks are performed before any Shell‑namespace icon retrieval, thereby preventing the automatic SMB connection and NTLM hash leakage.
Attribution and Timing of the Attacks
Akamai assesses that APT28 likely began exploiting the chain of vulnerabilities as early as December 2025, well before the February patches were released. The timing aligns with heightened geopolitical tensions involving Ukraine and EU entities, suggesting the group’s focus on gaining persistent access to strategic targets. The use of LNK files—commonly overlooked as benign shortcuts—allowed the adversary to slip past many endpoint‑detection solutions that focus on executable payloads rather than file‑metadata abuse.
Implications for Organizations
This incident underscores several critical lessons for defenders:
- Patch Completeness Matters – A patch that addresses only part of an exploit chain can leave a residual vulnerability that enables alternative attack vectors, such as credential theft.
- Monitor Shell Namespace Activity – Unusual SMB connections triggered by file‑enumeration operations (especially to external UNC paths) should be flagged and investigated.
- Enforce Network‑Level Protections – Blocking outbound SMB to untrusted destinations and requiring authentication for SMB shares can mitigate NTLM‑hash leakage even if a client is compromised.
- Assume Zero‑Click Exploits Exist – Security controls must not rely solely on user interaction as a safeguard; techniques that exploit automatic OS behaviors need equivalent scrutiny.
By applying these measures, organizations can reduce the risk of similar zero‑click, credential‑theft campaigns leveraging Windows Shell parsing mechanisms.
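The attack chain above and the monitoring advice in the list both come down to one observable: the Windows shell (explorer.exe) initiating an SMB session to a host outside the organisation's own address space during an ordinary folder render. The following is an added example (not Akamai's, Microsoft's, or any vendor's code) of detection logic for that observable. It scans Sysmon Event ID 3 (network connection) records; the Sysmon field names are real, but the key=value text layout, the timestamps, the user names and the addresses are constructed for this example, and the list of internal ranges and of shell‑hosting processes are assumptions an operator would replace with their own.

```python
"""Flag outbound SMB connections from the Windows shell to external hosts.

Added example, not code from the article or from Akamai/Microsoft. It looks
for the pattern the article describes: explorer.exe opening an SMB session
(TCP 445/139) to a host outside the organisation's own address space, which
is what a UNC icon path in a rendered LNK file produces. Field names follow
Sysmon's Event ID 3 schema; the text layout and sample values are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the organisation's internal ranges. Anything else is external.
# ipaddress.is_private is deliberately not used: it also classifies the
# RFC 5737 documentation ranges used in the sample below as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
SMB_PORTS = {445, 139}
# Assumption: processes that render folder contents through the Shell
# namespace and therefore never need an SMB session to an internet host.
SHELL_IMAGES = {"explorer.exe"}

# key=value pairs whose values may contain spaces (paths, "NT AUTHORITY\SYSTEM")
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    time: str
    image: str
    user: str
    dest_ip: str
    dest_port: int
    severity: str
    reason: str


def parse_record(line: str) -> dict:
    """Split 'YYYY-MM-DD HH:MM:SS.mmm key=value ...' into a dict of fields."""
    date, clock, rest = line.strip().split(" ", 2)
    rec = {k: v for k, v in _KV.findall(rest)}
    rec["UtcTime"] = f"{date} {clock}"
    return rec


def is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding for outbound SMB to an external host, else None."""
    if rec.get("Initiated", "").lower() != "true":      # only client-side opens
        return None
    port = int(rec.get("DestinationPort", 0))
    if port not in SMB_PORTS or not is_external(rec["DestinationIp"]):
        return None
    image = rec.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in SHELL_IMAGES:
        sev = "high"
        why = "shell process opened SMB to external host (possible icon-path coercion)"
    else:
        sev = "medium"
        why = "outbound SMB to external host (should be blocked at the egress)"
    return Finding(rec["UtcTime"], image, rec.get("User", "?"),
                   rec["DestinationIp"], port, sev, why)


def scan(lines) -> list:
    """Run classify() over raw log lines and keep only the hits."""
    return [f for f in (classify(parse_record(l)) for l in lines if l.strip()) if f]


# Constructed sample records (not real telemetry). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_LOG = r"""
2026-04-14 10:02:11.123 Image=C:\Windows\explorer.exe DestinationIp=10.0.5.20 DestinationPort=445 Initiated=true User=CORP\alice
2026-04-14 10:02:12.456 Image=C:\Windows\explorer.exe DestinationIp=203.0.113.77 DestinationPort=445 Initiated=true User=CORP\alice
2026-04-14 10:02:13.789 Image=C:\Program Files\Backup\agent.exe DestinationIp=198.51.100.9 DestinationPort=445 Initiated=true User=NT AUTHORITY\SYSTEM
2026-04-14 10:02:14.000 Image=C:\Windows\explorer.exe DestinationIp=203.0.113.77 DestinationPort=443 Initiated=true User=CORP\alice
2026-04-14 10:02:15.500 Image=System DestinationIp=203.0.113.77 DestinationPort=445 Initiated=false User=NT AUTHORITY\SYSTEM
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.time} {f.user} {f.image} -> "
              f"{f.dest_ip}:{f.dest_port}: {f.reason}")
```

Two of the five constructed records are flagged: the explorer.exe session to 203.0.113.77:445 as high (the zero‑click pattern) and the backup agent's SMB session to 198.51.100.9 as medium (legitimate or not, outbound SMB to the internet is what the network‑level protection in the list is meant to stop). Sessions to the internal file server, to port 443, and inbound connections are ignored. The severity split reflects the article's point: an egress block on TCP 445 removes the whole class, while the explorer.exe‑specific rule is the signal to hunt for where that block is not yet in place.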
Conclusion
The story of CVE‑2026‑21510, CVE‑2026‑21513, and the subsequent CVE‑2026‑32202 illustrates how a seemingly isolated patch gap can be turned into a potent zero‑click attack by a sophisticated nation‑state actor. APT28’s exploitation of these flaws to steal NTLM hashes and achieve remote code execution against Ukrainian and EU targets demonstrates the continuing evolution of threat tactics that abuse legitimate OS features. Timely, comprehensive patching, vigilant monitoring of abnormal filesystem‑and‑network interactions, and layered defenses are essential to mitigate such threats.