
Windows zero-day CVE-2026-32202 confirmed as exploited

CVE-2026-32202 allows attackers to steal NTLMv2 hashes from Windows systems without any user interaction beyond browsing a folder. (Image: Magnific.com)
CISA has ordered federal agencies to patch CVE-2026-32202, a zero-click Windows Shell flaw that an incomplete February fix left open and that is now confirmed as exploited.

A Windows Shell vulnerability patched in this month's Patch Tuesday has been confirmed as actively exploited in the wild. CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog today, ordering US federal agencies to patch by May 12. The flaw exists because Microsoft's February 2026 fix for a related vulnerability left an authentication gap that attackers have since used.

The original flaw, CVE-2026-21510, was a Windows Shell protection mechanism failure exploited in attacks against Ukraine and EU countries in December 2025. Microsoft patched CVE-2026-21510 in February and marked it as actively exploited at the time. What it did not flag was that the patch left a gap.

How the incomplete fix left a door open

Cybersecurity firm Akamai analysed the February patch and found the fix blocked the remote code execution component but left an authentication coercion vector open. When Windows Explorer renders a folder containing a malicious LNK shortcut file, it automatically resolves any UNC path embedded in that file. If that path points to an attacker-controlled server, Windows initiates an SMB connection and sends the victim's NTLMv2 hash to the attacker without the victim needing to open or execute the file.

Simply browsing the folder where the shortcut was downloaded is enough to trigger it.
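As a defender-side triage check for the behaviour described above, here is an added Python example (not code from the article, Akamai or Microsoft) that scans a folder for .lnk files whose embedded UNC paths point at hosts outside an allowlist, so that such shortcuts can be quarantined before Explorer renders them. The allowlist values (TRUSTED_HOSTS, TRUSTED_NETS) and the sample shortcut bytes are assumptions constructed for the example.

```python
import ipaddress
import re
from pathlib import Path

# Constructed allowlist for the example: hosts and ranges that legitimately serve shortcuts.
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Shell Link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
_LNK_MAGIC = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# UNC path "\\host\share..." matched in both encodings a .lnk uses for strings: ASCII and UTF-16LE.
_ASCII_UNC = re.compile(rb"\\\\([A-Za-z0-9][A-Za-z0-9._\-]*)\\")
_UTF16_UNC = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._\-]\x00)+)\\\x00")

def is_shortcut(data: bytes) -> bool:
    """True if the bytes start with a Shell Link (.lnk) header."""
    return data.startswith(_LNK_MAGIC)

def extract_unc_hosts(data: bytes) -> set[str]:
    """Every host named by a UNC path anywhere in the raw shortcut bytes."""
    hosts = {m.group(1).decode("ascii") for m in _ASCII_UNC.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le") for m in _UTF16_UNC.finditer(data)}
    return hosts

def is_trusted(host: str) -> bool:
    """Allowlist check by name, or by address range when the host is an IP literal."""
    if host.lower() in TRUSTED_HOSTS:
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return False

def suspicious_hosts(data: bytes) -> set[str]:
    """UNC hosts that Explorer would contact on render and that are not on the allowlist."""
    return {h for h in extract_unc_hosts(data) if not is_trusted(h)}

def scan_folder(folder: str) -> dict[str, set[str]]:
    """Map each .lnk under folder (e.g. a Downloads directory) to its untrusted UNC hosts."""
    findings = {}
    for path in Path(folder).rglob("*.lnk"):
        data = path.read_bytes()
        if is_shortcut(data) and (bad := suspicious_hosts(data)):
            findings[str(path)] = bad
    return findings

# Constructed sample: valid header, one internal ASCII UNC path, one external UTF-16LE icon path.
SAMPLE_LNK = (_LNK_MAGIC + b"\x00" * 56
              + b"\\\\10.0.5.20\\public\\\x00"
              + "\\\\203.0.113.7\\share\\icon.ico".encode("utf-16-le"))
```

This is a byte-pattern heuristic rather than a full Shell Link parser, so treat a hit as a triage signal and an empty result as not conclusive.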

That residual gap became CVE-2026-32202. Microsoft patched it in April's Patch Tuesday on April 14, but initially did not flag it as exploited. On April 27, Microsoft updated the advisory to correct the exploitability index and confirm active exploitation. CISA added it to the KEV catalog today.

Why the CVSS score is misleading

CVE-2026-32202 carries a CVSS score of 4.3, sitting in the medium severity range. That number understates the real risk. The stolen NTLMv2 hash can be used in relay attacks to authenticate as the compromised user across other systems on the same network, or cracked offline to recover the plaintext password.

In practice, the attack chain gives an adversary a route to lateral movement and privilege escalation, not just a limited information disclosure.

The fix is included in the April 2026 cumulative update KB5083769 for Windows 11 versions 24H2 and 25H2. That is the same update currently causing boot loops on a subset of HP and Dell machines. Users who have not yet applied it remain exposed to a confirmed zero-click credential theft vector. Anyone already caught by the KB5083769 boot loop issue should follow Microsoft's recovery guidance before applying the update.

Microsoft is, strangely, force-upgrading unmanaged Windows 11 24H2 PCs to 25H2 ahead of the October 13 end of support, even as KB5083769 is still sending some machines into unrecoverable boot loops.

Darryl Linington, 2026-04-29 (Update: 2026-04-30)