Microsoft fixed CVE-2026-32202 in April 2026 Patch Tuesday this is a zero-click Windows Shell vulnerability caused by an incomplete patch for CVE-2026-21510. APT28 also known as Fancy Bear has been attacking Ukraine and EU countries since December 2025 with malicious LNK files that pass the victims Net-NTLMv2 hash to the attacker without any clicks.
In cybersecurity an incomplete patch can sometimes prove more dangerous than the actual vulnerability because defenders think the issue is solved while the attacker finds a new way in. This is what happened with APT28 and this is what Akamai researchers exposed in April 2026.
Akamai researchers identified that an incomplete patch for CVE-2026-21510 introduced a completely new zero-click vulnerability CVE-2026-32202, in which Microsoft’s February 2026 fix prevented RCE and SmartScreen bypass, but left behind a zero-click authentication coercion flaw that allowed victims to authenticate with the attacker’s server without any user interaction.
This initial vulnerability was exploited by APT28 also known as Fancy Bear in attacks against Ukraine and EU countries. The campaign, which has been ongoing since December 2025, used weaponized LNK files that chained both CVE-2026-21513 and CVE-2026-21510 together to bypass Windows security features and achieve remote code execution.
Akamai security researcher Maor Dahan, who is credited with discovering and reporting the bug, confirmed that CVE-2026-21510 was weaponized by APT28 as part of an exploit chain with CVE-2026-21513. CVE-2026-21510 is a protection mechanism failure in Windows Shell that allows unauthorized attackers to bypass security features on the network while CVE-2026-21513 is a protection mechanism failure in the MSHTML Framework. Both were fixed in February 2026.
CVE-2026-21510 was also added to CISAs Known Exploited Vulnerabilities catalog and federal agencies had a March 3, 2026 patch deadline. This means real-world exploitation was confirmed enough that the government took immediate action.
Windows Shell Namespace Attack Starting Point
APT28 exploited the Windows shell namespace parsing mechanism to load a dynamic link library DLL from a remote server using a UNC path. This DLL was loaded as part of Control Panel CPL objects without proper network zone validation and was a way to completely bypass SmartScreen and Mark of the Web MOTW checks.

The core of the attack was a malicious LNK file containing a crafted LinkTargetIDList structure with three key components: first the CLSID of the Control Panel COM object second an entry for all control panel items and third an _IDCONTROLW structure with an embedded UNC path pointing to the attackers remote server. When the victims explorer.exe parses this LNK file Windows loads the malicious path as a Control Panel component without SmartScreen or MotW verification.

Microsoft introduced a new COM object ControlPanelLinkSite in February 2026 when it patched CVE-2026-21510 which acts as a bridge between the CPL launch path and ShellExecutes trust verification mechanism. The patch introduced a new fMask bit, 0x08000000 which signals the ShellExecute pipeline to search for a trust verification object.

This object implements VerifyingTrust and triggers SmartScreen verification of the CPL files digital signature and origin zone before execution. Akamai confirmed with its PatchDiff-AI tool that the fix successfully blocked the RCE vector unsigned or remote CPLs were no longer executed silently.
But here’s what makes this whole story truly alarming. Akamai researchers noticed that even after the patch was applied and the victim machine was still authenticating with the attackers server. Trust verification fires at the very end of the CPL launch chain, during the ShellExecute call.
But a much earlier trigger existed in CControlPanelFolder::GetUIObjectOf the function that Windows Explorer calls to render the icon of a CPL IDList item when a folder is opened. Within this chain, a PathFileExistsW call to GetModuleMapped resolves the UNC path and initiates an SMB connection to the attackers server when the folder containing the malicious LNK file is opened without any user click.
When a UNC path is resolved, such as \attacker.com\share\payload.cpl Windows automatically triggers an NTLM authentication handshake and the victims Net-NTLMv2 hash is transmitted to the attackers server. These credentials can later be used for NTLM relay attacks or offline password cracking and all without any user interaction simply by navigating the folder.
This residual flaw classified as CVE-2026-32202 with a CVSS score of 4.3, officially describes a protection mechanism failure in Windows Shell that allows unauthorized attackers to perform spoofing on a network. Microsoft released a fix for this flaw in the April 2026 Patch Tuesday issue and flagged it as actively exploited in the wild in its advisory but did not share details of the observed attacks.
Exploitation of CVE-2026-21510 did not require any complex memory corruption or sandbox escape and it relied solely on flawed prompt suppression in shell processing which making it exceptionally useful for ransomware deployment, data exfiltration, persistence and lateral movement.
Organizations should immediately apply Microsofts April 2026 Patch Tuesday update. Security teams should monitor suspicious executions triggered by LNK, URL and SCF shortcut files especially when these files come from external sources or lead to unauthorized network activity and should closely track outbound SMB traffic to external hosts.
This vulnerability triage clearly shows how dangerous incomplete patches can be. Microsoft released the initial RCE fix but the authentication coercion flaw remained a gap between path resolution and trust verification that allowed a zero-click credential theft vector to remain alive via auto-parsed LNK files.