Second try's a charm?
# Vulnerability: Windows Shell Authentication Coercion (Patch Bypass)
## CVE Details
- **CVE ID:** CVE-2026-32202
- **CVSS Score:** N/A (Disclosed as "Important" severity by vendor)
- **CWE:** CWE-613 (Insufficient Session Expiration) / CWE-200 (Information Exposure); vulnerability class: authentication coercion
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Multiple versions of Windows (specifically those still in support as of April 2026).
- **Configurations:** Systems where the Windows Shell automatically parses LNK files; exposure is greatest in network environments where NTLM authentication is enabled.
## Vulnerability Description
CVE-2026-32202 is an authentication coercion vulnerability in the Windows Shell. It originated from an incomplete fix for **CVE-2026-21510**, which was a flaw previously exploited by APT28 (Forest Blizzard/Fancy Bear).
The vulnerability exists in the logic handling path resolution for LNK files. While the February patch blocked the initial Remote Code Execution (RCE) and SmartScreen bypass, a gap remains between path resolution and trust verification. When the Windows Shell auto-parses a malicious LNK file, it triggers a "zero-click" connection to a remote server. This forces the victim's machine to attempt authentication, sending the user's **Net-NTLMv2 hash** to the attacker’s infrastructure.
## Exploitation
- **Status:** **Exploited in the wild.** (Added to CISA KEV catalog on April 28, 2026).
- **Complexity:** Low
- **Attack Vector:** Network (Zero-click via spoofing or malicious file delivery).
## Impact
- **Confidentiality:** High (Theft of Net-NTLMv2 hashes allows for credential cracking or NTLM relay attacks to access sensitive data).
- **Integrity:** Medium (Potential for unauthorized access as the victim user).
- **Availability:** Low
## Remediation
### Patches
- **Microsoft April 2026 Patch Tuesday:** This update specifically addresses CVE-2026-32202. Users should ensure all cumulative updates for April 2026 are applied.
### Workarounds
- **Restrict NTLM:** Disable NTLM authentication where possible or use "Restrict NTLM" group policy settings to prevent outgoing NTLM traffic to the internet.
- **SMB Signing/Encryption:** Ensure SMB signing is enforced to mitigate relay potential.
- **Firewall Rules:** Block outbound ports 445 (SMB) and 137-139 to external/untrusted IP addresses at the perimeter.
## Detection
- **Indicators of Compromise:** Unusual outbound SMB traffic to unknown external IP addresses, particularly originating from `explorer.exe`.
- **Detection Methods:**
  - Monitor for the Windows event IDs associated with NTLM authentication (e.g., Event ID 4624/4625, filtered on the NTLM authentication package and version).
  - Use Akamai’s research guidance to identify LNK files pointing to remote UNC paths.
  - CISA KEV Catalog tracking: Federal agencies must remediate by May 12, 2026.
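To put the LNK triage step from the detection list into practice, here is an added example (not code from the page, Akamai or Microsoft) that walks the MS-SHLLINK layout of a shortcut and reports every field that would make the shell resolve a `\\host\share` path: the network share name in LinkInfo and any of the StringData fields (name, relative path, working directory, arguments, icon location). The shortcut it scans is constructed inline with a TEST-NET address; it is not a real sample.

```python
import struct

# MS-SHLLINK LinkFlags (low byte), listed in the order the StringData fields appear.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def find_unc_references(data: bytes) -> list:
    """Return the UNC strings the shell would resolve when it parses this LNK file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, found = 76, []
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList (uint16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfo may carry a CommonNetworkRelativeLink
        li_size, _, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x2:                       # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = pos + struct.unpack_from("<I", data, pos + 20)[0]
            name_off = struct.unpack_from("<I", data, cnrl + 8)[0]
            end = data.index(b"\x00", cnrl + name_off)
            found.append(data[cnrl + name_off:end].decode("cp1252"))
        pos += li_size
    width = 2 if flags & IS_UNICODE else 1
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        raw = data[pos + 2:pos + 2 + count * width]
        text = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
        if text.startswith("\\\\"):
            found.append(text)
    return found


def build_lnk(flags: int, icon_location: str) -> bytes:
    """Construct a minimal LNK with only an IconLocation string (constructed test data)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(76 - 24)
    icon = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + icon + b"\x00\x00\x00\x00"      # trailing ExtraData terminal block


if __name__ == "__main__":
    # 203.0.113.5 is a TEST-NET-3 address used only as a constructed sample value.
    suspicious = build_lnk(HAS_ICON | IS_UNICODE, r"\\203.0.113.5\share\icon.ico")
    print(find_unc_references(suspicious))
```

Running it over a directory of `.lnk` files from mail attachments or user download folders gives a quick list of shortcuts that would trigger an outbound SMB connection just by being rendered.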
## References
- **MSRC Advisory:** hxxps://msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-32202
- **CISA KEV Catalog:** hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Researcher Write-up:** hxxps://www[.]akamai[.]com/blog/security-research/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
- **Ukrainian CERT:** hxxp://cert[.]gov[.]ua/article/6287250