Earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency added a new Windows vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch it by May 12, 2026. That deadline is this coming Monday.
The flaw, tracked as CVE-2026-32202, is an unusual case - it exists because a previous patch was incomplete. Fixing one problem left a different door open. And the original vulnerability was being actively exploited by APT28, Russia's most extensively documented state-sponsored hacking group, in attacks against Ukraine and EU countries.
CISA's patching order applies specifically to federal civilian agencies. But CISA explicitly urges all organizations - businesses included - to treat this as a priority. Windows is the backbone of most small and mid-sized businesses, and this particular flaw has a property that makes it worth understanding: it can steal credentials without requiring the victim to click on anything.
Here is the full story, what it means in practical terms, and what to do about it.
The Story Behind the Incomplete Patch
To understand CVE-2026-32202, you need a bit of background on where it came from.
In December 2025, Ukraine's national cyber defense team (CERT-UA) documented an active attack campaign by APT28, a Russian state-sponsored group also known as Fancy Bear. The attackers were targeting government and infrastructure organizations in Ukraine and several EU countries by distributing malicious Windows shortcut (.lnk) files through phishing emails and downloads.
Akamai security researcher Maor Dahan identified two vulnerabilities being chained in this campaign: CVE-2026-21510, which enabled remote code execution, and CVE-2026-21513, a bypass of Microsoft Defender SmartScreen. According to Akamai's research, Microsoft patched both in February 2026.
While analyzing the February patch, Akamai found that CVE-2026-21510's fix was not complete. Microsoft's update successfully blocked the remote code execution path - but it missed an earlier step in the attack chain. The victim's machine was still automatically authenticating to the attacker's server after patching.
Akamai disclosed this finding to Microsoft. Microsoft released a fix in April 2026 Patch Tuesday as CVE-2026-32202. CISA then added it to the KEV catalog this week with the May 12 deadline.
What CVE-2026-32202 Actually Does
How the zero-click part works
Windows LNK files can contain references to remote network paths using what's called a UNC path - a network address of the form \\server\share. When Windows Explorer renders a folder containing an LNK file, it automatically tries to resolve these paths to display icons and metadata, even before you open or click on anything.
According to SecurityWeek's analysis, the exploit takes advantage of Windows shell namespace parsing. A crafted LNK file can embed a UNC path pointing to an attacker-controlled server inside its binary data structure. When Windows Explorer renders the folder containing this file, it contacts the attacker's server to fetch an icon. That contact triggers an automatic NTLM authentication handshake - Windows answers the server's challenge with a response derived from the user's password hash (the Net-NTLMv2 hash discussed below), so the attacker's server receives that credential material without the user doing anything at all.
This is the zero-click aspect. You do not open the file. You do not click it. You simply browse to the folder it's sitting in, and your credentials are already on their way out.
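Because the trigger is simply a shortcut sitting in a browsed folder, a useful defensive step is to find LNK files on your shares that reference remote hosts at all. The script below is an added example written for this article, not code from the original post or from any of the researchers it cites. It reads each file's raw bytes and never asks the shell to load or resolve the shortcut, so the scan itself does not trigger the icon lookup. The trusted-host patterns and the share path are constructed placeholders; it is a string-search heuristic that catches UNC paths stored as readable ANSI or UTF-16 text, not a full Shell Link parser.

```powershell
# Added example, not from the original article: read-only triage scan for .lnk
# files that embed a UNC (\\server\share) reference. Raw byte reads only; the
# shell is never asked to resolve the shortcut, so scanning does not trigger
# the icon fetch described above. Heuristic: catches UNC paths stored as
# readable ANSI or UTF-16 text (icon-location and network-link fields), but it
# is not a complete Shell Link parser.

function Find-LnkWithUncReference {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hostname patterns you expect in legitimate shortcuts
        # (constructed defaults; replace with your own file servers)
        [string[]] $TrustedHostPattern = @('^fileserver01$', '^fs\d+(\.corp\.example)?$')
    )

    # Two leading backslashes, a host label, then the share separator
    $uncRegex = [regex] '\\\\([A-Za-z0-9][A-Za-z0-9._-]{0,252})\\'

    Get-ChildItem -Path $Path -Filter '*.lnk' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            $bytes = [System.IO.File]::ReadAllBytes($file.FullName)

            # Every Shell Link file begins with a 0x4C-byte header whose first
            # field is its own size (0x0000004C); skip anything that is not one.
            if ($bytes.Length -lt 0x4C -or $bytes[0] -ne 0x4C) { return }

            # String data may be ANSI or UTF-16LE (IsUnicode flag), and a UTF-16
            # string can start at an odd offset, so decode three ways and merge.
            $views = @(
                [System.Text.Encoding]::ASCII.GetString($bytes),
                [System.Text.Encoding]::Unicode.GetString($bytes),
                [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1)
            )
            $hosts = foreach ($v in $views) {
                foreach ($m in $uncRegex.Matches($v)) { $m.Groups[1].Value }
            }

            foreach ($h in ($hosts | Sort-Object -Unique)) {
                $trusted = $false
                foreach ($p in $TrustedHostPattern) { if ($h -match $p) { $trusted = $true } }
                [pscustomobject]@{
                    File        = $file.FullName
                    UncHost     = $h
                    # A bare IP literal is the case most worth a closer look
                    IsIpLiteral = [bool]($h -match '^\d{1,3}(\.\d{1,3}){3}$')
                    Trusted     = $trusted
                    Modified    = $file.LastWriteTime
                }
            }
        }
}

# Usage: scan a department share and list only references to hosts you do not recognise
Find-LnkWithUncReference -Path '\\fileserver01\Shared' |
    Where-Object { -not $_.Trusted } |
    Sort-Object IsIpLiteral -Descending |
    Format-Table -AutoSize
```

Legitimate shortcuts to internal file servers will match too, which is why the output carries a Trusted flag rather than deleting anything; review the untrusted hits, and treat a recently modified shortcut pointing at an unfamiliar host or a raw IP address as the item to investigate first.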
What attackers do with the stolen hash
The hash that gets stolen is a Net-NTLMv2 hash. This is not the plaintext password, but for an attacker it is often just as useful. There are two main ways to weaponize it.
The first is pass-the-hash attacks. Depending on your network's configuration, an attacker can use the captured hash to authenticate as that user against other systems - file shares, internal applications, domain resources - without cracking the underlying password at all. This is how attackers achieve lateral movement inside a network after an initial compromise.
The second is offline cracking. The Net-NTLMv2 hash can be taken offline and run against a password dictionary using GPU-accelerated tools. A common 8-character business password with mixed case and a number can fall in hours depending on hardware. Simple passwords go even faster.
Either way, the end result is that an attacker gets working credentials for your Windows environment.
Why This Affects Small Businesses, Not Just Government
You might read "APT28 targeting Ukraine" and reasonably assume this has nothing to do with a 40-person law firm or a car dealership in Southern California. That assumption deserves a closer look.
State-sponsored groups develop and test techniques against high-value geopolitical targets first. Once those exploits become public through CVE disclosures and security research, criminal groups pick them up and adapt them for broader use. Ransomware affiliates, business email compromise actors, and automated credential-harvesting campaigns all run on techniques originally developed by nation-state actors. This is a documented pattern that repeats consistently.
The specific mechanism here - NTLM authentication coercion via Windows shell parsing - is not new as a category. It is a variation of techniques that have circulated in criminal toolkits for years. CVE-2026-32202 is a new, unpatched-until-April variant of a well-worn approach.
Any business with unpatched Windows systems is exposed if an attacker can get a malicious LNK file into a location that someone browses to. That includes shared network drives, USB drops, email attachments that land in a synced folder, or compromised cloud sync directories like OneDrive or Dropbox.
The attack does not require the attacker to already be inside your network. They just need someone to browse to a folder containing the file.
How to Check if Your Systems Are Patched
The fix for CVE-2026-32202 shipped in Microsoft's April 2026 Patch Tuesday. If your Windows systems are current on patches, you are already protected. Here is how to verify.
On Windows 10 and Windows 11 workstations
Open Settings and go to Windows Update. Click Check for updates and let the scan run. Apply any pending updates and restart. To confirm you have the April cumulative update, go to Settings, then System, then About and review the OS build number. Any build updated on or after April 8, 2026 includes the fix.
On Windows Server
Server systems often require manual patch management. In PowerShell, run Get-HotFix to see recently installed updates. Sort by InstalledOn date and confirm the April 2026 cumulative update appears. If it does not, apply it through Windows Update or WSUS and schedule a restart.
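The following script is an added example written for this article, not a tool from Microsoft or the original post. It wraps the Get-HotFix check above so it can run across several servers at once, and it also reads the same registry values that the Settings > System > About screen displays as the OS build, so it covers the workstation check too. The host names are constructed placeholders; remote hosts need WinRM for the build lookup and WMI/DCOM access for Get-HotFix.

```powershell
# Added example, not from the original article: confirm that a cumulative
# update from April 2026 or later is present on one or more hosts.
# Get-HotFix lists Win32_QuickFixEngineering entries; the cumulative update is
# normally the KB with the most recent InstalledOn date. Host names below are
# constructed placeholders.

function Get-PatchStatusReport {
    [CmdletBinding()]
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        # Updates installed before this date cannot contain the April 2026 fix
        [datetime] $Since = [datetime]'2026-04-01'
    )

    # Same registry values Settings > System > About shows as the OS build
    $buildScript = {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    }

    foreach ($computer in $ComputerName) {
        try {
            # Some QFE rows have no InstalledOn value; those are ignored here
            $fixes = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
                Sort-Object InstalledOn -Descending)

            if ($computer -ieq $env:COMPUTERNAME) { $build = & $buildScript }
            else { $build = Invoke-Command -ComputerName $computer -ScriptBlock $buildScript -ErrorAction Stop }

            if ($fixes.Count) {
                $latest = '{0} ({1:yyyy-MM-dd})' -f $fixes[0].HotFixID, $fixes[0].InstalledOn
            } else {
                $latest = 'none since ' + $Since.ToString('yyyy-MM-dd')
            }

            [pscustomobject]@{
                ComputerName   = $computer
                OsBuild        = $build
                LatestUpdate   = $latest
                NeedsAttention = ($fixes.Count -eq 0)
            }
        }
        catch {
            # An unreachable host is itself a finding: it may have slept through the patch window
            [pscustomobject]@{
                ComputerName   = $computer
                OsBuild        = $null
                LatestUpdate   = "ERROR: $($_.Exception.Message)"
                NeedsAttention = $true
            }
        }
    }
}

# Usage: hosts that need a look sort to the top
Get-PatchStatusReport -ComputerName 'dc01', 'fs01', 'app01' |
    Sort-Object NeedsAttention -Descending |
    Format-Table -AutoSize
```

Any row marked NeedsAttention either has no update newer than the start of April 2026 or could not be reached, and both deserve a manual look; a machine that was offline during the patch window shows up here the same way an RMM compliance report would surface it.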
If you use an RMM tool
If you work with an MSP or have a Remote Monitoring and Management platform, request a patch compliance report. A good RMM shows patch status across every managed endpoint in minutes - far faster than checking machines individually. This is also how you catch machines that were offline during the scheduled patch window and did not pick up the update automatically.
Hardening Your Environment Beyond the Patch
Patching CVE-2026-32202 is the immediate priority. But since NTLM credential coercion has appeared as an attack vector multiple times in recent years, here are a few configurations worth reviewing to reduce your broader exposure.
Block outbound SMB at the perimeter
The exploit requires your machine to make an outbound SMB connection on TCP port 445 to an attacker-controlled server on the internet. Most businesses have no legitimate reason for workstations to initiate outbound connections on port 445. Blocking this at your firewall stops the credential leak from reaching an external attacker, even if a machine has the malicious LNK file sitting in a browsed folder. This does not affect internal file sharing, which stays on your local network.
Enable SMB signing
SMB signing requires that all SMB traffic be digitally signed, which prevents NTLM relay attacks - where the attacker uses a stolen hash in real-time to authenticate against another system on your network. Windows Server 2022 has SMB signing required by default on domain controllers, but clients and older servers may not have it enforced. This is a Group Policy setting worth reviewing. If you are not sure where your environment stands, a network security audit will surface it quickly.
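Where you manage hosts directly rather than through Group Policy, the two controls above can also be applied and verified per machine. The script below is an added example written for this article, not code from Microsoft or the original post, and it is a host-level layer under the perimeter block, not a replacement for it. The address ranges assume that RFC 1918 space plus loopback is "internal" and that IPv6 SMB is not in use; adjust both to match your network, and run it from an elevated PowerShell session.

```powershell
# Added example, not from the original article: host-level defence in depth
# for NTLM coercion, to layer under the perimeter firewall rule. Assumes
# RFC 1918 + loopback are the only internal IPv4 ranges (edit to taste) and
# does not cover IPv6. Run elevated.

$RuleName = 'Block outbound SMB (TCP 445) to public addresses'

# Everything that is not 10/8, 127/8, 172.16/12 or 192.168/16. Listing the
# public ranges explicitly avoids depending on the firewall's Internet keyword.
$PublicIPv4Ranges = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Get-SmbHardeningState {
    # Read-only view of where this host stands
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutboundSmbBlocked       = [bool]$rule -and ($rule.Enabled -eq 'True')
        SmbClientSigningRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
        SmbServerSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
    }
}

function Set-SmbHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Stop host-initiated SMB from leaving for public addresses.
    #    Internal file shares on private addresses are untouched.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess('Windows Firewall', "Create rule '$RuleName'")) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
                -RemotePort 445 -RemoteAddress $PublicIPv4Ranges -Action Block -Profile Any | Out-Null
        }
    }

    # 2. Require SMB signing in both directions on this host, which defeats
    #    relaying a coerced authentication to another machine.
    if ($PSCmdlet.ShouldProcess('SMB client', 'Require security signature')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    if ($PSCmdlet.ShouldProcess('SMB server', 'Require security signature')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

# Usage: preview, apply, then verify
Set-SmbHardening -WhatIf
Set-SmbHardening
Get-SmbHardeningState
```

Requiring signing on the SMB server side of a host can break connections from very old clients that cannot sign, so check Get-SmbHardeningState on a representative machine and test file access before rolling the setting out broadly; the firewall rule carries less risk, since workstations rarely need SMB to public addresses at all.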
Review your NTLM usage
NTLM is an authentication protocol from the early 1990s. Modern Windows environments prefer Kerberos for domain authentication and Azure AD with modern auth for cloud-connected systems. If your environment still relies heavily on NTLM, reviewing Windows event logs - Event ID 4776 on domain controllers records NTLM authentications - helps you understand the scope. Reducing NTLM dependency is a longer-term project, but auditing where it is actually used is a good starting point.
Endpoint detection coverage
A capable endpoint detection and response (EDR) solution should flag unusual outbound SMB connections triggered by Windows Explorer. If your EDR can generate an alert when a machine initiates unexpected network connections during folder browsing, you get a second line of sight even on an unpatched system. The patch is the definitive fix - detection gives you a safety net in the meantime.
What This Episode Tells Us About Patch Management
One useful takeaway from this situation is that patch management is not as simple as applying updates and calling yourself protected. The February 2026 patch for CVE-2026-21510 addressed the most dangerous consequence of the APT28 exploit - remote code execution - while leaving a secondary mechanism unaddressed. Partial remediations like this happen more often than vendors publicize.
A structured vulnerability management program watches for exactly this kind of follow-on disclosure. CISA's Known Exploited Vulnerabilities catalog is a free resource that flags vulnerabilities being actively weaponized. Subscribing to KEV alerts at cisa.gov means you hear about situations like this within days of disclosure, not weeks later when attackers have had time to adapt the techniques for broader campaigns.
The broader point: multiple overlapping controls - patching, network controls, endpoint monitoring, and security awareness - create a situation where a single incomplete fix does not leave you fully exposed.
If you want help auditing your patch status, checking your firewall for outbound SMB exposure, or reviewing your NTLM configuration, our team is happy to take a look. You can reach us at (949) 381-1010 or through our contact page.
Frequently Asked Questions
Does this affect businesses using Microsoft 365?
Microsoft 365 is cloud-hosted and this vulnerability does not affect the M365 platform itself. The risk targets your Windows workstations and servers - the devices your employees use every day. If those machines are unpatched, they are vulnerable regardless of whether your email and apps live in the cloud. The exploit targets the endpoint's Windows authentication mechanism, not the cloud service.
We have antivirus. Does that protect us from this?
Traditional antivirus may not reliably detect this attack because the exploit triggers through legitimate Windows shell behavior - Explorer rendering a folder and resolving an icon path is normal activity. Modern EDR tools that monitor for unusual network behavior are better positioned to detect it. The April 2026 patch is the clean fix - detection tools are a supplement, not a substitute.
How do I know if someone already exploited this against my organization?
Check your firewall logs for outbound connection attempts on TCP port 445 from workstations to external IP addresses - that is the telltale sign of a coercion attempt. Also review Windows Security Event logs on your domain controller for Event ID 4776, which records NTLM credential validation events. Unusual NTLM authentications from unexpected sources or at odd hours can indicate credential use from a stolen hash. If you find anything suspicious, preserve your logs before cleaning up - understanding scope matters before you start remediation.
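The two checks in this answer, and the Event ID 4776 review suggested in the NTLM section above, can be scripted. What follows is an added example written for this article, not code from Microsoft or the original post. It parses the Windows Firewall log on an endpoint for outbound TCP 445 to public addresses (the perimeter firewall will have its own log format) and summarises 4776 events from a domain controller by workstation and account, flagging failures and after-hours activity. The domain controller name, log path, business hours and private address ranges are constructed placeholders, and Windows Firewall logging must be enabled for the first query to have any data.

```powershell
# Added example, not from the original article: two hunting queries for the
# indicators named above. DC name, log path, hours and address ranges are
# constructed placeholders.

function Test-PrivateIPv4 {
    param([string] $Ip)
    $o = $Ip -split '\.'
    if ($o.Count -ne 4) { return $false }   # IPv6 or malformed: not treated as private
    $a = [int]$o[0]; $b = [int]$o[1]
    return ($a -eq 10) -or ($a -eq 127) -or ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or ($a -eq 192 -and $b -eq 168)
}

# 1. Outbound TCP 445 from this host to a public address, read from the Windows
#    Firewall log (W3C format). Field order per the log's #Fields header:
#    date time action protocol src-ip dst-ip src-port dst-port ... path
function Find-OutboundSmbToPublic {
    param([string] $LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")

    Get-Content -Path $LogPath |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 9 -and $f[3] -eq 'TCP' -and $f[7] -eq '445' -and
                $f[-1] -eq 'SEND' -and -not (Test-PrivateIPv4 $f[5])) {
                [pscustomobject]@{
                    Time        = "$($f[0]) $($f[1])"
                    Action      = $f[2]     # DROP if a block rule caught it, ALLOW if it got out
                    Source      = $f[4]
                    Destination = $f[5]
                }
            }
        }
}

# 2. Event ID 4776 on a domain controller (NTLM credential validation), grouped
#    by source workstation and account, with failures and after-hours counts.
function Get-NtlmValidationSummary {
    param(
        [string] $ComputerName = 'dc01',
        [int] $Days = 7,
        [int] $BusinessStart = 7,    # 07:00 local
        [int] $BusinessEnd = 19      # 19:00 local
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction Stop

    $events | ForEach-Object {
        # Use the named EventData fields rather than parsing the message text
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['Workstation']
            Status      = $d['Status']      # 0x0 = success; anything else is a failure code
            AfterHours  = ($_.TimeCreated.Hour -lt $BusinessStart -or $_.TimeCreated.Hour -ge $BusinessEnd)
        }
    } | Group-Object Workstation, Account | ForEach-Object {
        [pscustomobject]@{
            Workstation = $_.Group[0].Workstation
            Account     = $_.Group[0].Account
            Attempts    = $_.Count
            Failures    = @($_.Group | Where-Object { $_.Status -ne '0x0' }).Count
            AfterHours  = @($_.Group | Where-Object { $_.AfterHours }).Count
            FirstSeen   = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        }
    } | Sort-Object AfterHours, Failures -Descending
}

# Usage
Find-OutboundSmbToPublic | Format-Table -AutoSize
Get-NtlmValidationSummary -ComputerName 'dc01' -Days 7 | Select-Object -First 25 | Format-Table -AutoSize
```

An ALLOW to a public destination on port 445 means the coercion attempt reached the outside before any block was in place, so that source machine is the one to examine first. In the 4776 summary, a workstation name you do not recognise, an account validating from a machine it never normally uses, or a cluster of after-hours attempts is what a stolen hash being replayed tends to look like; export the raw events before you start remediating so the scope is preserved.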
Some of our servers are not patched yet. How urgent is this?
With CISA ordering federal agencies to patch by May 12 and the vulnerability already flagged as actively exploited, treat this as a priority. If you can apply the April 2026 cumulative update and schedule a restart this week, do it. If patching requires a maintenance window or vendor coordination for specialty systems, implement the firewall control first - block outbound port 445 from those servers - as a temporary mitigation while you arrange the proper update.
Can this affect Mac or Linux machines on our network?
CVE-2026-32202 is specific to Windows. Mac, Linux, iOS, and Android devices are not vulnerable to this particular flaw. That said, if a Windows machine on the same network is compromised via this exploit and an attacker gains credentials with access to shared resources, those shared resources could still be affected. The Windows credential theft is the entry point - once attackers have working credentials, what they can reach depends on what those credentials have access to.