Microsoft Confirms Active Exploitation of Windows Shell Vulnerability CVE-2026-32202

by Sophie Williams

Microsoft has updated its security advisory to confirm that a critical Windows Shell vulnerability, tracked as CVE-2026-32202, is being actively exploited by attackers in the wild. The flaw, which carries a CVSS score of 4.3, was patched in the company’s April 2026 Patch Tuesday update, but not before cybercriminals began leveraging it to access sensitive user data.

The vulnerability stems from a spoofing weakness in Windows Shell, the core interface of the operating system that handles user interactions. According to Microsoft’s revised alert, an attacker could exploit the flaw by tricking a victim into opening a malicious file, which would then allow unauthorized access to certain sensitive information. While the company clarified that the exploit does not grant full system control—limiting attackers to viewing (but not altering) data—it still poses a significant risk to users and organizations.

Security researchers have traced the origins of CVE-2026-32202 to an incomplete patch for an earlier vulnerability, CVE-2026-21510, which Microsoft addressed in February 2026. That earlier flaw, rated with a far more severe CVSS score of 8.8, was part of an exploit chain weaponized by the Russian state-sponsored hacking group APT28 (also known as Fancy Bear, Forest Blizzard, or Pawn Storm). The group, which has been linked to cyber espionage campaigns targeting Ukraine and European Union nations since December 2025, used the vulnerability to bypass security protections and execute malicious code.

Akamai security researcher Maor Dahan, who discovered and reported CVE-2026-32202, described it as a zero-click vulnerability—meaning it can be exploited without any user interaction. The flaw allows attackers to circumvent the SmartScreen filter, a built-in Windows security feature designed to block malicious downloads and websites. By manipulating how Windows processes remote file paths, attackers can force the system to automatically authenticate with an external server under their control, enabling the theft of NTLMv2 hashes—a type of credential data that can be used in pass-the-hash attacks to impersonate legitimate users.

Microsoft initially published incorrect details about the vulnerability’s Exploitability Index, Exploited flag, and CVSS vector when it released the patch on April 14, 2026. The company corrected these errors on April 27, acknowledging that the flaw was already being actively exploited. While Microsoft has not disclosed specifics about the ongoing attacks, the confirmation underscores the urgency for users to apply the latest security updates.

The discovery highlights the challenges of securing complex operating systems, where even well-intentioned patches can introduce new vulnerabilities. In this case, Microsoft’s attempt to fix CVE-2026-21510 inadvertently left a gap that attackers could exploit to harvest credentials rather than execute code. The incident serves as a reminder of the cat-and-mouse nature of cybersecurity, where defenders must constantly adapt to evolving threats.

For businesses and individual users, the exploit’s ability to operate without user interaction makes it particularly dangerous. Organizations are advised to prioritize installing the April 2026 Patch Tuesday updates and monitor for unusual authentication attempts. Security experts also recommend enabling SMB signing and enhanced protection mechanisms to mitigate the risk of credential theft.
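As an added illustration of the "monitor for unusual authentication attempts" advice (example code written for this article, not from Microsoft or Akamai), the script below scans firewall-style connection logs for workstations opening SMB sessions to non-internal addresses, which is the outbound leg of the coerced authentication described above. The log format, the sample lines and the internal address ranges are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines (not real traffic): "timestamp src dst dport action".
SAMPLE_LOG = """\
2026-04-15T09:12:01Z 10.0.4.21 10.0.4.5 445 ALLOW
2026-04-15T09:12:07Z 10.0.4.21 203.0.113.45 445 ALLOW
2026-04-15T09:12:09Z 10.0.4.33 192.168.1.10 443 ALLOW
2026-04-15T09:13:44Z 10.0.4.21 198.51.100.7 139 ALLOW
2026-04-15T09:14:02Z 10.0.4.40 203.0.113.45 443 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")
SMB_PORTS = {139, 445}

# Explicit list of ranges treated as internal; extend with your own public or
# partner ranges. (ipaddress.is_private is not used because it also classifies
# the RFC 5737 documentation ranges as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(addr: str) -> bool:
    """True when the destination falls outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Return entries where a host opened SMB (139/445) to an external address.
    A client talking SMB to the Internet is what a leaked NTLM authentication
    looks like at the network edge, whatever the trigger on the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, dport, action = m.groups()
        if int(dport) in SMB_PORTS and is_external(dst):
            hits.append({"time": ts, "src": src, "dst": dst, "port": dport, "action": action})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged connections per source host for quick triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_external_smb(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['src']} -> {h['dst']}:{h['port']} external SMB ({h['action']})")
    print(summarize(found))
```

Blocking outbound TCP 139/445 at the perimeter turns these allowed connections into denied ones, so the same scan also verifies that such a rule is in effect.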

The active exploitation of CVE-2026-32202 arrives at a time when cyber threats targeting Windows systems are escalating. With state-sponsored groups like APT28 continuing to refine their tactics, the need for robust, proactive security measures has never been more critical. As Microsoft and other tech giants work to stay ahead of these threats, users must remain vigilant, ensuring their systems are updated and protected against even the most subtle vulnerabilities.

Microsoft has confirmed active exploitation of a Windows Shell vulnerability patched in its April 2026 security update. (Image: Microsoft)

For more details, Microsoft’s official advisory on CVE-2026-32202 provides technical guidance for affected users.
