Ethical Hacking News
Microsoft has confirmed that CVE-2026-32202, a spoofing vulnerability in Windows Shell that was patched as part of its February 2026 Patch Tuesday update, has been actively exploited in the wild. The flaw stems from an incomplete fix for an earlier high-severity Windows Shell vulnerability, CVE-2026-21510, which the Russian nation-state group tracked as APT28 chained with CVE-2026-21513 in a campaign against Ukraine and E.U. nations. The chain is delivered through a malicious Windows Shortcut (LNK) file that bypasses Microsoft Defender SmartScreen and makes the shell load a DLL from an attacker-controlled UNC path. Exploitation requires the victim to open the shortcut, and the impact is limited to disclosure of some sensitive information: the attacker can perform spoofing over a network and read data, but cannot modify it or limit access to it.
Microsoft has revised its advisory for the now-patched security flaw in Windows Shell, acknowledging that it has been actively exploited in the wild. The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3, a Medium rating on the CVSS scale), a spoofing vulnerability that could allow an attacker to access sensitive information.
The vulnerability stems from an incomplete patch for another high-severity security flaw, CVE-2026-21510, which was weaponized by a Russian nation-state group tracked as APT28 (aka Fancy Bear, Forest Blizzard, GruesomeLarch, and Pawn Storm) together with CVE-2026-21513 as part of an exploit chain. The latter was linked to APT28 after a malicious artifact was unearthed in January 2026.
The campaign, which targeted Ukraine and E.U. nations in December 2025, leverages a malicious Windows Shortcut (LNK) file to exploit the two vulnerabilities, bypassing Microsoft Defender SmartScreen and allowing attacker-controlled code to run. The shortcut abuses the Windows Shell namespace parsing mechanism to load a dynamic-link library (DLL) from a remote server via a UNC path.
The DLL is loaded as a Control Panel (CPL) object without proper network zone validation, so a remote file is treated as if it were local. This allows an unauthorized attacker to perform spoofing over a network and access sensitive information. The attacker cannot, however, modify the disclosed information (Integrity) or limit access to the resource (Availability).
Microsoft did not share any details about the exploitation activity, but it acknowledged that a protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
The attack vector is as follows: an attacker has to send the victim a malicious file, and the victim has to open it. Once the file is executed, the attacker can read some sensitive information (Confidentiality), but not every resource within the impacted component is exposed; the vulnerability does not by itself give the attacker control over the system.
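The mechanism described above, a shortcut whose shell namespace target resolves to a DLL on a UNC path, is something a defender can triage offline by looking at the shortcut file itself. The following is an added example, not code from the article, from Microsoft or from the cited reports: a minimal Shell Link (MS-SHLLINK) parser that walks the header, LinkTargetIDList and StringData of a .lnk file and flags UNC paths and .cpl references wherever they appear. Both sample shortcuts are constructed inside the script (the hostname files.example.net is a placeholder, and the ItemID carrying the target is a plain UTF-16 string standing in for a real shell item, so the IDList scan is a string heuristic rather than a full shell-item parser). The detection rule is an assumption about what an attacker-controlled CPL target looks like, not an indicator published for this CVE.

```python
import re
import struct

# MS-SHLLINK header constants (public spec values, not from the article).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which structures follow the header.
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

UNC_RE = re.compile(r"\\\\[A-Za-z0-9_.\-]+\\[^\s\"'<>|]+")   # \\host\share\...
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, LinkTargetIDList and StringData of a Shell Link file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file too short to be a Shell Link")
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE

    idlist = b""
    if flags & HAS_LINK_TARGET_IDLIST:
        size = struct.unpack_from("<H", data, pos)[0]
        idlist = data[pos + 2 : pos + 2 + size]
        pos += 2 + size

    if flags & HAS_LINK_INFO:
        # LinkInfoSize counts itself, so skipping by it lands on StringData.
        pos += struct.unpack_from("<I", data, pos)[0]

    strings = {}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            strings[field] = data[pos : pos + count * 2].decode("utf-16-le", errors="replace")
            pos += count * 2
        else:
            strings[field] = data[pos : pos + count].decode("cp1252", errors="replace")
            pos += count
    return {"flags": flags, "idlist": idlist, "strings": strings}


def idlist_strings(idlist: bytes) -> list:
    """Pull printable ASCII and UTF-16LE runs out of the raw IDList.

    Simplification (assumption): a string scan instead of decoding each
    ItemID by type; enough to surface a UNC target in a namespace path.
    """
    found = [m.group().decode("ascii") for m in ASCII_RUN_RE.finditer(idlist)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN_RE.finditer(idlist)]
    return found


def find_indicators(parsed: dict) -> list:
    """Flag UNC paths and .cpl references in every string the LNK carries."""
    findings = []
    sources = [("idlist", s) for s in idlist_strings(parsed["idlist"])]
    sources += list(parsed["strings"].items())
    for where, text in sources:
        for unc in UNC_RE.findall(text):
            findings.append({"kind": "unc_path", "where": where, "value": unc})
        if ".cpl" in text.lower():
            findings.append({"kind": "cpl_reference", "where": where, "value": text})
    return findings


def build_sample_lnk(target: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal LNK (constructed test data, not a real sample)."""
    flags = HAS_LINK_TARGET_IDLIST | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,        # FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # creation / access / write time
        0, 0,        # FileSize, IconIndex
        1,           # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1..3
    )
    item = target.encode("utf-16-le")
    idlist = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # ItemID + TerminalID
    body = struct.pack("<H", len(idlist)) + idlist
    for s in (arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a shortcut pointing at a CPL on a remote share, and a benign one.
SUSPECT = build_sample_lnk("\\\\files.example.net\\public\\update.cpl", "",
                           "\\\\files.example.net\\public\\update.cpl")
BENIGN = build_sample_lnk("C:\\Windows\\notepad.exe", "", "%SystemRoot%\\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, find_indicators(parse_lnk(blob)))
```

Run against a real .lnk by reading the file bytes and passing them to parse_lnk(); anything reported under "idlist" is the shortcut's actual target rather than cosmetic fields such as the icon path, which is the finding worth escalating. Pair the file check with an egress rule that blocks outbound SMB (TCP 445) to the internet, since the page's chain depends on the shell fetching the DLL from a remote UNC path.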
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Confirms-Active-Exploitation-of-Windows-Shell-CVE-2026-32202-A-Zero-Click-Vulnerability-Leaves-a-Trail-of-Sensitive-Information-ehn.shtml
https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
https://windowsforum.com/threads/cve-2026-32202-windows-shell-spoofing-microsoft-confidence-signals-for-defenders.412855/
https://nvd.nist.gov/vuln/detail/CVE-2026-32202
https://www.cvedetails.com/cve/CVE-2026-32202/
https://nvd.nist.gov/vuln/detail/CVE-2026-21510
https://www.cvedetails.com/cve/CVE-2026-21510/
https://nvd.nist.gov/vuln/detail/CVE-2026-21513
https://www.cvedetails.com/cve/CVE-2026-21513/
https://www.picussecurity.com/resource/blog/apt28-cyber-threat-profile-and-detailed-ttps
https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
Published: Tue Apr 28 02:21:32 2026 by llama3.2 3B Q4_K_M