virus logo Threat Signal Report

Microsoft Shell Spoofing Zero-day Vulnerability

What is the Attack?

A newly disclosed vulnerability, CVE-2026-32202, has emerged due to an incomplete patch by Microsoft for a previously exploited remote code execution flaw (CVE-2026-21510). While the original update addressed both RCE and SmartScreen bypass, it failed to eliminate a residual zero-click NTLM authentication coercion issue. This allows attackers to silently force a victim system to authenticate against a malicious server without user interaction.

The threat activity has been linked to APT28 (also known as Fancy Bear / UAC-0001), which began exploiting the original vulnerability chain in December 2025, targeting organizations across Ukraine and the EU. Evidence confirms exploitation in the wild as early as January 2026, prior to Microsoft’s February Patch Tuesday release.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued remediation directives to federal agencies, citing confirmed zero-day exploitation involving CVE-2026-32202.

Vulnerability Chain Overview
The attack chain combines multiple flaws within crafted LNK files:
CVE-2026-21510 – Remote Code Execution (pre-patch)
CVE-2026-21513 – Malicious LNK file handling flaw
CVE-2026-32202 – Residual zero-click NTLM authentication coercion (post-patch)

What is the recommended Mitigation?

Mitigation & Recommendations

  • Apply the latest Microsoft patches addressing CVE-2026-32202 and related vulnerabilities 

  • Disable or restrict NTLM authentication where possible 

  • Implement SMB signing and enforce Extended Protection for Authentication (EPA) 

  • Monitor for anomalous outbound authentication attempts (e.g., SMB/HTTP to untrusted hosts) 

  • Block or inspect suspicious LNK file delivery vectors

Detection Opportunities

  • Outbound NTLM authentication attempts to unknown or external IPs 

  • Suspicious LNK file execution or delivery patterns 

  • Indicators tied to known APT28 infrastructure or tactics

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS provides coverage to detect and block exploitation attempts targeting CVE-2026-32202. Intrusion Prevention | FortiGuard Labs

• FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity, including detection of suspicious LNK file execution, abnormal authentication behavior, and attempts to coerce outbound NTLM authentication to attacker-controlled infrastructure.

• FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching, eliminating manual processes while reducing the attack surface for CVE-2026-21510, CVE-2026-21513, and CVE-2026-32202.
Endpoint Vulnerability | FortiGuard Labs
Endpoint Vulnerability | FortiGuard Labs
Endpoint Vulnerability | FortiGuard Labs

• FortiGuard Incident Response: Organizations that suspect exposure to exploitation activity linked to APT28 or these vulnerabilities should engage FortiGuard Incident Response for rapid investigation, credential exposure assessment, containment, and remediation.

• FortiGuard Web Filtering: Blocks access to known malicious domains and attacker-controlled servers used for NTLM hash capture, payload delivery, and command-and-control communication

Additional Resources

Windows Shell Spoofing Vulnerability (update-guide) CVE-2026-32202
Akamai research Blog


Released Date May 01, 2026
Tags Threat Signal Vulnerability
CVE ID


Threat Actor Type Advanced Persistent Threat (APT)

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
About FortiGuard Threat Signal

Learn More »