Microsoft and CISA Warn of Active Attacks on Windows Shell Zero-Day CVE-2026-32202 for Credential Theft

Actively Exploited Windows Zero-Day (CVE-2026-32202) Steals NTLM Hashes Without User Clicks

Severity: CRITICAL
Published: April 30, 2026
Last updated: May 8, 2026
Categories: Vulnerability, Cyberattack, Threat Actor

Related Entities (as initially published)

Threat Actors: APT28

Organizations: Akamai, CISA, Microsoft

Products & Tech: Windows 10, Windows 11, Windows Server

CVE Identifiers: CVE-2026-32202, CVE-2026-21510

Full Report (as first published)

Executive Summary

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued urgent warnings regarding the active exploitation of a zero-click spoofing vulnerability in Windows Shell, tracked as CVE-2026-32202. This flaw allows an unauthenticated attacker to steal a user's Net-NTLMv2 hash without any user interaction beyond navigating to a directory containing a malicious file. The vulnerability is a bypass of a patch for a previous flaw, CVE-2026-21510, which was exploited by the Russian state-sponsored group APT28. Due to evidence of active exploitation, CISA has added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch. All organizations are strongly advised to apply the available security updates to prevent credential theft and subsequent lateral movement.


Vulnerability Details

Microsoft classifies CVE-2026-32202 as a spoofing vulnerability; in practice it is an NTLM credential-coercion flaw, and the captured credential is what enables the relay attacks described below. The flaw lies in how the Windows Shell processes certain file types, such as .LNK (shortcut) files: an attacker crafts a file whose stored metadata refers to a UNC path on a server they control and places it on a network share, in an email attachment, or anywhere else the victim will browse.

When the user opens the folder containing the file in Windows Explorer, the shell tries to render the file's icon. Resolving the icon's location makes the SMB client on the victim's machine connect to the attacker-controlled Server Message Block (SMB) server, and the client authenticates automatically with the logged-on user's credentials. The NTLM challenge-response it sends is the Net-NTLMv2 hash the attacker captures. The defining property of the attack is that it is "zero-click": the victim never opens, selects or previews the file itself; displaying the folder in an Explorer window is sufficient.

This vulnerability is the result of an incomplete patch for CVE-2026-21510, which was addressed in February 2026. While the earlier patch prevented remote code execution, it failed to block the SMB connection that leads to the credential leak.
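The mechanism above depends on a shortcut carrying a path that the shell resolves on the victim's behalf. As an added example (not code from this article's author, Microsoft or CISA), the Python below parses the StringData fields of a .LNK file according to the MS-SHLLINK layout and flags any stored path that names a UNC share on a host outside the corporate network, which is what a hunter would run over shortcuts found on shares. The page does not say which shortcut field the exploit abuses, so every stored path is checked. The script builds its own sample shortcuts; the corp.example DNS suffix and the 203.0.113.0/24 address standing in for an attacker host are assumptions.

```python
"""Hunt for .LNK shortcuts whose stored paths point at a UNC share on an external
host.  Added example for this article (not Microsoft/CISA code).  Assumptions:
the corporate DNS suffix is corp.example and 203.0.113.0/24 (an RFC 5737
documentation range) stands in for the attacker's public IP in the sample."""
import ipaddress
import re
import struct
import uuid

# MS-SHLLINK 2.1.1 LinkFlags bits that decide which structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))  # fixed on-disk order
CORP_SUFFIXES = (".corp.example",)                     # assumption: your internal suffix
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def parse_lnk_strings(buf):
    """Return the StringData fields of a ShellLink as {field: text}."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(buf[4:20])) != LINK_CLSID:
        raise ValueError("not a ShellLink: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", buf, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize does not count itself
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole structure
        off += struct.unpack_from("<I", buf, off)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", buf, off)  # CountCharacters, no terminator
        off += 2
        raw = bytes(buf[off:off + count * width])
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        off += count * width
    return fields


def unc_host(path):
    """Host part of a \\\\host\\share path, or None if the path is not UNC."""
    m = UNC_RE.match(path.strip())
    return m.group(1).lower() if m else None


def is_external(host):
    """Anything that is not RFC 1918/loopback/link-local, a bare NetBIOS name,
    or a name under the corporate suffix is treated as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host and not host.endswith(CORP_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_unc_refs(lnk_bytes):
    """(field, host) for every stored path that names an external UNC host."""
    hits = []
    for field, value in parse_lnk_strings(lnk_bytes).items():
        host = unc_host(value)
        if host and is_external(host):
            hits.append((field, host))
    return hits


def build_lnk(icon_location, relative_path=""):
    """Build a minimal spec-valid .LNK; used only to construct the samples below."""
    flags = IS_UNICODE | HAS_ICON_LOCATION | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le
    # LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand=SW_SHOWNORMAL, HotKey, Reserved1..3
    header += struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, icon_location):   # spec order: RELATIVE_PATH before ICON_LOCATION
        if text:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: one shortcut whose icon lives on an attacker host, one benign.
SAMPLE_MALICIOUS = build_lnk(r"\\203.0.113.10\share\icon.ico", relative_path=r"..\notes.txt")
SAMPLE_BENIGN = build_lnk(r"\\fileserver.corp.example\icons\app.ico")

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, parse_lnk_strings(sample), suspicious_unc_refs(sample))
```

The parser deliberately stops at StringData. A production hunter should also decode LinkInfo's CommonNetworkRelativeLink, where a shortcut whose target is itself a network file stores its UNC path, and should run over every .lnk written to a share or user profile since the patch date rather than only new arrivals.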

Affected Systems

The vulnerability affects a wide range of currently supported Microsoft Windows versions, including:

  • Windows 10
  • Windows 11
  • Windows Server

Exploitation Status

Both Microsoft and CISA have confirmed that CVE-2026-32202 is being actively exploited in the wild. The precursor vulnerability, CVE-2026-21510, was used by APT28 (also known as Fancy Bear) in attacks against organizations in Ukraine and the European Union. While Microsoft has not yet attributed the current exploitation of CVE-2026-32202 to APT28, the potential for state-sponsored actors to leverage this flaw is high.

Impact Assessment

Once an attacker captures a user's Net-NTLMv2 response, they can use it in several ways. Note that a Net-NTLMv2 response is a challenge-response value, not the account's NT hash: it cannot be replayed later with pass-the-hash, so the attacker must either relay it while the victim's session is live or crack it offline.

  • NTLM Relay Attacks: The attacker forwards the captured authentication to another service on the network (e.g., a domain controller, file server, or application server) and authenticates as the victim user. This works only against services that do not require signing or channel binding, and a session cannot be relayed back to the machine it came from. If the user has administrative rights on the target, this can lead to full system or domain compromise.
  • Offline Password Cracking: Net-NTLMv2 (HMAC-MD5 keyed by the NT hash over the server challenge) is slower per guess than NTLMv1 and the challenge acts as a salt, so precomputed tables do not apply; a weak or dictionary password still falls quickly to a GPU cracking rig, after which the attacker holds the plaintext password.
  • Lateral Movement: Successful authentication via NTLM relay lets an attacker move laterally across the network, access sensitive data, and deploy further malware such as ransomware.

The zero-click nature of the exploit makes it particularly dangerous in phishing campaigns, where the shortcut arrives as an email attachment and the hash leaks as soon as the recipient views it in Explorer, and on shared folders, where a single planted file harvests credentials from every user who browses the share.


Cyber Observables — Hunting Hints

Security teams should hunt for the following patterns to detect potential exploitation:

Type: Network Traffic Pattern
Value: Outbound SMB (TCP/445, plus TCP/139 and UDP/137-138) to external/untrusted IP addresses
Description: Monitor firewall and proxy logs for SMB connections originating from workstations and heading to IPs outside the corporate network. Workstations have no legitimate reason to speak SMB to the internet, so even blocked attempts deserve triage: a denied connection means the egress filter held, but it also means something on that workstation was coerced into authenticating outward.

Type: File Name
Value: *.lnk
Description: Monitor for the creation of new .lnk files on network shares and in user directories, and parse them rather than relying on the name alone. The fields to inspect are the icon location, target and working-directory paths; any of them that names a UNC path (\\host\share) on a host you do not own is suspicious.

Type: Event ID
Value: 4624 / 4625 (Windows Security Log), Logon Type 3, Authentication Package NTLM
Description: A relayed authentication reaches the target server from the relay host, but the Workstation Name field in the event still carries the victim's workstation, because the relay forwards the client's NTLM message unchanged. Hunt for NTLM network logons whose Workstation Name does not match the host that owns the Source Network Address (per DHCP or asset inventory). Failed logons (4625) with the same mismatch show relay attempts against servers that rejected them, for example because they enforce signing.
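Detection logic for the Network Traffic Pattern and Event ID hints above, as an added example written for this article (not code from the author, Microsoft or CISA). It runs over constructed sample records: the key=value firewall log format, the Security-log events reduced to the field names Windows uses in the 4624/4625 event XML (LogonType, AuthenticationPackageName, WorkstationName, IpAddress, TargetUserName), and the workstation-to-IP inventory are all assumptions to be replaced with your SIEM's schema and your DHCP or asset data.

```python
"""Detection logic for the hunting hints above, run over constructed sample records.
Added example for this article, not vendor code.  The firewall key=value format,
the event-field names as exported from Security.evtx, and the workstation-to-IP
inventory are assumptions; adapt the parsing to your SIEM."""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139, 137, 138}          # SMB direct, NetBIOS session, name/datagram
KV_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def outbound_smb_to_external(lines):
    """Network hint: SMB/NetBIOS from an internal client to a non-RFC1918 destination.
    Denied flows are reported too: the egress rule did its job, but the coercion
    attempt on that workstation still happened and should be investigated."""
    hits = []
    for line in lines:
        rec = dict(KV_RE.findall(line))
        if not rec.get("dport", "").isdigit():
            continue
        dport = int(rec["dport"])
        if (dport in SMB_PORTS and is_internal(rec.get("src", ""))
                and not is_internal(rec.get("dst", ""))):
            hits.append((rec["src"], rec["dst"], dport, rec.get("action", "?")))
    return hits


def ntlm_relay_candidates(events, inventory):
    """Event ID hint: NTLM network logon where the WorkstationName the client placed
    in its NTLM AUTHENTICATE message does not belong to the IP the server saw.
    A relay forwards the victim's message unchanged, so the name stays the victim's
    workstation while the connection arrives from the relay host."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (4624, 4625):
            continue
        if str(ev.get("LogonType")) != "3" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        ws = str(ev.get("WorkstationName", "")).lower()
        expected_ip = inventory.get(ws)          # unknown or empty names cannot be judged
        seen_ip = ev.get("IpAddress", "")
        if expected_ip and seen_ip != expected_ip:
            hits.append((ev.get("TargetUserName"), ws, seen_ip, expected_ip))
    return hits


# Constructed sample data.  203.0.113.10 stands in for the attacker's SMB server and
# 10.20.30.99 for a relay host inside the network.
FIREWALL_LOG = [
    "2026-04-29T10:01:02Z action=deny src=10.20.30.41 dst=203.0.113.10 proto=tcp dport=445",
    "2026-04-29T10:01:03Z action=allow src=10.20.30.41 dst=10.0.0.5 proto=tcp dport=445",
    "2026-04-29T10:01:04Z action=allow src=10.20.30.41 dst=203.0.113.10 proto=tcp dport=443",
    "2026-04-29T10:01:05Z action=allow src=10.20.30.42 dst=203.0.113.10 proto=udp dport=137",
]
INVENTORY = {"ws-alice": "10.20.30.41", "ws-bob": "10.20.30.42"}   # from DHCP/asset data
SECURITY_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.20.30.41"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.20.30.99"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "WorkstationName": "WS-BOB", "IpAddress": "10.20.30.7"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "WorkstationName": "WS-BOB", "IpAddress": "10.20.30.99"},
]

if __name__ == "__main__":
    for hit in outbound_smb_to_external(FIREWALL_LOG):
        print("outbound SMB to external host:", hit)
    for hit in ntlm_relay_candidates(SECURITY_EVENTS, INVENTORY):
        print("possible NTLM relay (user, workstation, seen ip, expected ip):", hit)
```

The Kerberos logon in the sample is ignored on purpose: the workstation/IP mismatch only means something for NTLM, where the name is client-supplied and forwarded by a relay. Expect some benign mismatches from VPN concentrators and NAT, so build the inventory from the same address space the servers actually see.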

Detection & Response

  1. Network Monitoring (D3-NTA): The most effective detection is monitoring for outbound SMB. Block outbound TCP/445 and TCP/139 plus UDP/137-138 from all client subnets to the internet at the perimeter, and in the Windows host firewall as well so that laptops off the corporate network are covered. Log and alert on every attempt to violate the rule: the attempt itself is the signal that a workstation was coerced. Be aware that when SMB is unreachable, a Windows client with the WebClient service running may retry the same UNC path over WebDAV (TCP/80 or 443), which also carries NTLM, so watch for that fallback or disable the WebClient service where it is not needed.
  2. EDR/XDR Alerts: Modern EDR platforms may have behavioral rules for NTLM coercion. Look for alerts on explorer.exe initiating outbound SMB or WebDAV connections to non-corporate hosts.
  3. Honeypots: Deploy a decoy account that has no privileges and is never used for legitimate logons, and alert on any authentication with it. Any 4624 or 4625 for that account is a high-fidelity sign that its credential was captured and then relayed or cracked; it only fires if the decoy account itself is coerced or reused, so it complements rather than replaces the network and event-log hunts above.

Mitigation

  1. Patch Immediately (D3-SU): The primary mitigation is to apply the security update for CVE-2026-32202 released by Microsoft. Given its KEV status, treat this as an emergency change.
  2. Block Outbound SMB: Implement strict firewall rules to block all outbound SMB traffic (TCP/445, TCP/139, UDP/137-138) from your network to the internet, at the perimeter and in the Windows host firewall so that roaming devices stay protected off-network. This is a long-standing best practice that blunts this and many other NTLM-coercion techniques. Remember the WebDAV fallback: if the WebClient service is running, a UNC path that fails over SMB may be retried over HTTP, so disable WebClient on workstations that do not need it.
  3. Enable SMB Signing: Require SMB signing on all clients and servers throughout the domain. The Group Policy settings are "Microsoft network client: Digitally sign communications (always)" and "Microsoft network server: Digitally sign communications (always)" under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options (registry: RequireSecuritySignature = 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters). Signing defeats relays whose target is SMB because the relay host does not hold the session key needed to sign traffic; it does not stop the hash from being captured and cracked, and it does nothing for relays aimed at LDAP or HTTP endpoints, which need LDAP signing and channel binding / Extended Protection for Authentication enforced separately.
  4. Restrict Outgoing NTLM: Where feasible, use the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (audit first, then deny, with the exception list for servers that still need NTLM) so that clients refuse to send NTLM to arbitrary hosts in the first place.
  5. Principle of Least Privilege: Ensure that user and service accounts do not have excessive privileges. Limiting administrative rights makes it harder for an attacker to cause significant damage even if they successfully relay credentials.

Timeline of Events

1. December 1, 2025: APT28 begins exploiting the precursor vulnerability CVE-2026-21510.
2. February 13, 2026: Microsoft releases a patch for CVE-2026-21510, which is later found to be incomplete.
3. April 14, 2026: Microsoft releases a patch for the bypass vulnerability, CVE-2026-32202.
4. April 29, 2026: Microsoft and CISA confirm active exploitation of CVE-2026-32202, and CISA adds it to the KEV catalog.
5. April 30, 2026: This article was published.

Article Updates

May 1, 2026

Severity increased

CISA issues binding directive for FCEB agencies to patch CVE-2026-32202 by May 12, 2026.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive, requiring all Federal Civilian Executive Branch (FCEB) agencies to apply patches for the actively exploited Windows vulnerability, CVE-2026-32202, by May 12, 2026. This formal mandate highlights the critical nature of the flaw and the urgent need for remediation across federal systems. While the existing article noted CISA's KEV listing, this update specifies a concrete deadline for federal compliance, emphasizing the heightened operational priority.

May 8, 2026

Severity increased

APT28 attributed to active exploitation of CVE-2026-32202 targeting European, Ukrainian, and NATO entities via malicious .LNK files.

New intelligence confirms that the Russian state-sponsored group APT28 (Fancy Bear) is actively exploiting CVE-2026-32202. The campaign specifically targets government and defense entities in Europe, Ukraine, and NATO member states. Attackers are delivering malicious .LNK shortcut files via email, which trigger the zero-click vulnerability when viewed in Windows Explorer, leading to NTLM hash theft. CISA has set a May 12 deadline for federal agencies to patch, highlighting the increased urgency and threat level posed by this sophisticated actor.



Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: APT28, CISA KEV, Credential Theft, NTLM Relay, Windows Shell, Zero-Day
