
CVE-2026-32202: APT28 Exploits Zero-Click Windows Flaw to Steal NTLM Credentials — CISA Deadline Hits Today

A zero-click Windows shortcut flaw lets APT28 steal NTLM credentials without user interaction. Microsoft's incomplete patch left millions exposed — and CISA's remediation deadline expires today.

FyntraLink Team

A malicious shortcut file sitting in a folder — unopened, unclicked — is all it takes. CVE-2026-32202 is a zero-click NTLM credential theft vulnerability in Windows Shell that Russian state-sponsored group APT28 has been actively exploiting since at least March 2026. The flaw was born from Microsoft's incomplete fix for an earlier RCE bug, and CISA's federal remediation deadline expires today, May 12.

From Incomplete Patch to Zero-Click Weapon

CVE-2026-32202 traces its origin to CVE-2026-21510, a remote code execution vulnerability in Windows Shell that Microsoft patched in February 2026. Akamai researchers discovered that the February fix was incomplete: while it blocked the original RCE vector, it left a secondary NTLM authentication coercion path wide open. When Windows Explorer renders a folder containing a specially crafted LNK shortcut file, the operating system automatically resolves any embedded UNC path. If that path points to an attacker-controlled SMB server, Windows initiates an authentication handshake and transmits the victim's NTLMv2 hash — no double-click, no file execution, no user interaction whatsoever.

How APT28 Weaponized the Flaw

Google's Threat Intelligence Group and Microsoft's MSTIC team confirmed that APT28 (also known as Fancy Bear or Forest Blizzard) has been deploying malicious LNK files through spear-phishing emails targeting government contractors, defense organizations, and financial institutions. The attack chain is deceptively simple: a ZIP archive lands in the victim's inbox containing what appears to be a document folder. The moment the user extracts the archive and Windows Explorer renders the folder contents, the embedded LNK triggers an outbound SMB connection to an attacker-controlled relay server. The stolen NTLMv2 hash is then used in relay attacks to authenticate laterally across internal systems, or cracked offline to recover plaintext credentials. In observed campaigns, APT28 moved from initial hash capture to domain controller compromise within four hours.

Why CVSS 4.3 Understates the Real Risk

Microsoft assigned CVE-2026-32202 a CVSS score of 4.3, placing it in the medium severity category. Security researchers universally agree this score is misleading. The zero-click trigger mechanism eliminates the need for user interaction — a factor that typically inflates CVSS scores. The hash relay technique converts a seemingly minor information disclosure into full lateral movement capability. Organizations still running NTLMv2 authentication (which includes the majority of Active Directory environments) face the greatest risk, as a single compromised hash can cascade into domain-wide compromise. CISA clearly disagreed with the medium rating, adding CVE-2026-32202 to the Known Exploited Vulnerabilities catalog on April 28 and setting a federal remediation deadline of May 12 — today.

Impact on Saudi Financial Institutions

Saudi banks, insurance companies, and fintech firms operating under SAMA's Cyber Security Framework (CSCC) should treat this vulnerability as critical regardless of the official CVSS score. SAMA CSCC Domain 3 (Cyber Security Operations and Technology) mandates continuous vulnerability management and timely patching of actively exploited flaws. NCA's Essential Cybersecurity Controls (ECC) Subdomain 2-2 explicitly requires organizations to apply security patches within defined SLAs, with actively exploited vulnerabilities demanding immediate action. The zero-click nature of CVE-2026-32202 makes it particularly dangerous for financial sector environments where employees routinely handle external documents, email attachments, and shared folders. A single compromised endpoint in a trading desk, compliance department, or payment processing unit could provide an attacker with the NTLM credentials needed to pivot into core banking systems.

Recommended Actions for Immediate Remediation

  1. Apply the April 2026 Patch Tuesday update immediately. Microsoft released a complete fix for CVE-2026-32202 on April 14. Prioritize all Windows Server and workstation systems, especially those in Active Directory domains handling financial operations.
  2. Enforce SMB signing and disable outbound SMB to the internet. Block TCP port 445 at the perimeter firewall for outbound traffic. Enable SMB signing on all domain controllers and member servers to prevent relay attacks even if hashes are captured.
  3. Migrate away from NTLMv2 where possible. Accelerate the transition to Kerberos-only authentication. Microsoft's own guidance now recommends disabling NTLM across the domain, and the April 2026 release includes enhanced group policy controls to enforce this.
  4. Deploy endpoint detection rules for malicious LNK files. Configure EDR solutions to alert on LNK files containing UNC paths pointing to external IP addresses or non-corporate domains. YARA rules published by Akamai and Microsoft specifically target the CVE-2026-32202 exploit pattern.
  5. Audit recent SMB authentication logs. Review Windows Security Event ID 4624 (logon type 3) and Event ID 4648 for anomalous NTLM authentication attempts originating from unexpected endpoints or targeting external IP addresses. Any outbound NTLMv2 authentication to non-corporate SMB servers should trigger an incident response workflow.
  6. Restrict LNK file delivery via email. Update email gateway policies to strip or quarantine ZIP archives containing LNK files. Most legitimate business communications do not require shortcut files as attachments.
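As an added example (not code from the original post or from FyntraLink), the following Python script covers steps 4 and 5 above: it checks a file for the Shell Link header and any embedded UNC hosts, classifies each host against assumed corporate address ranges and DNS suffixes, and runs the same classifier over exported Security log records to flag NTLM network logons (Event ID 4624, logon type 3) from external or unknown endpoints and 4648 explicit-credential logons to external servers. The corporate ranges, the `corp.example.sa` suffix, the workstation inventory, the sample LNK bytes and the event records are all constructed for this example.

```python
"""Triage helpers for CVE-2026-32202 response (example code, constructed data):
flag LNK files whose UNC targets leave the corporate estate, and flag NTLM
logons that do not fit the endpoint inventory."""
import ipaddress
import re
from dataclasses import dataclass

# Shell Link header: HeaderSize 0x0000004C then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian field layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Assumed corporate DNS suffixes, address ranges and asset inventory.
CORPORATE_DOMAINS = ("corp.example.sa",)
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_WORKSTATIONS = {"FS01", "WS-TRD-07"}

# UNC targets appear in two encodings inside a LNK: the LinkInfo NetName is
# ANSI, while StringData fields such as the icon location are UTF-16LE.
_HOST = rb"[A-Za-z0-9_.\-@:\[\]]"
_UNC_ASCII = re.compile(rb"\\\\(" + _HOST + rb"+)\\")
_UNC_UTF16 = re.compile(rb"\\\x00\\\x00((?:" + _HOST + rb"\x00)+)\\\x00")


def is_corporate_host(host: str) -> bool:
    """True for loopback/link-local, corporate ranges, single-label NetBIOS
    names and corporate DNS suffixes; False for anything external."""
    host = host.split("@")[0].strip("[]").lower()  # drop a WebDAV @port suffix
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_link_local or any(ip in net for net in CORPORATE_NETS)
    except ValueError:
        if "." not in host:
            return True
        return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


@dataclass
class UncTarget:
    host: str
    external: bool


def extract_unc_targets(data: bytes) -> list:
    """Return each distinct UNC host embedded in the bytes, classified."""
    hosts = [m.group(1).decode("ascii", "replace") for m in _UNC_ASCII.finditer(data)]
    hosts += [m.group(1).decode("utf-16-le", "replace") for m in _UNC_UTF16.finditer(data)]
    targets, seen = [], set()
    for h in hosts:
        h = h.split("@")[0]
        if h not in seen:
            seen.add(h)
            targets.append(UncTarget(h, not is_corporate_host(h)))
    return targets


def scan_lnk(data: bytes) -> dict:
    """Is the file a LNK, which UNC hosts does it reference, and is any external?"""
    if not data.startswith(LNK_MAGIC):
        return {"is_lnk": False, "targets": [], "suspicious": False}
    targets = extract_unc_targets(data)
    return {"is_lnk": True, "targets": targets, "suspicious": any(t.external for t in targets)}


def audit_events(events: list) -> list:
    """Return (reason, record) pairs for NTLM network logons from external or
    unknown endpoints and for explicit-credential logons to external servers."""
    alerts = []
    for ev in events:
        if (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
                and ev.get("AuthenticationPackageName") == "NTLM"):
            src = ev.get("IpAddress", "-")
            if src != "-" and not is_corporate_host(src):
                alerts.append(("4624: NTLM network logon from external address", ev))
            elif ev.get("WorkstationName", "-").upper() not in KNOWN_WORKSTATIONS:
                alerts.append(("4624: NTLM network logon from workstation not in inventory", ev))
        elif ev.get("EventID") == 4648:
            target = ev.get("TargetServerName", "-")
            if target != "-" and not is_corporate_host(target):
                alerts.append(("4648: explicit-credential logon to external server", ev))
    return alerts


# Constructed sample: a genuine LNK header prefix (other header fields zeroed),
# an ANSI NetName for a corporate share, and a UTF-16LE icon location on an
# external address. Not a valid link file, but enough for the byte-level scan.
SAMPLE_LNK = (
    LNK_MAGIC + b"\x00" * 56
    + b"\\\\fileserver01.corp.example.sa\\finance\\"
    + "\\\\203.0.113.5\\share\\report.ico".encode("utf-16-le")
)

# Constructed records shaped like an exported Security log (field names as in
# the event XML). Rows 3 and 5 model a relayed hash and an unknown endpoint.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "svc-backup", "IpAddress": "10.20.1.15", "WorkstationName": "FS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.alharbi", "IpAddress": "10.20.1.15", "WorkstationName": "WS-TRD-07"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.alharbi", "IpAddress": "198.51.100.23", "WorkstationName": "WS-TRD-07"},
    {"EventID": 4648, "SubjectUserName": "j.alharbi", "TargetServerName": "203.0.113.5"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.alharbi", "IpAddress": "10.20.5.9", "WorkstationName": "UNKNOWN-PC"},
]

if __name__ == "__main__":
    for t in scan_lnk(SAMPLE_LNK)["targets"]:
        print(f"LNK UNC target {t.host}: {'EXTERNAL' if t.external else 'corporate'}")
    for reason, ev in audit_events(SAMPLE_EVENTS):
        print(reason, ev.get("IpAddress") or ev.get("TargetServerName"))
```

The LNK check is a byte-level heuristic rather than a full MS-SHLLINK parser, so it will also flag a benign shortcut that points at an external share; treat a hit as a triage signal to be combined with the vendor YARA rules mentioned in step 4, and run it over extracted ZIP contents at the mail gateway and on endpoints. For the log audit, the useful signal in a relay scenario is an NTLM network logon whose source address or workstation name does not belong to the asset it claims to be, which is why the classifier looks at both fields rather than only at external addresses.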

Conclusion

CVE-2026-32202 is a textbook example of how incomplete patches create new attack surfaces. APT28's exploitation of this zero-click NTLM flaw demonstrates that state-sponsored actors move faster than patch cycles — the window between vulnerability disclosure and active exploitation has collapsed to days. For Saudi financial institutions bound by SAMA CSCC and NCA ECC requirements, the remediation deadline is not a suggestion. Patch today, block outbound SMB, and start the clock on NTLM deprecation before the next incomplete fix arrives.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and vulnerability remediation roadmap tailored to your Active Directory environment.