Critical Windows SmartScreen Bug (CVE-2024-XXXX) Lets Attackers Bypass Defender

Sarah Simpson
April 28, 2026

Key Takeaways

  • A new zero-click authentication coercion vulnerability, CVE-2026-32202, has been discovered in Windows SmartScreen.
  • This flaw is an incomplete fix for a previous Windows Shell bypass and allows attackers to obtain NTLMv2 hashes without user interaction.
  • The APT28 threat group exploited a related vulnerability in targeted attacks against Ukraine and EU countries in December 2025.
  • Microsoft released a patch for CVE-2026-32202 as part of its April 2026 Patch Tuesday updates.

Critical Windows SmartScreen Bypass Enables Zero-Click NTLM Theft

A significant security vulnerability, identified as CVE-2026-32202, has been found in Windows SmartScreen, enabling zero-click authentication coercion. This flaw stems from an incomplete patch for a previously addressed security feature bypass within the Windows Shell. Microsoft has confirmed active exploitation of this vulnerability and issued a fix in its April 2026 Patch Tuesday release.

The discovery follows a targeted cyberattack campaign launched by the APT28 threat actor, also known as Fancy Bear, Forest Blizzard, or Pawn Storm, in December 2025. According to CERT-UA, these attacks focused on Ukraine and several European Union nations, leveraging weaponized LNK (Windows Shortcut) files.

Akamai researchers detected this campaign in January 2026. Their investigation revealed that the infection vector relied on a chain of two vulnerabilities: CVE-2026-21513, an MSHTML exploit, and CVE-2026-21510, a Windows Shell SmartScreen bypass with a CVSS score of 8.8.

Exploitation of the Windows Shell 0-Click Vulnerability

The attack exploits the Windows Shell namespace parsing pipeline. APT28 embedded a malicious LinkTargetIDList structure within an LNK file. When Windows Explorer parses and renders this binary IDList, it mimics the display of Control Panel items.

The IDList contained three crucial elements: a CLSID representing the Control Panel COM object, a second entry for “all control panel items,” and a third _IDCONTROLW structure. This final structure embedded a UNC path pointing to a remote server controlled by the attacker.

When a victim’s explorer.exe processed this specially crafted LNK file, it resolved the malicious path as:

::{26EE0668-A00A-44D7-9371-BEB064C98683}{GENERATED GUID OF THE UNC PATH}

This action caused Windows to load a Dynamic Link Library (DLL) from the attacker-controlled server, treating it as a Control Panel (CPL) component. Crucially, this process bypassed both SmartScreen and Mark of the Web (MotW) verification, allowing the malicious CPL to execute without warning.

The Incomplete Patch and CVE-2026-32202

Microsoft initially addressed CVE-2026-21510 in its February 2026 Patch Tuesday updates. The fix introduced a new COM object called ControlPanelLinkSite, designed to integrate the CPL launch path with ShellExecute’s trust verification pipeline.

This patch added a new fMask bit (0x08000000) that compelled the ShellExecute pipeline to query IVerifyingTrust. This action, in turn, triggered SmartScreen verification of the CPL file’s digital signature and origin zone before execution.

Using their PatchDiff-AI analysis tool, Akamai confirmed that this fix successfully blocked the original Remote Code Execution (RCE) vector. Unsigned or remote CPLs could no longer be executed silently.

However, Akamai researchers made a critical observation: even after applying the patch, the victim’s machine was still authenticating to the attacker’s server. The trust verification introduced by Microsoft occurs during the ShellExecuteExW call, at the very end of the CPL launch chain. A much earlier trigger exists within CControlPanelFolder::GetUIObjectOf, the function Windows Explorer calls to extract an icon for the CPL IDList item when rendering a folder’s contents.

Deep within this function’s call chain, a PathFileExistsW call within GetModuleMapped causes Windows to resolve the UNC path. This action initiates an SMB connection to the attacker’s server the moment a folder containing the malicious LNK file is opened, requiring no user interaction.

When the UNC path resolves (e.g., \\attacker.com\share\payload.cpl), Windows automatically triggers an NTLM authentication handshake, transmitting the victim’s Net-NTLMv2 hash to the attacker’s server. This credential can then be used for NTLM relay attacks or offline password cracking, all without any user interaction beyond navigating to the compromised folder.

This residual flaw was classified as CVE-2026-32202 (CVSS: 4.3), officially described as a “protection mechanism failure in Windows Shell” that enables an unauthorized attacker to perform spoofing over a network.

This incident highlights that incomplete patches can inadvertently create secondary attack surfaces. The gap between path resolution and trust verification in the Windows Shell pipeline, initially exploited by APT28 and subsequently uncovered by Akamai, underscores the importance of comprehensive patch analysis and post-fix regression testing before a vulnerability is considered fully remediated.

What You Should Do

  • Apply Microsoft’s April 2026 Patch Tuesday updates immediately to remediate CVE-2026-32202.
  • Monitor for outbound SMB traffic to external hosts within your network.
  • Enforce NTLMv2 restrictions or transition to Kerberos-only authentication where feasible to mitigate NTLM relay and credential theft risks.
  • Given confirmed active exploitation, treat any unpatched systems as high-priority exposure, especially in environments where LNK files are frequently shared or traverse network drives.
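As an added example (not part of the article or of Akamai’s research), the following Python script applies the second recommendation to a few constructed flow records: it flags TCP connections to SMB ports whose destination is outside the organisation, which is exactly what the GetUIObjectOf path resolution described above produces. The CSV column layout, the sample addresses, and the choice of RFC 1918 plus an optional list of organisation-owned ranges as the definition of “internal” are assumptions.

```python
"""Flag SMB connections leaving the organisation (the signal behind the "monitor outbound SMB" advice)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records, CSV: timestamp,src_ip,dst_ip,dst_port,proto (not from the article).
SAMPLE_FLOWS = """\
2026-04-28T09:12:01Z,10.20.4.17,10.20.1.5,445,tcp
2026-04-28T09:12:03Z,10.20.4.17,203.0.113.44,445,tcp
2026-04-28T09:12:05Z,10.20.4.18,198.51.100.9,443,tcp
2026-04-28T09:12:09Z,10.20.4.19,192.0.2.77,445,tcp
2026-04-28T09:12:10Z,10.20.4.19,10.20.1.5,139,tcp
2026-04-28T09:12:12Z,10.20.4.20,172.16.8.3,445,tcp
"""

SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service

# Assumption: "internal" means RFC 1918 plus any ranges the caller passes in. ipaddress.is_private
# is deliberately not used because it also treats the documentation ranges used in the sample
# data (192.0.2/24, 198.51.100/24, 203.0.113/24) as private, which would hide the external hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    port: int


def is_internal(ip: str, extra_nets=()) -> bool:
    """True if ip is RFC 1918 or inside an organisation-owned range listed in extra_nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918) or any(addr in ipaddress.ip_network(n) for n in extra_nets)


def find_smb_egress(flow_text: str, extra_nets=()) -> list:
    """Return one Alert per TCP flow to an SMB port whose destination is outside the organisation."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.strip().split(",")
        if proto != "tcp" or int(port) not in SMB_PORTS:
            continue  # not SMB, ignore
        if not is_internal(dst, extra_nets):
            alerts.append(Alert(ts, src, dst, int(port)))
    return alerts


if __name__ == "__main__":
    for a in find_smb_egress(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port}  SMB egress to external host")
```

Each alert names the internal source, which is the host to check for a recently opened folder containing a suspicious LNK file.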
