Breaking Technology · 7 min read

Microsoft’s Incomplete Patch Leaves Zero-Click Windows Flaw Active in Russian Attack Campaigns

A critical vulnerability Microsoft patched in February 2026 left behind a credential theft vector now actively exploited by Russian threat actors, forcing emergency re-patching across federal agencies.

Microsoft’s February 2026 patch for a critical Windows Shell vulnerability exploited by Russian intelligence failed to close a zero-click credential theft vector that remains under active attack, according to a joint advisory from Microsoft and CISA issued 29 April.

The incomplete fix is a second-order patch failure that exposes gaps in Microsoft’s vulnerability remediation process. While the original patch blocked remote code execution, it left Windows systems silently sending NTLM authentication to attacker-controlled servers without any user interaction, a flaw Akamai security researchers discovered during routine patch testing and described to The Register.

CISA added the residual vulnerability (CVE-2026-32202) to its Known Exploited Vulnerabilities catalog on 29 April and ordered federal agencies to patch affected systems by 12 May under Binding Operational Directive 22-01. The 13-day deadline reflects the severity of ongoing exploitation and the technical ease with which attackers can weaponize the flaw.

Background

In December 2025, Russian APT28 (Fancy Bear) deployed CVE-2026-21510 against Ukrainian and European targets, chaining it with a separate MSHTML bypass to achieve remote code execution via weaponized shortcut files. Microsoft patched both flaws in February 2026, but the fix left a critical gap in how Windows validates file paths before establishing network connections.

How the Patch Failed

Akamai security researcher Maor Dahan identified the problem while validating Microsoft’s February patch. “While testing the patch, we noticed something interesting: The victim machine was still authenticating to the attacker’s server,” Dahan told The Register. The original CVE-2026-21510 vulnerability, rated 8.8 on the CVSS scale, allowed attackers to bypass Windows Defender SmartScreen and execute arbitrary code by exploiting flaws in how Windows Shell processes shortcut (.LNK) files.

Microsoft’s fix blocked the remote code execution pathway and the SmartScreen bypass, but it did not address the underlying authentication coercion mechanism. When Explorer parses certain specially crafted shortcut files, including ones the patch now blocks from executing, Windows resolves the remote path embedded in the file and initiates an NTLM authentication handshake with the attacker’s server that path names. The user never has to open the shortcut.

“This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files,” Dahan explained. The residual flaw, now tracked as CVE-2026-32202 with a CVSS score of 4.3, lets attackers capture a victim’s NTLM challenge-response (a Net-NTLM hash, not the stored NT hash) simply by persuading them to browse a directory containing a malicious shortcut file in Windows Explorer. From there, attackers can relay the captured authentication to other network resources or attempt to crack it offline to recover the password; either path enables lateral movement.
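The mechanism above depends on a remote path being embedded somewhere in the shortcut that Explorer resolves while merely listing the folder. The scanner below is an added example written for this article, not code from Akamai, Microsoft or The Register, and it does not claim to reproduce CVE-2026-32202 (the article does not say which field the exploit uses). It parses the documented places a path can live in a shell link per the public MS-SHLLINK layout (the LinkInfo network name, the five StringData items and the EnvironmentVariableDataBlock target) and flags any UNC host that is not on an allow-list. The fixture builder and the 203.0.113.5 address are constructed for the demonstration.

```python
"""Scan .LNK files for embedded remote (UNC) paths that Explorer resolves on
folder listing. Added example; field layout follows MS-SHLLINK."""
import re
import struct
from typing import Dict, List, Tuple

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314   # EnvironmentVariableDataBlock
UNC_RE = re.compile(r"\\\\([^\\/\s]+)[\\/]")        # \\host\share\... -> host


def _string_data(buf: bytes, pos: int, unicode: bool) -> Tuple[str, int]:
    """StringData item: uint16 character count, then chars (UTF-16LE or ANSI), no terminator."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(buf: bytes) -> Dict[str, str]:
    """Return every path-bearing field of a shell link: LinkInfo net name,
    the five StringData items, and the EnvironmentVariableDataBlock target."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    pos, fields = 0x4C, {}
    if flags & HAS_IDLIST:                      # LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfo: size, header size, flags, offsets
        li_size, _hdr, li_flags, _vol, _local, cnrl_off = struct.unpack_from("<6I", buf, pos)
        if li_flags & 0x2:                      # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = pos + cnrl_off
            net_off = struct.unpack_from("<I", buf, cnrl + 8)[0]   # NetNameOffset
            start = cnrl + net_off
            fields["net_name"] = buf[start:buf.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:
            fields[name], pos = _string_data(buf, pos, bool(flags & IS_UNICODE))
    while pos + 8 <= len(buf):                  # ExtraData blocks until a size < 4 terminator
        size, sig = struct.unpack_from("<II", buf, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIG and size == ENV_BLOCK_SIZE:   # 260-byte ANSI then 520-byte Unicode target
            uni = buf[pos + 8 + 260:pos + 8 + 260 + 520].decode("utf-16-le", "ignore")
            fields["env_target"] = uni.split("\x00", 1)[0]
        pos += size
    return fields


def remote_hosts(fields: Dict[str, str], trusted: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """(field, host) for every UNC path whose host is not an allow-listed server."""
    return [(name, host) for name, value in fields.items()
            for host in UNC_RE.findall(value) if host.lower() not in trusted]


def build_lnk(icon_location: str) -> bytes:
    """Constructed fixture: the smallest valid shell link, carrying only ICON_LOCATION."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_ICON | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + body + struct.pack("<I", 0)   # terminal ExtraData block


if __name__ == "__main__":
    sample = build_lnk(r"\\203.0.113.5\share\preview.ico")   # TEST-NET-3, constructed
    print(remote_hosts(parse_lnk(sample), trusted=("fs01.corp.example",)))
```

Run it over every `*.lnk` on a file share or in a mail quarantine and review any hit whose host is not one of your own servers; a shortcut that points its icon, working directory or target at an address you do not own is worth quarantining whether or not it matches the specific trigger Microsoft patched.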

Timeline

Dec 2025: Russian APT28 exploitation begins. Fancy Bear deploys CVE-2026-21510 against Ukrainian and EU targets in an exploit chain with an MSHTML bypass.
Feb 2026: Microsoft issues initial patch. The February patch blocks RCE and the SmartScreen bypass but leaves the authentication coercion pathway intact.
14 Apr 2026: Akamai discloses residual flaw. Security researchers report CVE-2026-32202 to Microsoft after discovering credential leakage during patch validation.
29 Apr 2026: CISA mandates federal remediation. The vulnerability is added to the KEV catalog with a 12 May deadline for federal agency patching.

Active Exploitation in the Wild

Microsoft marked CVE-2026-32202 as under active exploitation on 27 April, two days before CISA’s catalog addition. While Microsoft has not attributed the current exploitation campaign, SecurityWeek reports that APT28—the same Russian military intelligence unit that exploited the original flaw—maintains infrastructure capable of weaponizing the credential theft vector.

The vulnerability affects all supported versions of Windows. Because the credential theft occurs during ordinary file browsing, standard user awareness training offers limited protection. Attackers need only place a malicious shortcut file in a shared network directory, an email attachment, or a download from a compromised website; when a user browses to the containing folder, Windows automatically processes the shortcut’s embedded path and sends the user’s NTLM challenge-response to the attacker’s host.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

CISA advisory

NTLM relay attacks let an adversary forward a victim’s live authentication to another service and act as that user without ever cracking the password. In enterprise environments where SMB or LDAP signing is not enforced, a single coerced authentication from a privileged account can be turned into domain administrator access within minutes.

Patch Validation Under Scrutiny

The incomplete fix raises questions about Microsoft’s internal security validation processes. Akamai researchers discovered the residual flaw using standard patch testing procedures—monitoring network traffic from a system processing malicious shortcut files. That Microsoft’s own quality assurance failed to detect authentication leakage suggests gaps in automated testing coverage for protection mechanism bypasses.

Microsoft released a complete patch for CVE-2026-32202 in its April 2026 security update, two months after the initial February fix. In the interval between the original patch and the discovery of its inadequacy, enterprises believed their systems were protected while they remained vulnerable to credential theft.

Vulnerability Metrics

CVE-2026-21510 (original): CVSS 8.8
CVE-2026-32202 (residual): CVSS 4.3
Federal patch deadline: 12 May 2026

The lower CVSS score for the residual flaw reflects reduced direct impact—credential theft versus remote code execution. But in the context of APT28’s demonstrated capability to chain Windows vulnerabilities, stolen credentials provide an entry point for multi-stage attacks that can achieve comparable outcomes to direct RCE.

What to Watch

Enterprise security teams should prioritise deployment of Microsoft’s April patch for CVE-2026-32202 whether or not their systems fall under the federal mandate. Organisations should also audit SMB and LDAP signing enforcement (and LDAP channel binding) across their environments, since unsigned connections let a captured authentication be relayed even when the password cannot be cracked offline; restricting outbound NTLM to remote servers, where legacy dependencies allow, stops a coerced authentication from leaving the host at all.
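The relay consequences described under “Active Exploitation in the Wild” and the signing audit recommended here both come down to a handful of host policies. The check below is an added example for this article, not Microsoft or CISA tooling; the registry paths, the hardened values and the policy names in the comments are the documented settings behind the Group Policy items named, with `RestrictSendingNTLMTraffic = 2` (deny all outgoing NTLM) treated as the target and audit mode (1) a sensible first step. The sample values fed to `evaluate()` are constructed; `read_live()` is the only part that touches a real Windows host.

```python
"""Audit the policies that decide what a coerced NTLM authentication is worth:
SMB signing, LDAP signing and channel binding (domain controllers), outbound
NTLM restriction and NTLMv1 refusal. Added example for this article."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]   # (HKLM-relative path, value name)


@dataclass(frozen=True)
class Policy:
    path: str
    name: str
    required: int
    dc_only: bool
    impact: str   # what an attacker gains while the setting is weak, and the GPO item that fixes it


POLICIES = (
    Policy(r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "RequireSecuritySignature", 1, False,
           "relayed auth can open SMB sessions here (Microsoft network server: digitally sign communications (always))"),
    Policy(r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature", 1, False,
           "host accepts unsigned SMB sessions as a client (Microsoft network client: digitally sign communications (always))"),
    Policy(r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity", 2, True,
           "relay to LDAP can write directory objects (Domain controller: LDAP server signing requirements = Require signing)"),
    Policy(r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters", "LdapEnforceChannelBinding", 2, True,
           "relay to LDAPS works without channel binding (Domain controller: LDAP server channel binding token requirements = Always)"),
    Policy(r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic", 2, False,
           "coerced auth may leave for remote servers (Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all)"),
    Policy(r"SYSTEM\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel", 5, False,
           "NTLMv1/LM responses may be sent and crack trivially (LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM)"),
)


def evaluate(values: Dict[Key, Optional[int]], is_dc: bool) -> List[dict]:
    """One finding per policy that is absent (None, so the weak default applies)
    or set to something other than the hardened value."""
    findings = []
    for p in POLICIES:
        if p.dc_only and not is_dc:
            continue
        actual = values.get((p.path, p.name))
        if actual != p.required:
            findings.append({"setting": "HKLM\\" + p.path + "\\" + p.name,
                             "actual": actual, "required": p.required, "impact": p.impact})
    return findings


def relay_feasible(findings: List[dict]) -> bool:
    """True when a relayed NTLM authentication would be accepted by SMB or LDAP on this host."""
    weak = {f["setting"].rsplit("\\", 1)[-1] for f in findings
            if "LanmanServer" in f["setting"] or "NTDS" in f["setting"]}
    return bool(weak & {"RequireSecuritySignature", "LDAPServerIntegrity"})


def read_live() -> Dict[Key, Optional[int]]:
    """Read the same values from the local registry (Windows only)."""
    import winreg
    out: Dict[Key, Optional[int]] = {}
    for p in POLICIES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, p.path) as k:
                out[(p.path, p.name)] = winreg.QueryValueEx(k, p.name)[0]
        except OSError:
            out[(p.path, p.name)] = None
    return out


# Constructed sample: a member server with client-side signing on, everything else default.
SAMPLE_MEMBER_SERVER: Dict[Key, Optional[int]] = {
    (r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature"): 1,
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel"): 3,
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_MEMBER_SERVER, is_dc=False):
        print(f["setting"], "=", f["actual"], "(want", f["required"] + ")", "->", f["impact"])
```

On a domain controller pass `is_dc=True` so the LDAP checks apply; the two LDAP settings are the ones that turn a relayed workstation authentication into directory writes, which is why they sit beside SMB signing rather than being an optional extra.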

Network monitoring for anomalous NTLM authentication attempts—particularly connections to external IP addresses or newly registered domains—can provide early warning of exploitation attempts. Given APT28’s historical focus on critical infrastructure and government networks, organisations in those sectors should assume targeting and accelerate remediation timelines.
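The monitoring suggested above is straightforward to express over NTLM authentication logs. The detector below is an added example for this article, not Akamai, CISA or Microsoft tooling. It assumes a Zeek-style `ntlm.log` (tab-separated with a self-describing `#fields` header; only a subset of Zeek’s columns is shown) and an enterprise address space given as RFC 1918 plus loopback and link-local; both are assumptions to adjust for your sensor. The sample lines are constructed, with the TEST-NET-3 address 203.0.113.5 standing in for attacker infrastructure.

```python
"""Flag NTLM authentications that leave the enterprise or land on internal hosts
that should never receive NTLM. Added example for this article."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Assumed enterprise address space; anything else is treated as external.
INTERNAL = tuple(ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"))

# Constructed sample: two workstations authenticate normally to the DC and a file
# server, then both are coerced into NTLM against the same outside host on 445/TCP.
SAMPLE_NTLM_LOG = "\n".join("\t".join(row) for row in (
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "username", "hostname", "domainname", "server_dns_computer_name", "success"),
    ("1777468800.1", "C1", "10.1.2.34", "51234", "10.1.0.10", "445", "jdoe", "WS034", "CORP", "dc01.corp.example", "T"),
    ("1777468801.7", "C2", "10.1.2.34", "51240", "203.0.113.5", "445", "jdoe", "WS034", "CORP", "-", "F"),
    ("1777468805.2", "C3", "10.1.2.57", "51300", "203.0.113.5", "445", "asmith", "WS057", "CORP", "-", "F"),
    ("1777468807.9", "C4", "10.1.2.57", "51310", "10.1.0.22", "445", "asmith", "WS057", "CORP", "fs01.corp.example", "T"),
    ("1777468809.0", "C5", "10.1.2.57", "51320", "10.9.9.9", "445", "asmith", "WS057", "CORP", "-", "F"),
))


def parse_zeek(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log using its #fields header; other # lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ntlm_alerts(rows: Iterable[Dict[str, str]], known_servers: Set[str]) -> List[dict]:
    """Two detections:
    - ntlm_to_external: the responder is outside the enterprise address space,
      i.e. a user's authentication just left the organisation (one alert per event);
    - ntlm_to_unknown_internal: the responder is internal but not an approved
      NTLM-accepting server, aggregated per destination with the victim count
      (a relay listener or rogue share inside the network)."""
    alerts, unknown = [], defaultdict(set)
    for r in rows:
        dst = ipaddress.ip_address(r["id.resp_h"])
        if not any(dst in net for net in INTERNAL):
            alerts.append({"rule": "ntlm_to_external", "src": r["id.orig_h"], "dst": str(dst),
                           "port": r["id.resp_p"], "user": r["username"]})
        elif str(dst) not in known_servers:
            unknown[str(dst)].add(r["id.orig_h"])
    for dst, srcs in sorted(unknown.items()):
        alerts.append({"rule": "ntlm_to_unknown_internal", "dst": dst, "victims": len(srcs)})
    return alerts


def coercion_sources(alerts: List[dict]) -> Dict[str, int]:
    """External destinations ranked by how many distinct clients authenticated to them;
    several clients hitting one outside host is the signature of a shared malicious shortcut."""
    victims = defaultdict(set)
    for a in alerts:
        if a["rule"] == "ntlm_to_external":
            victims[a["dst"]].add(a["src"])
    return {dst: len(s) for dst, s in sorted(victims.items(), key=lambda kv: -len(kv[1]))}


if __name__ == "__main__":
    found = ntlm_alerts(parse_zeek(SAMPLE_NTLM_LOG), known_servers={"10.1.0.10", "10.1.0.22"})
    for a in found:
        print(a)
    print(coercion_sources(found))
```

Outbound NTLM to any address you do not own is the high-confidence signal; the internal rule is noisier and depends on keeping the approved-server list honest, but it is the one that catches a relay listener an attacker stands up inside the network after the first credential is captured.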

The incident will likely prompt scrutiny of Microsoft’s patch validation procedures and disclosure timelines. Akamai disclosed CVE-2026-32202 to Microsoft on 14 April; the company took 13 days to confirm active exploitation and update its advisory. Whether that delay reflects detection challenges or coordination complexity remains unclear, but it left defenders operating without complete threat intelligence during an active campaign.