Microsoft’s April Windows fix left a zero-click credential theft hole

Microsoft’s April 2026 security updates quietly closed a more serious Windows problem than the label first suggested. The company patched CVE-2026-32202, a Windows Shell issue now flagged as actively exploited, after researchers at Akamai found that an earlier fix had left behind a path for zero-click credential theft.
This matters because the bug is not just another theoretical bypass. According to SecurityWeek’s report on Akamai’s findings, the issue can force a victim machine to authenticate to an attacker-controlled server without any user interaction. That turns what looked like a partially resolved security problem into a more dangerous credential-exposure scenario, especially in enterprise environments where NTLM-based attacks can still lead to lateral movement.
What actually went wrong
The chain starts with flaws Microsoft patched in February, including CVE-2026-21510 and CVE-2026-21513. Those bugs were already serious because they could be used with malicious shortcut and HTML files to bypass protections and help deliver remote code execution. But Akamai says Microsoft’s earlier remediation did not fully close the door.
Instead, the patch blocked the main remote-code-execution route while leaving an earlier stage in the process intact. When Windows Explorer renders a folder containing a malicious LNK file, it can still reach out to a remote server to fetch an icon over a UNC path. That network connection is enough to trigger an automatic NTLM authentication handshake. In practice, the victim can leak a Net-NTLMv2 hash to the attacker without clicking anything.
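The leak described above starts with Explorer reading a shortcut's icon source, so one defensive check is to scan inbound .LNK files for icon references that point at a remote share before they ever reach a user's folder. The following is an added example, not code from the article, from Akamai or from Microsoft: a minimal parser for the Shell Link header, StringData and IconEnvironmentDataBlock, laid out per the public MS-SHLLINK format, that reports any icon source given as a UNC path. The sample shortcuts are constructed in-line by the builder; the hostnames and paths in them are placeholders.

```python
"""Scan Windows shortcut (.LNK) bytes for icon sources on remote UNC paths.

Added example; layout follows MS-SHLLINK sections 2.1 (header), 2.4 (StringData)
and 2.5.6 (IconEnvironmentDataBlock). Sample files are constructed by
build_sample_lnk() and are not real captures.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ICON_ENV_BLOCK_SIG = 0xA0000007  # IconEnvironmentDataBlock signature

# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _read_string(data, pos, unicode):
    """StringData item: CountCharacters (u16) followed by the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    nbytes = count * 2 if unicode else count
    raw = data[pos:pos + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, pos + nbytes


def _icon_environment_target(data, pos):
    """Walk ExtraData blocks and return the IconEnvironmentDataBlock target, if any."""
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos)
        if size < 4:
            return None  # TerminalBlock
        if size >= 788 and struct.unpack_from("<I", data, pos + 4)[0] == ICON_ENV_BLOCK_SIG:
            ansi = data[pos + 8:pos + 268].split(b"\x00", 1)[0].decode("cp1252", "replace")
            uni = data[pos + 268:pos + 788].decode("utf-16-le", "replace").split("\x00", 1)[0]
            return uni or ansi
        pos += size
    return None


def parse_lnk(data):
    """Return header flags, StringData fields and the icon environment target of a .LNK."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    unicode = bool(flags & IS_UNICODE)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            info[name], pos = _read_string(data, pos, unicode)
    info["icon_environment"] = _icon_environment_target(data, pos)
    return info


def is_remote_path(path):
    """True for \\\\server\\share style paths, including the \\\\?\\UNC\\ extended form."""
    p = path.strip()
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return p[4:].upper().startswith("UNC\\")  # \\?\C:\... is local, \\?\UNC\... is not
    return p.startswith("\\\\") or p.startswith("//")


def find_remote_icon_sources(data):
    """List (field, value) pairs where the shortcut's icon would be fetched from a remote host.
    Only icon sources are checked here; the link target itself can also be remote."""
    info = parse_lnk(data)
    return [(f, info[f]) for f in ("icon_location", "icon_environment")
            if info.get(f) and is_remote_path(info[f])]


def build_sample_lnk(icon_location, icon_env=None):
    """Constructed sample: minimal header, one ICON_LOCATION string, optional icon env block."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_ICON_LOCATION | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, reserved fields
    body = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    if icon_env is not None:
        ansi = icon_env.encode("cp1252").ljust(260, b"\x00")
        uni = icon_env.encode("utf-16-le").ljust(520, b"\x00")
        body += struct.pack("<II", 788, ICON_ENV_BLOCK_SIG) + ansi + uni
    return header + body + struct.pack("<I", 0)  # TerminalBlock


if __name__ == "__main__":
    sample = build_sample_lnk(r"\\fileserver.example.invalid\icons\app.ico")  # placeholder host
    print(find_remote_icon_sources(sample))
```

Run it over every .LNK arriving by mail gateway or download folder and quarantine anything that returns a non-empty list; shortcuts in a normal corporate image reference local DLL or EXE icons, so a UNC icon source is a strong signal on its own.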
Why the zero-click angle matters
Credential theft bugs often get less attention than dramatic remote-code-execution headlines, but in many real intrusions they are just as useful. If an attacker can harvest NTLM material from a user or workstation automatically, that data may be used for relay attacks or offline cracking. In a corporate network, that can become the first step toward privilege escalation or movement into more sensitive systems.
The zero-click detail raises the severity of the operational risk. Security teams usually train users not to open suspicious attachments or run unknown files. That guidance is less helpful when the act of displaying a malicious shortcut in Explorer may be enough to start the leak.
APT28 adds geopolitical weight
Akamai linked the broader exploitation chain to APT28, the Russia-linked group also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy. According to the research cited by SecurityWeek, the campaign likely hit targets in Ukraine and European Union countries in December 2025. That gives the vulnerability more significance than a lab-only discovery. It appears tied to a real espionage context with a capable threat actor.
Microsoft’s advisory now marks CVE-2026-32202 as exploited, even though the company has not publicly detailed the attacks. That kind of label usually tells defenders something important on its own: patching should not be treated as routine backlog work here.
What defenders should do now
The first step is obvious. Organizations should make sure the April 2026 Windows updates covering CVE-2026-32202 are fully deployed. But this is also a reminder to review how much exposure still exists around NTLM, shortcut handling, and inbound file flows. Environments that can reduce or segment NTLM usage, harden SMB pathways, and restrict untrusted shortcut delivery will be in a better position if similar bugs surface again.
Teams should also pay attention to any signs of suspicious outbound authentication traffic and unusual SMB connections, especially tied to Explorer activity or file shares that should not be contacting outside systems. The deeper lesson is that incomplete fixes can be almost as dangerous as the original flaw when attackers already understand the code path.
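To make the monitoring advice above concrete, here is an added example (not from the article) that runs over a small constructed connection log and flags SMB-port connections from any process to hosts outside the organization's internal ranges. The log line format, the process names and the addresses are assumptions for the demonstration; a real deployment would feed Windows Firewall, EDR or flow records in their own schema.

```python
"""Flag outbound SMB connections to external hosts in a constructed connection log.

Added example. Internal ranges are listed explicitly rather than via
ip.is_private so that documentation addresses such as 203.0.113.45 (used in
the sample below) are treated as external, as a real Internet host would be.
"""
import ipaddress

# Constructed sample log, not a real capture. Assumed format: timestamp,process,dst_ip,dst_port
SAMPLE_LOG = """\
2026-04-15T09:12:01Z,explorer.exe,10.0.4.20,445
2026-04-15T09:12:07Z,explorer.exe,203.0.113.45,445
2026-04-15T09:13:30Z,chrome.exe,198.51.100.9,443
2026-04-15T09:14:02Z,svchost.exe,192.168.1.5,139
2026-04-15T09:15:11Z,explorer.exe,203.0.113.45,80
"""

SMB_PORTS = {139, 445}

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(ip_text, extra_networks=()):
    """True if the address falls in an RFC 1918/loopback/link-local range or a trusted extra network."""
    ip = ipaddress.ip_address(ip_text)
    nets = INTERNAL_NETWORKS + [ipaddress.ip_network(n) for n in extra_networks]
    return any(ip in net for net in nets)  # 'in' is False across IPv4/IPv6 versions


def parse_log(text):
    """Parse the assumed CSV format into event dicts, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proc, dst, port = line.split(",")
        events.append({"ts": ts, "process": proc, "dst_ip": dst, "dst_port": int(port)})
    return events


def suspicious_outbound_smb(text, trusted_networks=()):
    """Return (process, dst_ip, dst_port) for SMB-port connections to non-internal hosts."""
    return [(e["process"], e["dst_ip"], e["dst_port"]) for e in parse_log(text)
            if e["dst_port"] in SMB_PORTS and not is_internal(e["dst_ip"], trusted_networks)]


def flagged_processes(text, trusted_networks=()):
    """Count suspicious connections per originating process, useful for a quick triage view."""
    counts = {}
    for proc, _ip, _port in suspicious_outbound_smb(text, trusted_networks):
        counts[proc] = counts.get(proc, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in suspicious_outbound_smb(SAMPLE_LOG):
        print("suspicious outbound SMB:", hit)
```

The same check expressed as a firewall policy (block outbound TCP 445 and 139 to non-internal destinations) prevents the handshake rather than merely recording it; keeping the log-side detection as well catches hosts where the policy has not been applied or where a trusted-network exception is wider than intended.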
As first reported by SecurityWeek, this is one of those Windows stories where the patch itself is only half the news. The more important point is that a familiar security boundary still proved leaky, and active attackers appear to have known it before many defenders did.
Originally reported by SecurityWeek. Read the original article for additional details.