PT-2026-32854 · Microsoft · Windows Shell+1

Maor Dahan · Published 2026-04-14 · Updated 2026-06-05 · CVE-2026-32202

CVSS v2.0: 5.0 Medium

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft Windows versions prior to April 2026

Description

A protection mechanism failure in the Windows Shell allows an unauthorized remote attacker to perform spoofing. The issue occurs because Windows Explorer automatically attempts to fetch icons via UNC paths, triggering an NTLM handshake. This allows a malicious Windows shortcut or LNK path to initiate an automatic SMB authentication attempt, exposing the victim's Net-NTLMv2 hash for potential relay or offline cracking without any user interaction. This flaw has been actively exploited by APT28 (also known as Fancy Bear) in attacks targeting Ukraine and European nations.

Recommendations

Update Microsoft Windows to the version released in April 2026.
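
A defender-side triage check for the shortcut behaviour described above, as an added example that is not part of the original advisory: it reads a .lnk file's raw bytes and reports any \\host\share reference without letting the Shell resolve the file. The function names and sample bytes are constructed for illustration, and the byte-pattern search is a heuristic, not a full Shell Link parser.

```python
import re
import sys

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# \\host\share as single-byte text and as UTF-16LE (ASCII range only).
UNC_ANSI = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\([^\x00-\x1f\\\x7f-\xff]+)")
UNC_UTF16 = re.compile(
    rb"(?:\\\x00){2}((?:[A-Za-z0-9._-]\x00)+)\\\x00((?:[^\x00-\x1f\\\x7f-\xff]\x00)+)"
)


def find_unc_paths(data: bytes) -> list[str]:
    """Return unique \\\\host\\share prefixes found in raw bytes, without resolving them."""
    found = set()
    for m in UNC_ANSI.finditer(data):
        found.add("\\\\%s\\%s" % (m.group(1).decode("ascii"), m.group(2).decode("ascii")))
    for m in UNC_UTF16.finditer(data):
        host = m.group(1).decode("utf-16-le")
        share = m.group(2).decode("utf-16-le")
        found.add("\\\\%s\\%s" % (host, share))
    return sorted(found)


def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut whose bytes reference a remote UNC location."""
    is_lnk = data[:len(LNK_MAGIC)] == LNK_MAGIC
    unc = find_unc_paths(data) if is_lnk else []
    return {"is_lnk": is_lnk, "unc_paths": unc, "suspicious": bool(unc)}


# Constructed samples: valid header prefix plus an icon-style string; not full LNK files.
SAMPLE = (LNK_MAGIC + bytes(56)
          + "\\\\files.example.test\\icons\\app.ico".encode("utf-16-le") + b"\x00\x00")
BENIGN = LNK_MAGIC + bytes(56) + "C:\\Windows\\System32\\shell32.dll".encode("utf-16-le")

if __name__ == "__main__":
    # Usage: python triage_lnk.py file1.lnk file2.lnk ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_lnk(fh.read()))
```

A hit is a lead for review rather than a verdict, since shortcuts to legitimate file shares also contain UNC paths.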

Exploit

Fix

RCE

DoS

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

BDU:2026-05493
CVE-2026-32202

Affected Products

Windows
Windows Shell