Microsoft Shell Spoofing Zero-day Vulnerability

What is the Attack?

A newly disclosed vulnerability, CVE-2026-32202, has emerged due to an incomplete patch by Microsoft for a previously exploited remote code execution flaw (CVE-2026-21510). While the original update addressed both RCE and SmartScreen bypass, it failed to eliminate a residual zero-click NTLM authentication coercion issue. This allows attackers to silently force a victim system to authenticate against a malicious server without user interaction.

The threat activity has been linked to APT28 (also known as Fancy Bear / UAC-0001), which began exploiting the original vulnerability chain in December 2025, targeting organizations across Ukraine and the EU. Evidence confirms exploitation in the wild as early as January 2026, prior to Microsoft’s February Patch Tuesday release.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued remediation directives to federal agencies, citing confirmed zero-day exploitation involving CVE-2026-32202.

Vulnerability Chain Overview

The attack chain combines multiple flaws within crafted LNK files:

CVE-2026-21510 – Remote Code Execution (pre-patch)

CVE-2026-21513 – Malicious LNK file handling flaw

CVE-2026-32202 – Residual zero-click NTLM authentication coercion (post-patch)

What is the recommended Mitigation?

Mitigation & Recommendations

Apply the latest Microsoft patches addressing CVE-2026-32202 and related vulnerabilities
Disable or restrict NTLM authentication where possible
Implement SMB signing and enforce Extended Protection for Authentication (EPA)
Monitor for anomalous outbound authentication attempts (e.g., SMB/HTTP to untrusted hosts)
Block or inspect suspicious LNK file delivery vectors

Detection Opportunities

Outbound NTLM authentication attempts to unknown or external IPs
Suspicious LNK file execution or delivery patterns
Indicators tied to known APT28 infrastructure or tactics

What FortiGuard Coverage is available?

• FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS provides coverage to detect and block exploitation attempts targeting CVE-2026-32202.

Intrusion Prevention | FortiGuard Labs

• FortiGuard Antivirus & Behavior Detection: Protects against malicious payloads and post-exploitation activity, including detection of suspicious LNK file execution, abnormal authentication behavior, and attempts to coerce outbound NTLM authentication to attacker-controlled infrastructure.

• FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching, eliminating manual processes while reducing the attack surface for CVE-2026-21510, CVE-2026-21513, and CVE-2026-32202

.

Endpoint Vulnerability | FortiGuard Labs

Endpoint Vulnerability | FortiGuard Labs

Endpoint Vulnerability | FortiGuard Labs

• FortiGuard Incident Response: Organizations that suspect exposure to exploitation activity linked to APT28 or these vulnerabilities should engage FortiGuard Incident Response for rapid investigation, credential exposure assessment, containment, and remediation.

• FortiGuard Web Filtering: Blocks access to known malicious domains and attacker-controlled servers used for NTLM hash capture, payload delivery, and command-and-control communication

Microsoft Shell Spoofing Zero-day Vulnerability

Securonix Acquires Threat Intelligence Firm ThreatQuotient

LongNosedGoblin Caught Snooping on Asian Governments

Marks & Spencer Confirms Customer Data Stolen in Cyberattack

Commvault: Vulnerability Patch Works as Intended

Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation

3 SOC Challenges You Need to Solve Before 2026

Related