APT28's Zero-Day Got a Patch — Then Researchers Found It Left a Zero-Click Hole Open
Microsoft's February patch for a Windows zero-day actively exploited by Russia's APT28 blocked the remote code execution path — but left behind a zero-click authentication coercion flaw. Akamai researchers found it while testing the fix. That flaw is now CVE-2026-32202, confirmed exploited in the wild, and added to CISA's KEV catalog.
WASHINGTON, D.C. — When Microsoft patched CVE-2026-21510 in February 2026, a Windows Shell vulnerability confirmed exploited by Russia's APT28 (Fancy Bear) in attacks against Ukraine and EU countries, researchers at Akamai ran a patch differential analysis to verify that the fix held. It did not fully hold. While the remote code execution path was closed, the February patch left the victim machine still authenticating to the attacker's server under certain conditions, creating a zero-click credential theft vector. Akamai disclosed the residual flaw to Microsoft under responsible disclosure, and Microsoft issued a fix in the April 2026 Patch Tuesday cycle as CVE-2026-32202. Within days, Microsoft marked it as exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on April 28, 2026.
Vulnerability Chain Overview

| Field | Details |
|---|---|
| Original CVE | CVE-2026-21510 — Windows Shell security feature bypass; exploited by APT28 in LNK-based attacks on Ukraine and EU countries (December 2025) |
| Chained CVE | CVE-2026-21513 — MSHTML security feature bypass; chained with CVE-2026-21510 in the same weaponized LNK file |
| February Patch | Microsoft patched CVE-2026-21510 and CVE-2026-21513 in February 2026 Patch Tuesday — closed the RCE and SmartScreen bypass path |
| Residual Flaw | CVE-2026-32202 — victim machine continued authenticating to attacker's server; zero-click Net-NTLMv2 hash theft via auto-parsed LNK files |
| CVSS Score | 4.3 Medium — low complexity, network attack vector, no user interaction required |
| April Fix | Patched in April 2026 Patch Tuesday; marked exploited in wild on April 27; added to CISA KEV April 28 |
| Federal Deadline | May 12, 2026 — FCEB agencies required to patch under BOD 22-01 |
What Happened
The Original APT28 Exploit Chain
According to Ukraine's CERT-UA, APT28 — the GRU-linked Russian threat group also tracked as Fancy Bear and Forest Blizzard — launched a cyberattack campaign targeting Ukraine and several EU countries beginning in December 2025. The campaign used weaponized LNK shortcut files delivered via phishing emails purporting to be from Ukraine's hydro-meteorological center. The LNK files chained two vulnerabilities: CVE-2026-21513, an MSHTML security feature bypass, and CVE-2026-21510, a Windows Shell flaw. Together they allowed the attackers to bypass Microsoft Defender SmartScreen and remotely execute attacker-controlled code stored on a remote server — without the victim needing to do anything beyond opening the shortcut file.
Microsoft patched both CVEs in the February 2026 Patch Tuesday cycle, flagging CVE-2026-21510 as exploited in the wild at the time of disclosure. Akamai, which had detected the APT28 exploitation in January 2026, deliberately withheld details of a second issue in the chain it had identified during patch analysis — to allow responsible disclosure to proceed.
The Incomplete Fix
When Akamai senior security researcher Maor Dahan used PatchDiff-AI to analyze the February patches, something unexpected appeared. The RCE and SmartScreen bypass paths were closed: Microsoft had enforced SmartScreen scanning of CPL files loaded via the shell namespace parsing mechanism. But, as Dahan described it, "The victim machine was still authenticating to the attacker's server." The gap lay between path resolution and trust verification. The Windows Shell parser resolved the LNK file's UNC path before the trust verification step fired, so the authentication handshake had already occurred by the time SmartScreen could intervene. This left a zero-click Net-NTLMv2 hash exfiltration vector intact even after the February patch was applied.
Akamai disclosed the residual flaw to Microsoft. The result was CVE-2026-32202, patched in April 2026. This is now the second consecutive month in which an incomplete Windows patch has spawned a new actively exploited CVE, a pattern worth tracking. The April 2026 Patch Tuesday cycle addressed 166 other vulnerabilities alongside CVE-2026-32202, among them a separately disclosed SharePoint zero-day.
Scope and Impact
CVE-2026-32202 allows an unauthenticated attacker to steal a victim's Net-NTLMv2 authentication hash via a malicious LNK file — with no user interaction required beyond the file being parsed by Windows Shell. The stolen hash can then be used in pass-the-hash or relay attacks to authenticate as the victim, access sensitive network resources, and pivot laterally across enterprise environments. As previously reported, CISA added CVE-2026-32202 to its KEV catalog on April 28 alongside the ConnectWise ScreenConnect flaw, setting a May 12 federal remediation deadline.
The attack vector is network-based with no privilege requirement and no user interaction, placing it in a category of particular concern for enterprise Windows environments where users routinely process files from network shares, email attachments, or downloaded archives — all of which can contain LNK files. Privileged user workstations carry the highest risk, as credential theft from an administrator account enables domain-level lateral movement.
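For defenders hunting shortcuts of the kind described above in mail attachments, archives and shares, here is an added example (not code from the article or from Akamai's write-up): a Python parser that extracts the UNC targets a shell link carries in its LinkInfo network name and its StringData fields (working directory, icon location, arguments) and reports hosts outside an allowlist. The sample shortcuts, the 203.0.113.7 host and the allowlisted file server name are constructed test fixtures.

```python
import re
import struct

# From MS-SHLLINK: LinkCLSID, the LinkFlags bits used here and the StringData fields in on-disk order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9._-]+)")  # host part of \\host\share\...

def parse_lnk(data):
    """Parse the header, the LinkInfo network name and the StringData of a .lnk blob."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:  # skip LinkTargetIDList: 2-byte IDListSize followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    net_name = None
    if flags & HAS_LINKINFO:
        li_size, _, li_flags, _, _, cnrl_off = struct.unpack_from("<6I", data, pos)
        if li_flags & 0x2:  # CommonNetworkRelativeLink present: read its NUL-terminated NetName
            cnrl = pos + cnrl_off
            nn_off = struct.unpack_from("<I", data, cnrl + 8)[0]
            net_name = data[cnrl + nn_off:data.index(b"\x00", cnrl + nn_off)].decode("latin-1")
        pos += li_size
    strings, wide = {}, bool(flags & IS_UNICODE)
    for bit, key in STRING_FIELDS:  # each field: CountCharacters then the chars, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * (2 if wide else 1)
            strings[key] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if wide else "latin-1")
            pos += 2 + n
    return {"net_name": net_name, "strings": strings}

def untrusted_hosts(data, trusted):
    """UNC hosts the shell would resolve (and authenticate to) that are not on the allowlist."""
    parsed = parse_lnk(data)
    texts = [parsed["net_name"] or ""] + list(parsed["strings"].values())
    return {h.lower() for t in texts for h in UNC_HOST.findall(t)} - {h.lower() for h in trusted}

def build_test_lnk(working_dir, icon, net_name=None):
    """Constructed test fixture, not a real sample: Unicode StringData plus an optional LinkInfo."""
    flags, link_info = IS_UNICODE | 0x10 | 0x40, b""
    if net_name:
        flags |= HAS_LINKINFO
        nn = net_name.encode("latin-1") + b"\x00"
        cnrl = struct.pack("<5I", 20 + len(nn), 0x2, 20, 0, 0x20000) + nn  # ValidNetType, WNNC_NET_LANMAN
        link_info = struct.pack("<7I", 29 + len(cnrl), 28, 0x2, 0, 0, 28, 28 + len(cnrl)) + cnrl + b"\x00"
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(36) + struct.pack("<I", 1) + bytes(12)
    strs = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (working_dir, icon))
    return header + link_info + strs
```

Any host reported by untrusted_hosts is one the shell would have resolved before the trust check fired on an unpatched machine, which makes it a useful triage signal on ingress of .lnk files.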
Attack Timeline

| Date | Event |
|---|---|
| December 2025 | APT28 begins exploiting CVE-2026-21510 + CVE-2026-21513 chain against Ukraine and EU countries |
| January 2026 | Akamai detects the APT28 exploitation chain |
| February 2026 | Microsoft patches CVE-2026-21510 and CVE-2026-21513 in Patch Tuesday; Akamai discovers incomplete fix during patch differential analysis |
| April 14, 2026 | Microsoft patches CVE-2026-32202 in April Patch Tuesday |
| April 27, 2026 | Microsoft marks CVE-2026-32202 as exploited in the wild |
| April 28, 2026 | CISA adds CVE-2026-32202 to KEV catalog; May 12 federal remediation deadline set |
Response and Attribution
Microsoft has released a fix for CVE-2026-32202 as part of the April 2026 Patch Tuesday cycle. Administrators should ensure April cumulative updates have been applied to all supported Windows versions. Microsoft has not detailed the specific actors observed exploiting CVE-2026-32202, but Akamai's analysis notes that given the vulnerability's origin — an incomplete patch for a CVE actively exploited by APT28 — the same or affiliated actors are the most likely operators of in-the-wild exploitation.
Akamai's full technical write-up, including the root cause analysis, patch differential methodology, and exploitation flow diagram, is publicly available. For organizations that have not yet applied April Patch Tuesday updates, this should be treated as an active incident risk rather than a scheduled maintenance item.
The CyberSignal Analysis
Signal 01 — Incomplete Patches Are a Pattern, Not an Anomaly
The emergence of CVE-2026-32202 from an incomplete fix for CVE-2026-21510 reflects a structural challenge in modern patch development: complex attack chains involving multiple components can be partially mitigated while leaving adjacent attack surfaces open. This is the second consecutive month in which a Microsoft patch has generated a follow-on exploited CVE. Security teams should build patch validation into their processes, not just applying updates but verifying through independent analysis that the exploited attack path has been fully closed. Understanding how advanced persistent threats operate also shows why partial mitigations are insufficient against patient, well-resourced adversaries.
Signal 02 — Zero-Click Credential Theft Demands Priority Treatment
The zero-click nature of CVE-2026-32202 places it in a higher practical risk tier than its CVSS 4.3 Medium score suggests. No user interaction means no training, awareness, or behavioral control can mitigate this vulnerability — only patching does. Net-NTLMv2 relay attacks using stolen hashes are a well-understood and frequently used lateral movement technique. An unpatched Windows endpoint with a privileged user account is a direct path from initial file delivery to domain-level compromise.
Signal 03 — APT28 Is Actively Probing Windows LNK Handling
The consistency of APT28's focus on Windows Shell LNK file parsing — across CVE-2026-21510, CVE-2026-21513, and the conditions that produced CVE-2026-32202 — suggests this attack surface remains a productive hunting ground for Russian intelligence. Organizations with geopolitical exposure to Russian state-sponsored activity, particularly those operating in NATO member states, EU institutions, or defense supply chains, should treat any incomplete patching of LNK-related vulnerabilities as a priority escalation. Russia's escalating campaign against European targets makes this threat landscape directly relevant to a broad enterprise audience.