Microsoft's patch for a 0-day exploited by Russian spies fell short. Another Windows flaw is under attack
Second try's a charm?
by Jessica Lyons · The Register
Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a zero-click Windows flaw that can expose sensitive information on vulnerable systems.
While we don't know who is attacking this one, tracked as CVE-2026-32202, we'd suggest betting it all on Putin's goons. The flaw stems from an incomplete fix for an earlier vulnerability found and abused by Russian spies a month before Redmond released a patch.
The new bug, CVE-2026-32202, is an authentication coercion flaw in Windows Shell that can expose sensitive information on vulnerable systems via network spoofing. "An attacker who successfully exploited the vulnerability could view some sensitive information," Redmond warned when it disclosed the CVE on April 14.
On Monday, the Windows giant marked the bug as "exploitation detected." The next day, CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog, and set a May 12 deadline for federal agencies to fix the flaw.
The Register reached out to Microsoft about the scope of exploitation, who is responsible for the attacks, and what they are doing with the illicit access. We will update this story if we receive any response.
Microsoft credited Akamai senior security researcher Maor Dahan with finding and reporting CVE-2026-32202, and in his write-up Dahan says an incomplete patch for CVE-2026-21510 created the newer vuln.
Redmond attempted to patch CVE-2026-21510 in February. It was one of six actively exploited zero-days disclosed during that month's Patch Tuesday, and Akamai detected Russia's APT28 (also known as Fancy Bear) exploiting that security hole in January.
According to Akamai, citing Ukraine's Computer Emergency Response Team, APT28 exploited CVE-2026-21510 in attacks against Ukraine and European Union countries.
These attacks began with a phishing email, purporting to be from Ukraine's hydro-meteorological center, that contained a weaponized LNK file to exploit another vulnerability, CVE-2026-21513. By chaining CVE-2026-21513 with CVE-2026-21510, the Russian spies bypassed Microsoft security features including Defender SmartScreen and remotely executed malicious code on victims' computers.
Microsoft fixed both of these CVEs on February's Patch Tuesday.
However, "while Microsoft's fix successfully prevented the initial remote code execution (RCE) and SmartScreen bypass, it left behind a zero-click authentication coercion vulnerability," Dahan wrote, adding that he and his fellow Akamai bug hunters found CVE-2026-32202 while testing the February patches.
"While testing the patch, we noticed something interesting: The victim machine was still authenticating to the attacker's server," he said.
As Dahan explains, the security hole can be abused to send the victim's Net-NTLMv2 hash (authentication data) to the attacker, thus allowing the digital intruder to authenticate as the user, steal sensitive data, and snoop around on the victim's network.
"This gap between path resolution and trust verification left a zero-click credential theft vector via auto-parsed LNK files," he wrote. ®
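As an added example (not from the article or from Akamai's write-up), here is a defender-side scanner that parses the StringData fields of a .lnk file and reports any UNC or URL reference to a host outside the local network, the kind of path that would make Windows authenticate outward when the shell parses the link. The layout follows the MS-SHLLINK specification; `make_lnk` only builds constructed test input, and hosts such as `files.example.net` are placeholders.

```python
import re
import struct
from ipaddress import ip_address

LNK_HEADER_SIZE = 0x4C  # [MS-SHLLINK] header: 4-byte size, 16-byte CLSID, LinkFlags at offset 0x14
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData, on-disk order
HOST_RE = re.compile(r"(?:\\\\|//)([A-Za-z0-9._-]+)")  # host part of \\host\share or scheme://host

def extract_strings(data: bytes) -> dict:
    """Skip the optional IDList and LinkInfo blocks, then decode the StringData fields present."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def is_internal(host: str) -> bool:
    """Private IP addresses and single-label (NetBIOS-style) names count as internal."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return "." not in host

def remote_hosts(data: bytes) -> list:
    """External hosts the shell would have to reach just to resolve this link's paths."""
    hosts = [h for s in extract_strings(data).values() for h in HOST_RE.findall(s) if not is_internal(h)]
    return list(dict.fromkeys(hosts))  # de-duplicate, keep first-seen order

def make_lnk(fields: dict) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying StringData only (no IDList, no LinkInfo)."""
    flags, body = IS_UNICODE, b""
    for bit, key in STRING_FIELDS:
        if key in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header.ljust(LNK_HEADER_SIZE, b"\0") + body
```

Run `remote_hosts` over .lnk attachments at the mail gateway or in a sandbox; a non-empty result is worth quarantining, and the hosts it returns are the ones to check against outbound SMB and WebDAV firewall logs.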