URGENT: Microsoft's Incomplete Patch Creates a ZERO-CLICK Windows Exploit (CVE-2026-32202)
Author: Cybertech
Uploaded: 2026-05-11
Views: 27
Description:
Fellow researchers, defenders, and system administrators: we are facing a critical, high-severity situation regarding CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability currently under active exploitation by the Russian state-sponsored threat group APT28. In the spirit of Full Disclosure, this technical debrief provides the immediate operational intelligence you need to protect your networks from silent credential coercion.

In this video, I break down how Microsoft's February 2026 attempt to patch an initial exploit chain (CVE-2026-21510) was dangerously incomplete. While Microsoft successfully blocked the execution of untrusted Control Panel (.CPL) objects at the end of the launch chain, it failed to account for earlier execution stages. I will demonstrate the root cause: simply rendering a folder that contains a weaponized Windows Shortcut (.LNK) file forces Windows Explorer to extract an icon automatically via CControlPanelFolder::GetUIObjectOf. No user interaction is needed: that call triggers a PathFileExistsW lookup that resolves an attacker-controlled UNC path and initiates a Server Message Block (SMB) connection. This zero-click mechanism silently leaks Net-NTLMv2 responses, leaving you wide open to NTLM relay attacks and offline password cracking.

Waiting is not an option, and assuming you are safe because this is not a remote code execution bug is a critical error. Under CISA's Binding Operational Directive (BOD) 22-01, organizations face a mandatory remediation deadline of May 12, 2026. If you cannot verify that the May 2026 patches are universally deployed, I will walk you through the compensating controls you must implement today: network-level blocking of outbound SMB traffic (TCP ports 445 and 139) at your perimeter and endpoint firewalls, and a strict directive to disable NTLM authentication or, at minimum, enforce SMB signing globally so that a captured response cannot be relayed. Finally, I will cover threat-hunting telemetry, showing you how to audit Sysmon Event ID 7 (ImageLoaded) for anomalous or unsigned DLLs loaded into explorer.exe (the process that hosts shell32.dll) to determine whether your environment has already been breached. Protect your users now.
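The compensating controls and the hunt just described, as an added PowerShell example that is not the video's or its author's code. It assumes Sysmon is installed under its default log name and that the organization's legitimate SMB servers live only in RFC 1918 space; the firewall rule name, the RFC 1918 regex and the public address ranges are my own. It goes one step beyond the description by also querying Sysmon Event ID 3 for explorer.exe making SMB connections to non-internal addresses, which is the direct observable of the coercion rather than a DLL load, and it defaults the outgoing-NTLM restriction to audit mode because deny mode breaks any NTLM-only dependency.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the video). Assumptions: Sysmon is installed under its default
# log name, and internal SMB servers live only in the RFC 1918 ranges matched below.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'
$Rfc1918   = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'   # assumption: internal space
# Everything except RFC 1918, as firewall address ranges. Windows Firewall lets block rules
# win over allow rules, so the block must be scoped instead of paired with an allow rule.
$PublicRanges = @('0.0.0.0-9.255.255.255', '11.0.0.0-172.15.255.255',
                  '172.32.0.0-192.167.255.255', '192.169.0.0-255.255.255.255')

# 1. Endpoint egress control: no SMB (TCP 445/139) to non-internal addresses.
function Set-SmbEgressBlock {
    New-NetFirewallRule -DisplayName 'Block outbound SMB to public ranges (CVE-2026-32202 mitigation)' `
        -Direction Outbound -Protocol TCP -RemotePort 445, 139 `
        -RemoteAddress $PublicRanges -Action Block -Profile Any -Enabled True | Out-Null
}

# 2. NTLM hardening: deny outgoing NTLM so the coerced authentication never leaves the host,
#    and require SMB signing so a relayed session is rejected even if it does.
function Set-NtlmHardening {
    param([ValidateSet(0, 1, 2)][int]$RestrictOutgoingNtlm = 1)   # 0 allow, 1 audit, 2 deny
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # Run in audit (1) first and review event 8001 in Microsoft-Windows-NTLM/Operational.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
        -Name 'RestrictSendingNTLMTraffic' -Value $RestrictOutgoingNtlm -Type DWord
}

# Flatten a Sysmon event's EventData into an object keyed by field name.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{ Time = $Event.TimeCreated; Id = $Event.Id }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-SysmonEvents {
    param([int]$Id, [int]$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = $Id;
                                     StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-SysmonEvent $_ }
}

# 3a. Sysmon Event ID 7 (ImageLoaded): unsigned DLLs, or DLLs loaded from a UNC path,
#     inside explorer.exe.
function Find-ExplorerSuspiciousLoads {
    param([int]$Hours = 24)
    Get-SysmonEvents -Id 7 -Hours $Hours |
        Where-Object { $_.Image -like '*\explorer.exe' -and
                       ($_.Signed -ne 'true' -or $_.ImageLoaded -like '\\*') } |
        Select-Object Time, ImageLoaded, Signed, Signature
}

# 3b. Sysmon Event ID 3 (NetworkConnect): explorer.exe speaking SMB to a non-RFC 1918 address.
#     This is the direct trace of the coerced connection described above.
function Find-ExplorerExternalSmb {
    param([int]$Hours = 24)
    Get-SysmonEvents -Id 3 -Hours $Hours |
        Where-Object { $_.Image -like '*\explorer.exe' -and
                       $_.DestinationPort -in @('445', '139') -and
                       $_.DestinationIp -notmatch $Rfc1918 } |
        Select-Object Time, DestinationIp, DestinationPort, User
}

# Usage: hunt first (read-only), then apply the controls.
Find-ExplorerExternalSmb -Hours 72     | Format-Table -AutoSize
Find-ExplorerSuspiciousLoads -Hours 72 | Format-Table -AutoSize
Set-SmbEgressBlock
Set-NtlmHardening -RestrictOutgoingNtlm 1
```

A hit from Find-ExplorerExternalSmb is a stronger signal than an unsigned DLL in explorer.exe, because the vulnerability as described never loads attacker code; it only makes Explorer open an SMB session. Roll the firewall rule out through Group Policy rather than per host, and keep the NTLM restriction in audit mode until the 8001 events show nothing you depend on.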
⚖️ Legal Disclaimer
Unauthorized testing of systems you do not own is illegal. This video is for educational purposes, security auditing, and defensive research only. The goal is to provide immediate mitigation strategies and advocate for Coordinated Vulnerability Disclosure (CVD). Stay ethical, stay legal.
© 2026 Cybertech79. All Rights Reserved.