  • Writer: Patrick Duggan
  • 4 min read

# APT28 Is Live-Exploiting CVE-2026-32202 — Zero-Click NTLMv2 Leak via LNK


Microsoft confirmed active exploitation of CVE-2026-32202 in a revised security advisory on April 27, 2026. The vulnerability is a Windows Shell spoofing flaw with a zero-click credential-theft vector: a user does not have to execute a malicious file. They only have to open the folder containing the shortcut, and the Windows Shell automatically initiates an SMB authentication handshake that delivers their Net-NTLMv2 hash to an attacker-controlled SMB host.


The CVSS rating is 4.3. That dramatically under-prices the actual operational impact, and our pipeline has been flagging this gap for two weeks.


## What CVSS 4.3 hides



CVSS 4.3 describes the technical surface of the vulnerability — confidentiality impact, no user interaction required for the trigger, network attack vector. It does not describe what the captured Net-NTLMv2 hash enables once an attacker holds it.


The hash is a key. Once captured, the attacker has two paths:


  • NTLM relay: forward the captured authentication in real time to a target that accepts NTLM, including SMB shares, RDP gateways, Exchange, AD CS endpoints, and a long tail of legacy Windows services. A successful relay grants authenticated access to whatever the relayed identity owns.

  • Offline cracking: brute-force or dictionary-attack the hash to recover the plaintext password. Modern GPU rigs crack typical Windows passwords (8-12 characters with the usual organizational pattern) in hours to days. Once cracked, the password works for every SSO endpoint that user touches.


A "spoofing vulnerability with confidentiality impact" sounds like a polite information disclosure. In practice, it is a zero-click identity compromise that produces lateral movement, privilege escalation, and persistence. The CVSS framing under-prices that gap by an order of magnitude.


## Microsoft patched once, didn't fully fix



The original patch for CVE-2026-32202 was released April 14, 2026, without an "exploited in the wild" tag. Security teams treated it as a standard cycle item — patch with the rest of Patch Tuesday, no urgency.


That was a mistake driven by Microsoft's own initial labeling. The vulnerability is the residual from an incomplete patch for CVE-2026-21510, which had previously been chained with CVE-2026-21513 by APT28 (Fancy Bear, Russian GRU Unit 26165) for weaponized LNK files that bypassed Windows security features. The April 14 patch closed the original vector; it did not close the alternative path the actor had already pivoted to. APT28 was already inside that gap.


On April 27, Microsoft updated the advisory to correct the exploitability index and confirm active exploitation. The two-week silence between patch and exploitation acknowledgment cost defenders a window during which APT28 was operational against an unmarked CVE.


## The attribution context



APT28 / Fancy Bear is the GRU unit consistently named in Russian state-aligned offensive operations against Western targets — DNC 2016, German Bundestag 2015, OPCW 2018, World Anti-Doping Agency 2016, and continuous low-volume tradecraft against NATO, EU, and Eastern European government and military targets. Their toolset has pivoted across many CVEs over the years; the 2026-21510 → 2026-21513 → 2026-32202 chain is consistent with their pattern of finding the residual surface left after Microsoft patches a previously-exploited primitive.


Our adversaries index has APT28 with a long profile. The current LNK-NTLMv2 chain is consistent with their established methodology of long-running, low-volume, high-value credential harvesting against intelligence-tier targets.


## What defenders should be doing today



The mitigations for CVE-2026-32202 specifically:


  • Apply the April 14 patch immediately if you haven't (this addresses the original CVE-2026-21510 surface)

  • Apply whatever post-April-27 fix Microsoft ships for the residual — this advisory is in flux; check for updates daily for the next two weeks

  • Block outbound SMB at network egress — port 445 outbound to non-corporate destinations is the actual exfiltration channel for the NTLMv2 hash. Defenders who block outbound 445 are immune to this whole class of attack regardless of patch status

  • Disable LM and NTLMv1 entirely if not already — this doesn't fix NTLMv2 but it eliminates the easier downgrade paths

  • Enable SMB signing on all endpoints — relay attacks fail when signing is required

  • Hunt for outbound 445 traffic to unexpected destinations in the past two weeks — APT28 has been operational against this for at least that long; if you've been hit, evidence is in egress logs

  • Audit privileged accounts that may have authenticated against malicious SMB hosts — those are the candidates for full credential rotation regardless of detection
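One way to run the egress hunt from the list above, as an added example that is not part of the original post: it parses lines in the Windows Firewall text-log format (pfirewall.log), keeps outbound TCP/445 connections whose destination is outside the corporate address space, and counts them per source/destination pair. The log lines and the corporate-range list are constructed assumptions, not data from the author's pipeline.

```python
"""Hunt a Windows Firewall log (pfirewall.log format) for outbound SMB (TCP/445)
to destinations outside the corporate address space. Added example for the
CVE-2026-32202 mitigation list; the log lines below are constructed, not real."""
import ipaddress
from collections import Counter

# Assumption: corporate ranges are RFC1918; extend with the org's public ranges.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def parse_line(line: str):
    """Return (src, dst, dst_port, path) for a TCP record, None for comments/other."""
    if line.startswith("#") or not line.strip():
        return None
    f = line.split()
    # pfirewall.log fields: date time action protocol src dst sport dport ... path
    if len(f) < 17 or f[3] != "TCP":
        return None
    return f[4], f[5], int(f[7]), f[16]

def hunt_outbound_smb(log_lines):
    """Count (src -> dst) pairs for outbound TCP/445 to non-corporate hosts.
    DROP records are counted too: a blocked attempt still means a host tried."""
    hits = Counter()
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, path = rec
        if path == "SEND" and dport == 445 and not is_corporate(dst):
            hits[(src, dst)] += 1
    return hits

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-20 09:14:02 ALLOW TCP 10.1.5.23 10.1.0.10 52113 445 0 - 0 0 0 - - - SEND
2026-04-20 09:14:05 ALLOW TCP 10.1.5.23 203.0.113.45 52114 445 0 - 0 0 0 - - - SEND
2026-04-20 09:14:09 ALLOW TCP 10.1.5.23 203.0.113.45 52115 445 0 - 0 0 0 - - - SEND
2026-04-20 09:15:11 ALLOW TCP 203.0.113.45 10.1.5.23 445 52115 0 - 0 0 0 - - - RECEIVE
2026-04-20 09:16:30 ALLOW TCP 10.1.7.8 198.51.100.9 49800 443 0 - 0 0 0 - - - SEND
2026-04-20 09:17:02 DROP TCP 10.1.9.4 198.51.100.77 50001 445 0 - 0 0 0 - - - SEND
"""

if __name__ == "__main__":
    for (src, dst), n in hunt_outbound_smb(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}:445 outbound x{n}")
```

Any source host that appears in the output is a candidate for the credential-rotation audit in the last bullet, whether or not the connection was allowed.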


## The broader frame



The pattern of "vendor patches CVE-N without acknowledging exploitation, exploitation continues against residual surface, vendor patches CVE-N+1 once forced to acknowledge" is not unique to Microsoft. It is the structural cost of vendor incident-response processes that gate "exploited in the wild" tags on confirmation thresholds higher than the threat-intel reality.


CrowdStrike has the same pattern. Cisco has the same pattern. Fortinet has it badly. Adobe has it consistently. The right defender response is to treat any advisory describing a credential-theft primitive on a network-reachable surface as if it were already exploited regardless of the vendor's tag, because the cost of urgent patch-and-mitigate is bounded and the cost of a two-week silent-exploitation window is not.


## What our pipeline carries



Our iocs index has 929 documents touching CVE-2026-32202 and the related sister-CVE chain (CVE-2026-32201, CVE-2026-21510, CVE-2026-21513) including endpoint targets and infrastructure indicators tied to the APT28 chain. The github-hunt cron is searching for fresh PoC publications continuously — none flagged for 32202 specifically as of this writing, but the chain's predecessors have public PoCs that adapt cleanly.


Our STIX feed at https://analytics.dugganusa.com/api/v1/stix-feed (free tier, register for an API key) carries the APT28 actor profile and the CVE chain's infrastructure as it accumulates. Filter on actor=APT28 or on the relevant CVE IDs once you've registered.


The takeaway for defenders: do not wait for "exploited in the wild" to mean what it sounds like it means. By the time the tag flips, the actor has already had their window. Patch the residual surface as if exploitation is happening, because it usually is.
