Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Key Points:

• CVE-2026-32202 is a high-severity spoofing vulnerability in Windows Shell that is actively being exploited, allowing unauthorized access to sensitive information.
• The vulnerability affects Windows systems, enabling attackers to exploit it via malicious files executed by victims, leading to potential credential theft through NTLM authentication over SMB connections.
• Immediate patching is recommended for all affected systems, along with monitoring for unusual SMB traffic and implementing network segmentation to limit exposure.

Technical Details: CVE-2026-32202 has a CVSS score of 4.3 and allows attackers to perform spoofing without user interaction. It stems from an incomplete patch for CVE-2026-21510, which was previously weaponized by the APT28 group.

MITRE ATT&CK Techniques:

• T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
• T1087.001 - Account Discovery: Local Account (Credential Access)
• T1557.001 - Credential Dumping: NTLM (Credential Access)

IOCs Mentioned:

• UNC path: '\attacker.com\share\payload.cpl'