Incomplete Windows Patch Opens Door to Zero-Click Attacks
An incomplete patch for CVE-2026-21510, a bypass of the Windows SmartScreen and Windows Shell security prompts, led to a new vulnerability (CVE-2026-32202) that enables zero-click attacks stealing credentials via automatically parsed LNK files. The new flaw was exploited by the Russia-linked APT28 group in attacks targeting Ukraine and EU countries. The initial vulnerability (CVE-2026-21510), patched in February 2026, allowed remote code execution if a user opened a malicious shortcut file. The patch was incomplete, however, and still allowed authentication coercion without any user interaction. Microsoft released fixes for the new vulnerability in April 2026. The attacks used weaponized LNK files that chained multiple vulnerabilities to bypass Windows security features and achieve remote code execution and credential theft.
AI Analysis
Technical Summary
The threat stems from an incomplete patch for CVE-2026-21510, a Windows vulnerability affecting SmartScreen and Windows Shell security prompts, which APT28 initially exploited for remote code execution via malicious shortcut files. The incomplete patch left open a new authentication coercion vulnerability, CVE-2026-32202, which allows zero-click credential theft through automatically parsed LNK files. Both vulnerabilities were exploited in a campaign against Ukraine and EU countries that abused Windows shell namespace parsing to load DLLs from remote servers without proper validation. Microsoft's April 2026 patches addressed CVE-2026-32202 and closed the zero-click attack vector. The attack chain bypassed SmartScreen verification and triggered automatic NTLM authentication handshakes, exposing Net-NTLMv2 hashes that can be relayed or cracked offline.
Potential Impact
Exploitation of these vulnerabilities enables remote code execution and credential theft without user interaction: attackers can run arbitrary code and capture authentication hashes, which in turn facilitates follow-on attacks such as NTLM relay and offline password cracking. APT28 used these vulnerabilities in targeted attacks against Ukraine and EU countries. Because the first patch was incomplete, systems remained vulnerable to zero-click attacks after it was applied, increasing the risk of stealthy compromise and credential exposure.
Mitigation Recommendations
Microsoft released official patches for CVE-2026-32202 in April 2026, addressing the incomplete patch issue and mitigating the zero-click attack vector. Systems should be updated with the April 2026 security patches to fully remediate these vulnerabilities. No additional mitigation actions are indicated beyond applying the official fixes.
Affected Countries
Ukraine, European Union
Technical Details
- Article Source: https://www.securityweek.com/incomplete-windows-patch-opens-door-to-zero-click-attacks/ (fetched 2026-04-27T13:15:05.146Z, 1156 words)
Threat ID: 69ef6159ba26a39fba26e288
Added to database: 4/27/2026, 1:15:05 PM
Last enriched: 4/27/2026, 1:15:17 PM
Last updated: 4/28/2026, 1:46:10 AM