← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-32202 · CWE-693 · Disclosed 2026-04-14

Protection mechanism failure in Windows Shell

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a pickpocket in the lobby, not a burglar at the vault

CVE-2026-32202 is a Windows Shell protection failure where a crafted LNK can make Explorer resolve a remote UNC path while rendering folder contents, triggering an outbound SMB connection and automatic NTLM authentication. In practice, that means a user can leak a Net-NTLMv2 hash just by browsing to a folder containing the malicious shortcut, without needing full execution of attacker code. Affected builds span broad Windows client and server populations, including examples in NVD such as Windows 10 1607 < 10.0.14393.9060, Windows 10 1809 < 10.0.17763.8644, Windows 10 21H2 < 10.0.19044.7184, Windows 10 22H2 < 10.0.19045.7184, Windows 11 23H2 < 10.0.22631.6936, Windows 11 24H2 < 10.0.26100.8246, Windows Server 2016 < 10.0.14393.9060, Windows Server 2019 < 10.0.17763.8644, Windows Server 2022 < 10.0.20348.5020, Windows Server 2022 23H2 < 10.0.25398.2274, and Windows Server 2025 < 10.0.26100.32690.

Microsoft's 4.3 MEDIUM score is technically defensible if you grade only the first primitive: spoofing with confidentiality impact and required user interaction. In the field, that undershoots reality because the reachable population is enormous, the interaction threshold is low enough to behave like near-zero-click in Explorer, the stolen hash is immediately useful for relay or cracking, and CISA added it to KEV on 2026-04-28, confirming real exploitation. This is not a CRITICAL worm or straight-to-RCE event, but it is absolutely patch-priority Windows hygiene for enterprise fleets.

"KEV-listed Windows credential theft at scale: not RCE, but far too operationally useful to leave in MEDIUM."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a weaponized shortcut

The attacker sends or plants a malicious LNK that references a remote UNC path for icon or object resolution. Common delivery is phishing, chat, removable media, WebDAV/SMB share placement, or a ZIP download that lands on disk. The payload does not need to launch malware immediately; it only needs Explorer to touch the shortcut metadata path.
Conditions required:
  • Attacker can place a crafted LNK where a target user may browse it
  • Target system handles the file with normal Windows Shell behavior
Where this breaks in practice:
  • Email gateways often strip or detonate shortcut-bearing archives
  • Modern awareness controls reduce direct LNK attachment success
  • Attack still needs a delivery path into the user workflow
Detection/coverage: Commodity mail security and sandboxing often catch raw LNK delivery, but detection drops when the file is staged internally, unpacked from archives, or delivered via collaboration shares.
STEP 02

Explorer renders the folder

When the victim opens the folder, Explorer renders its contents and Shell icon extraction/parsing touches the remote path before trust verification later in the chain. Akamai's analysis ties this to the incomplete patch for CVE-2026-21510, leaving the SMB/authentication coercion behavior intact even when the original RCE path was blocked.
Conditions required:
  • User browses to the folder or location containing the LNK
  • Explorer preview/rendering is allowed
Where this breaks in practice:
  • The user still has to reach the folder view, so this is not wormable internet spray-and-pray
  • Some hardened environments suppress preview behavior or restrict shortcut handling
Detection/coverage: EDR can sometimes correlate explorer.exe or shell32.dll activity with immediate outbound SMB/WebDAV connections, but many scanners only infer exposure from patch level rather than runtime behavior.
STEP 03

Windows performs outbound authentication

Resolving the UNC path initiates an SMB connection to attacker infrastructure, which triggers an automatic NTLM authentication handshake. The attacker captures the victim's Net-NTLMv2 hash without needing local code execution on the endpoint.
Conditions required:
  • Outbound SMB or equivalent path to attacker-controlled infrastructure is possible
  • NTLM authentication is still enabled in the environment
Where this breaks in practice:
  • Perimeter egress controls that block outbound SMB materially blunt this step
  • SMB signing, NTLM restrictions, and network segmentation reduce follow-on value
  • Attackers need reachable infrastructure and successful network egress
Detection/coverage: Network telemetry is your friend here: outbound 445/TCP from user workstations to internet or untrusted zones is high-signal. Many EDR products also flag unexpected SMB sessions initiated by explorer.exe.
STEP 04

Relay or crack the hash

Captured Net-NTLMv2 can be relayed to other internal services or cracked offline, depending on protocol protections and password quality. This is the point where a 'spoofing' bug turns into credential abuse, lateral movement, and privilege expansion.
Conditions required:
  • Usable relay targets exist or password cracking succeeds
  • Internal services accept NTLM-based authentication paths
Where this breaks in practice:
  • SMB signing, EPA, Kerberos preference, and service hardening can break relay
  • Long random passwords or protected admin tiers reduce post-capture value
  • This step often implies the attacker already has network adjacency or a second foothold
Detection/coverage: Identity telemetry, NTLM audit logs, anomalous authentication chains, and lateral movement analytics are better detectors here than simple vuln scanning.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusConfirmed exploited. NVD records CISA KEV status with Date Added: 2026-04-28 and Due Date: 2026-05-12, which is the strongest practical signal that this is not hypothetical.
KEV statusYes. CISA lists it as Microsoft Windows Protection Mechanism Failure Vulnerability; KEV is the main reason this cannot be treated like an ordinary medium.
Proof-of-concept / tradecraftAkamai published root-cause analysis and exploit mechanics; Vicarius published detection and mitigation scripts; third-party aggregators report public GitHub PoCs. Treat weaponization as available enough for defenders' purposes.
EPSS0.56822 from the provided intel block. FIRST documents EPSS as a daily exploitation-probability estimate; in this case active exploitation evidence should supersede EPSS rather than compete with it.
CVSS vector, interpretedCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N means remote, no privileges, but user interaction required and only direct confidentiality loss. The miss is that Explorer folder rendering makes the interaction bar much lower than the word *execute* suggests.
Affected versionsBroad Windows footprint. Examples from NVD/UpGuard include Windows 10 1607/1809/21H2/22H2, Windows 11 23H2/24H2, and Windows Server 2016/2019/2022/2022 23H2/2025, plus Windows Server 2012/2012 R2 entries in the CPE set.
Fixed versionsRepresentative fixed-or-later builds include Windows 10 22H2 10.0.19045.7184, Windows 11 23H2 10.0.22631.6936, Windows 11 24H2 10.0.26100.8246, Windows Server 2022 10.0.20348.5020, Windows Server 2022 23H2 10.0.25398.2274, and Windows Server 2025 10.0.26100.32690.
Scanning / exposure realityThis is not a Shodan/Censys-style exposed service bug. Internet census data is the wrong lens; exposure is driven by user endpoints, file delivery paths, outbound SMB reachability, and continued NTLM use.
Disclosure timelineDisclosed by Microsoft on 2026-04-14; Akamai published the incomplete-patch analysis on 2026-04-23; KEV addition landed on 2026-04-28.
Researcher / reporting orgRoot-cause analysis and public technical details were published by Maor Dahan of Akamai.
04 · The Call

noisgate verdict.

Final Verdict
UPGRADED to HIGH (8.1/10)

The decisive amplifier is confirmed active exploitation against an extremely common platform, combined with a very low interaction threshold that can trigger on normal Explorer browsing. The decisive brake is that the bug usually needs a delivery step plus outbound authentication and then a second-stage credential-abuse path; it is dangerous, but it is not direct unauthenticated RCE.

HIGH Active exploitation / KEV status
HIGH Technical behavior of the Shell-to-SMB hash leak path
MEDIUM Typical post-capture blast radius across varied enterprise NTLM hardening levels

Why this verdict

  • Up from vendor MEDIUM because KEV beats CVSS. Once CISA adds a Windows client/server bug to KEV, the scoring conversation changes from *could this be abused?* to *attackers are already using it*.
  • Huge reachable population. This rides Windows Explorer behavior on ordinary endpoints and servers, not some niche role or rare optional feature; that keeps the baseline high.
  • Near-zero-click user interaction. The CVSS UI:R tag is technically true, but browsing a folder is much weaker friction than opening a macro or authenticating to an admin panel.
  • Impact compounds through NTLM ecosystems. The first-stage bug leaks a hash, but relay/crack paths can turn that into lateral movement and privilege gain in real enterprise networks.
  • Not CRITICAL because the chain has real brakes. Delivery still matters, outbound SMB can be blocked, NTLM relay protections can kill follow-on abuse, and the primitive is not straight-to-code-execution.

Why not higher?

This is not a wormable service exploit, not pre-auth RCE against an exposed daemon, and not guaranteed domain compromise from a single packet. The attacker usually needs a file-delivery stage, the victim to hit the folder, outbound auth to succeed, and then a workable relay or cracking path. Those are meaningful friction points even in messy enterprises.

Why not lower?

Dropping this to MEDIUM or LOW would ignore the strongest empirical signal available: it is KEV-listed and actively exploited. Also, the combination of ubiquity, easy trigger conditions, and credential-abuse follow-on makes this far more operationally useful than the vendor's confidentiality-only CVSS framing suggests.

05 · Compensating Control

What to do — in priority order.

  1. Block outbound SMB now — Deny TCP/445 and related outbound SMB/WebDAV paths from user workstations and general-purpose servers to untrusted networks immediately, within hours because active exploitation is confirmed. This directly cuts the authentication-coercion step that makes the bug valuable while patch rollout catches up.
  2. Constrain NTLM and relay paths — Tighten NTLM usage, require SMB signing where feasible, and prioritize relay-resistant service configs immediately, within hours in exposed user tiers and admin enclaves. Even if a hash leaks, you want the follow-on abuse path to fail.
  3. Hunt for Explorer-initiated auth — Use EDR, proxy, firewall, and Windows log telemetry to flag explorer.exe-adjacent outbound SMB or suspicious authentication to unusual hosts immediately, within hours while exploitation is active. This is one of the few detections with decent signal for attempted use.
  4. Filter shortcut delivery — Block or quarantine suspicious LNK files and archives containing shortcuts at email, web, and collaboration ingress points immediately, within hours. Delivery is still a real prerequisite, so killing the file path buys time.
What doesn't work
  • A WAF does nothing here because this is not an HTTP request/response bug against a web app.
  • MFA alone does not stop NTLM hash capture or relay on protocols and services that still accept the relayed auth path.
  • Relying on SmartScreen only is not enough; the whole point of the Akamai writeup is that the dangerous authentication happens earlier in the Shell chain than the trust check that fixed the original RCE path.
  • Internet exposure inventories are low value here because the issue lives on endpoints and file workflows, not on a cleanly enumerable public service.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your endpoint management tool. Invoke as powershell -ExecutionPolicy Bypass -File .\Test-CVE-2026-32202.ps1; standard user rights are usually enough because it only reads OS version data, but remote collection via your EDR/RMM may need its normal agent privileges.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
# Test-CVE-2026-32202.ps1

# Checks local Windows build against known fixed build thresholds for CVE-2026-32202.

# Outputs: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=ERROR


$ErrorActionPreference = 'Stop'

function Get-BuildNumber {
    param([string]$VersionString)
    if (-not $VersionString) { return $null }
    $parts = $VersionString.Split('.')
    if ($parts.Count -lt 4) { return $null }
    return [int]$parts[3]
}

try {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $productName   = [string]$cv.ProductName
    $displayVersion = [string]$cv.DisplayVersion
    $releaseId     = [string]$cv.ReleaseId
    $currentBuild  = [string]$cv.CurrentBuild
    $ubr           = [int]$cv.UBR
    $buildLabEx    = [string]$cv.BuildLabEx
    $currentVersion = "10.0.$currentBuild.$ubr"

    # Mapping of known minimum fixed builds from public references.

    # Keys are major build numbers.

    $fixedByMajorBuild = @{
        '14393' = 9060   # Windows 10 1607 / Server 2016

        '17763' = 8644   # Windows 10 1809 / Server 2019

        '19044' = 7184   # Windows 10 21H2

        '19045' = 7184   # Windows 10 22H2

        '20348' = 5020   # Windows Server 2022

        '22631' = 6936   # Windows 11 23H2

        '25398' = 2274   # Windows Server 2022 23H2

        '26100' = 8246   # Windows 11 24H2 (Server 2025 uses same major build but higher fixed UBR below)

        '26200' = 8246   # Windows 11 25H2

        '28000' = 1836   # Windows 11 26H1

    }

    Write-Host "ProductName: $productName"
    if ($displayVersion) { Write-Host "DisplayVersion: $displayVersion" }
    elseif ($releaseId) { Write-Host "ReleaseId: $releaseId" }
    Write-Host "CurrentVersion: $currentVersion"
    if ($buildLabEx) { Write-Host "BuildLabEx: $buildLabEx" }

    # Special handling for Server 2025, which shares major build 26100 but has a different fixed UBR threshold in public references.

    if ($productName -match 'Server 2025') {
        if ([int]$currentBuild -ne 26100) {
            Write-Host 'UNKNOWN - Product claims Server 2025 but build is unexpected.'
            exit 2
        }
        if ($ubr -ge 32690) {
            Write-Host 'PATCHED'
            exit 0
        } else {
            Write-Host 'VULNERABLE'
            exit 1
        }
    }

    # Server 2012 / 2012 R2 are present in affected CPE data, but the retrieved public corpus here did not expose a fixed build threshold.

    if ($productName -match 'Server 2012') {
        Write-Host 'UNKNOWN - Windows Server 2012/2012 R2 appears in affected data, but no fixed build threshold was available in the retrieved source set.'
        exit 2
    }

    if (-not $fixedByMajorBuild.ContainsKey($currentBuild)) {
        Write-Host 'UNKNOWN - This Windows build is not in the current script mapping.'
        exit 2
    }

    $requiredUbr = [int]$fixedByMajorBuild[$currentBuild]

    if ($ubr -ge $requiredUbr) {
        Write-Host 'PATCHED'
        exit 0
    } else {
        Write-Host 'VULNERABLE'
        exit 1
    }
}
catch {
    Write-Host ('ERROR - ' + $_.Exception.Message)
    exit 3
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a HIGH with active exploitation override: use the noisgate mitigation SLA exception and patch / mitigate immediately, within hours by blocking outbound SMB from user endpoints and general-purpose servers, filtering LNK delivery, and hunting for Explorer-driven SMB auth. Then finish actual Windows patch deployment on all affected builds as the durable fix; the outer noisgate remediation SLA for HIGH is <= 180 days, but for a KEV-listed Windows endpoint issue that deadline is administrative only — your real target is to complete the broad fleet rollout in days, starting with internet-exposed users, privileged workstations, jump hosts, and any segment still leaning on NTLM.

Sources

  1. NVD CVE-2026-32202
  2. Microsoft Security Update Guide advisory
  3. Akamai root-cause analysis by Maor Dahan
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS overview
  6. FIRST EPSS API documentation
  7. Help Net Security coverage of active exploitation
  8. UpGuard affected/fixed build summary
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.