MCNC ASM – (Critical) Active Exploitation of Windows Shell Zero-Day (CVE-2026-32202)

Date of Notice: 04/30/2026
Action Level - Critical
Description
Microsoft and CISA have confirmed the active exploitation of CVE-2026-32202, a zero-click authentication bypass vulnerability within Windows Shell. This flaw allows unauthorized attackers to perform spoofing attacks and coerce NTLM authentication, leading to hash leakage. We strongly urge all administrators to immediately apply the relevant Microsoft security updates.
Affected Devices
All supported versions of Windows 10, Windows 11, and Windows Server.
*For CrowdStrike customers: click this link to see the status of Windows devices within your environment.*
Attack Vector
The vulnerability is exploited over the network without requiring user execution. An attacker crafts a malicious Windows Shortcut (LNK) file; when the victim opens the directory containing this file, Windows Explorer automatically attempts to resolve the path. This triggers an outbound SMB connection to an attacker-controlled server, initiating an NTLM authentication handshake that leaks the victim's Net-NTLMv2 hash for potential relay attacks or offline cracking.
Attack Feasibility
This vulnerability is actively being exploited in the wild. The attack complexity is low and requires no elevated privileges or authentication. Because it is a zero-click exploit, the victim does not even need to open the malicious file for the attack to succeed.
Mitigations
If immediate patching is not possible, block outbound SMB traffic at your network perimeter to prevent NTLM coercion attacks from reaching external malicious servers. Additionally, implement robust network segmentation to limit the exposure of vulnerable systems.
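As an added example that is not part of this advisory, the following Python check reviews perimeter or host firewall flow records for outbound SMB (TCP 445) to destinations outside the assumed internal ranges, which is exactly the traffic the block rule above is meant to stop; the log format, hostnames, addresses and the internal-network list are constructed assumptions for illustration.

```python
import ipaddress

# Assumed internal address space (adjust to your environment); any other
# destination is treated as external, i.e. a possible attacker-controlled SMB server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORT = 445
# Constructed flow-log lines (not from the advisory), one flow per line:
# timestamp  source-host  dst-ip  dst-port  proto  action
SAMPLE_FLOWS = """\
2026-04-30T09:12:01Z ws-0142   10.20.5.7     445 TCP ALLOW
2026-04-30T09:12:04Z ws-0142   203.0.113.25  445 TCP ALLOW
2026-04-30T09:12:09Z srv-files 192.168.1.30  445 TCP ALLOW
2026-04-30T09:13:44Z ws-0077   198.51.100.9  445 TCP DENY
2026-04-30T09:14:02Z ws-0077   203.0.113.25  443 TCP ALLOW
"""

def is_external(ip: str) -> bool:
    """True when the destination lies outside every assumed internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> dict:
    ts, host, dst, port, proto, action = line.split()
    return {"ts": ts, "host": host, "dst": dst, "port": int(port),
            "proto": proto, "action": action}

def find_external_smb(log_text: str) -> list:
    """Outbound TCP/445 flows to external destinations. DENY rows are kept:
    a blocked attempt still shows a host tried to reach an outside SMB server."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] == "TCP" and flow["port"] == SMB_PORT and is_external(flow["dst"]):
            hits.append(flow)
    return hits

def summarize(hits: list) -> dict:
    """Map each source host to the sorted external SMB destinations it contacted."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["dst"])
    return {host: sorted(dsts) for host, dsts in by_host.items()}

if __name__ == "__main__":
    for flow in find_external_smb(SAMPLE_FLOWS):
        print(f"{flow['ts']} {flow['host']} -> {flow['dst']}:{flow['port']} ({flow['action']})")
```

Hosts that show up here are the ones to check for the planted LNK file and for the presence of the April patch; a DENY row confirms the perimeter rule is doing its job but still points at a host worth investigating.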
Remediations
Apply the Microsoft security updates issued during the April 14, 2026 Patch Tuesday that specifically address CVE-2026-32202.
Reference Links