Incomplete Windows Patch Opens Door to Zero-Click Attacks

Incomplete patch for a Windows SmartScreen and Windows Shell security prompts bypass created a new bug enabling zero-click attacks, Akamai reports. The initial vulnerability, tracked as CVE-2026-21510 and patched in February, could be exploited for remote code execution (RCE) if the attacker could convince the victim to open a malicious shortcut file. Microsoft warned at the time that the flaw had been exploited as a zero-day, without providing details on the observed attacks. Now, Akamai says Russia-linked APT28, also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy, exploited CVE-2026-21510 in attacks that also targeted CVE-2026-21513, a security feature bypass in the MSHTML framework patched in February as well. “An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system,” Microsoft explains in its advisory. Akamai attributed CVE-2026-21513’s exploitation to APT28 in late February, but did not mention CVE-2026-21510, because it had previously discovered the incomplete patch. The lack of proper patching, it says, resulted in a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials via auto-parsed LNK files. “We then found an incomplete patch and disclosed it to Microsoft. The new vulnerability, CVE-2026-32202, caused the victim to authenticate the attacker’s server without user interaction (zero click),” Akamai says. Microsoft released fixes for CVE-2026-32202 as part of the April 2026 patches. Its advisory flags the security defect as exploited, but does not detail the observed attacks. According to Akamai, these vulnerabilities were likely exploited by APT28 in December 2025, in attacks against Ukraine and European Union countries. As part of the campaign, the APT used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows’ security features and achieve remote code execution (RCE). “APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation,” Akamai explains. Analysis of the patches rolled out in February revealed that, while the RCE path was mitigated by enforcing SmartScreen verification of the file’s digital signature and origin zone, “the victim machine was still authenticating to the attacker’s server.” The issue, Akamai says, is that the trust verification would fire during a call at the end of the launch chain, missing an earlier stage in the chain. When rendering the contents of the folder containing the malicious LNK file, Windows Explorer asks shell32 to fetch an icon from an UNC path, triggering a server message block (SMB) connection to the attackers’ server without user interaction. The “connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking,” Akamai notes. Related: Russia’s APT28 Targeting Energy Research, Defense Collaboration Entities Related: Organizations Warned of Exploited Windows, Adobe Acrobat Vulnerabilities Related: Most Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief Says Related: Sweden Blames Pro-Russian Group for Cyberattack Last Year on Its Energy Infrastructure WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions US Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ Backdoor Bitwarden NPM Package Hit in Supply Chain Attack Cloudsmith Raises $72 Million in Series C Funding Rilian Raises $17.5 Million for AI-Native Security Orchestration Luxury Cosmetics Giant Rituals Discloses Data Breach Apple Patches iOS Flaw Allowing Recovery of Deleted Chats Recent Microsoft Defender Vulnerability Exploited as Zero-Day Latest News OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years Malicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: Google Energy and Water Management Firm Itron Hacked UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access US Launches Sweeping Crackdown on Southeast Asia Cyberscams and Sanctions Cambodian Senator Firefox Vulnerability Allows Tor User Fingerprinting China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Neill Feather has been named Chief Executive Officer at Point Wild. Oasis Security has appointed Michael DeCesare as President. Sterling Wilson has joined IGEL as Global Field CTO, Business Continuity and Disaster Recovery. More People On The Move Expert Insights Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Flipboard Reddit Whatsapp Email