    Incomplete Windows Patch Opens Door to Zero-Click Attacks

    By admin, April 27, 2026

    An incomplete patch for a bypass of Windows SmartScreen and Windows Shell security prompts created a new bug enabling zero-click attacks, Akamai reports.

    The initial vulnerability, tracked as CVE-2026-21510 and patched in February, could be exploited for remote code execution (RCE) if the attacker could convince the victim to open a malicious shortcut file.

    Microsoft warned at the time that the flaw had been exploited as a zero-day, without providing details on the observed attacks.

    Now, Akamai says Russia-linked APT28, also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy, exploited CVE-2026-21510 in attacks that also targeted CVE-2026-21513, a security feature bypass in the MSHTML framework patched in February as well.

    “An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system,” Microsoft explains in its advisory.

    Akamai attributed CVE-2026-21513’s exploitation to APT28 in late February, but did not mention CVE-2026-21510, because it had previously discovered the incomplete patch.

    The lack of proper patching, it says, resulted in a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials via auto-parsed LNK files.

    “We then found an incomplete patch and disclosed it to Microsoft. The new vulnerability, CVE-2026-32202, caused the victim to authenticate the attacker’s server without user interaction (zero click),” Akamai says.

    Microsoft released fixes for CVE-2026-32202 as part of the April 2026 patches. Its advisory flags the security defect as exploited, but does not detail the observed attacks.

    According to Akamai, these vulnerabilities were likely exploited by APT28 in December 2025, in attacks against Ukraine and European Union countries.

    As part of the campaign, the APT used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows’ security features and achieve remote code execution (RCE).

    “APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation,” Akamai explains.

    Analysis of the patches rolled out in February revealed that, while the RCE path was mitigated by enforcing SmartScreen verification of the file’s digital signature and origin zone, “the victim machine was still authenticating to the attacker’s server.”

    The issue, Akamai says, is that the trust verification would fire during a call at the end of the launch chain, missing an earlier stage in the chain.

    When rendering the contents of the folder containing the malicious LNK file, Windows Explorer asks shell32 to fetch an icon from a UNC path, triggering a Server Message Block (SMB) connection to the attackers’ server without user interaction.

    The “connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking,” Akamai notes.
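
    A triage check for the icon fetch described above, as an added example that is not code from Akamai, Microsoft or the original article: it parses the shell link header and StringData (per the MS-SHLLINK layout) and reports an icon path that starts with `\\`. It assumes the path sits in the ICON_LOCATION string, since the article does not say which LNK field the campaign used; `make_sample` and its inputs are constructed test data.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [  # StringData fields, in on-disk order
    (0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
    (0x20, "arguments"), (0x40, "icon_location"),
]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link as {name: text}."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                      # fixed header size
    if flags & HAS_ID_LIST:       # 2-byte size, then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # 4-byte size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for bit, name in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # length in characters
        raw = data[pos + 2: pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += 2 + count * width
    return out


def remote_icon(data: bytes):
    """Return the icon path if it is a UNC path, else None.

    Assumption: only the ICON_LOCATION string is checked, not ExtraData blocks.
    """
    icon = parse_lnk_strings(data).get("icon_location", "")
    return icon if icon.startswith("\\\\") else None


def make_sample(icon: str) -> bytes:
    """Constructed test input: bare header plus a Unicode ICON_LOCATION."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x40 | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

    Calling `remote_icon(open(path, "rb").read())` on shortcuts from mail attachments or download folders marks those whose icon lives on a remote share, which is worth reviewing alongside egress rules for outbound SMB.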
