About:
CVE-2026-32202 is a spoofing vulnerability in the Windows Shell caused by a protection mechanism failure.
An attacker can exploit this flaw by leveraging crafted files or paths that trigger unintended Windows Shell behavior. Successful exploitation may result in spoofing attacks that expose sensitive authentication data.
Public reporting indicates this vulnerability may be related to incomplete remediation of prior UNC path handling issues. This behavior can cause systems to initiate outbound SMB connections, potentially leaking Net-NTLMv2 hashes. Attackers may use this information for credential capture, relay attacks, or credential reuse within the environment.
This vulnerability is actively exploited in the wild.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Windows Shell Spoofing Vulnerability
Identifier: CVE-2026-32202
CVSS Score: 4.3 (Medium, CVSS v3.1)
PoC or Exploitation:
This vulnerability is actively exploited in the wild.
Update/ Patch:
Microsoft has released a fix for this vulnerability as part of the April 2026 security updates.
Affected versions include:
Microsoft Windows systems containing the vulnerable Windows Shell component
Fixed versions include:
Systems updated with the April 2026 cumulative security updates
Microsoft advisory and patch guidance:
Description:
CVE-2026-32202 is a spoofing vulnerability in Windows Shell caused by a protection mechanism failure.
An attacker can exploit this vulnerability over a network by leveraging crafted files or paths that trigger Windows Shell behavior. Successful exploitation may result in spoofing attacks that can expose sensitive authentication data.
Public reporting indicates this vulnerability may be related to incomplete remediation of a prior issue involving UNC path handling, where Windows could initiate outbound SMB connections and leak Net-NTLMv2 hashes. This behavior may allow attackers to capture authentication material and potentially use it for further attacks such as relay or credential reuse.
Mitigation Recommendation:
Immediately apply the April 2026 Windows security updates.
Restrict outbound SMB traffic to untrusted networks where possible.
Monitor for abnormal outbound SMB connections and potential credential leakage.
Educate users to avoid interacting with untrusted files or network paths.
Use network and endpoint monitoring tools to detect suspicious authentication attempts or relay activity.