An incomplete patch for a Windows SmartScreen and Windows Shell security prompts bypass created a new bug enabling zero-click attacks, Akamai reports.
The initial vulnerability, tracked as CVE-2026-21510 and patched in February, could be exploited for remote code execution (RCE) if the attacker could convince the victim to open a malicious shortcut file.
Microsoft warned at the time that the flaw had been exploited as a zero-day, without providing details on the observed attacks.
Now, Akamai says Russia-linked APT28, also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy, exploited CVE-2026-21510 in attacks that also targeted CVE-2026-21513, a security feature bypass in the MSHTML framework that was patched in February as well.
“An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system,” Microsoft explains in its advisory.
Akamai attributed CVE-2026-21513’s exploitation to APT28 in late February, but did not mention CVE-2026-21510, because it had previously discovered the incomplete patch.
The lack of proper patching, it says, resulted in a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials via auto-parsed LNK files.
“We then found an incomplete patch and disclosed it to Microsoft. The new vulnerability, CVE-2026-32202, caused the victim to authenticate to the attacker’s server without user interaction (zero click),” Akamai says.
Microsoft released fixes for CVE-2026-32202 as part of the April 2026 patches. Its advisory flags the security defect as exploited, but does not detail the observed attacks.
According to Akamai, these vulnerabilities were likely exploited by APT28 in December 2025, in attacks against Ukraine and European Union countries.
As part of the campaign, the APT used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows’ security features and achieve remote code execution (RCE).
“APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) items without proper network zone validation,” Akamai explains.
Analysis of the patches rolled out in February revealed that, while the RCE path was mitigated by enforcing SmartScreen verification of the file’s digital signature and origin zone, “the victim machine was still authenticating to the attacker’s server.”
The issue, Akamai says, is that the trust verification fires during a call at the end of the launch chain, missing an earlier stage in the chain.
When rendering the contents of the folder containing the malicious LNK file, Windows Explorer asks shell32 to fetch an icon from a UNC path, triggering a server message block (SMB) connection to the attackers’ server without user interaction.
The “connection triggers an automatic NTLM authentication handshake, sending the victim’s Net-NTLMv2 hash to the attacker, which can later be used for NTLM relay attacks and offline cracking,” Akamai notes.
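The icon-fetch behaviour described above suggests a simple triage check defenders can run over shortcut files at rest: parse the Shell Link structure and flag any location field (icon location, working directory, relative path, arguments, or the network share recorded in LinkInfo) that points at another host, since those are the values that make Explorer reach out over SMB. The following script is an added example, not code from Akamai or Microsoft. The field layout follows the public MS-SHLLINK specification; the `constructed_fixture` helper builds a minimal, non-functional test input (a header plus an icon string, no target), and the host name used in the test is a placeholder.

```python
"""Flag .lnk files whose icon or target location points at a remote (UNC) host.

Added example, not Akamai's or Microsoft's code. Field offsets follow MS-SHLLINK;
constructed_fixture() is a test input only and does not produce a usable shortcut.
"""
import struct
import sys
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}

# ShellLinkHeader.LinkFlags (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# LinkInfo.LinkInfoFlags bit and the two ExtraData blocks that carry a path
COMMON_NETWORK_RELATIVE_LINK = 0x02
ENVIRONMENT_VARIABLE_BLOCK, ICON_ENVIRONMENT_BLOCK = 0xA0000001, 0xA0000007


def _cstr(buf: bytes, start: int, utf16: bool = False) -> str:
    """Read a NUL-terminated string starting at buf[start]."""
    if utf16:
        end = start
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[start:end].decode("utf-16-le", errors="replace")
    end = buf.find(b"\x00", start)
    return buf[start:end if end >= 0 else len(buf)].decode("cp1252", errors="replace")


def parse_lnk(data: bytes) -> dict:
    """Return the location-bearing fields of a Shell Link file as {field: value}."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    fields, pos = {}, LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # 2-byte IDListSize, then opaque item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # a target on a share is recorded here
        li_size, _hdr, li_flags, _vol, _local, cnrl_off, _suffix = struct.unpack_from("<7I", data, pos)
        if li_flags & COMMON_NETWORK_RELATIVE_LINK:
            cnrl = pos + cnrl_off                # CommonNetworkRelativeLink: size, flags, NetNameOffset, ...
            net_name_off = struct.unpack_from("<I", data, cnrl + 8)[0]
            fields["link_info_net_name"] = _cstr(data, cnrl + net_name_off)
        pos += li_size
    utf16 = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                          # StringData: 2-byte char count, then the chars
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if utf16 else 1
            fields[key] = data[pos:pos + n * width].decode("utf-16-le" if utf16 else "cp1252",
                                                            errors="replace")
            pos += n * width
    while pos + 8 <= len(data):                  # ExtraData blocks until a BlockSize < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig in (ENVIRONMENT_VARIABLE_BLOCK, ICON_ENVIRONMENT_BLOCK):
            key = "icon_env_target" if sig == ICON_ENVIRONMENT_BLOCK else "env_target"
            # TargetAnsi[260] at +8, TargetUnicode[520] at +268; prefer the Unicode copy
            fields[key] = _cstr(data, pos + 8 + 260, utf16=True) or _cstr(data, pos + 8)
        pos += size
    return fields


def is_remote_path(value: str) -> bool:
    """True for UNC-style references that make Windows contact another host."""
    v = value.strip().strip('"')
    low = v.lower()
    if low.startswith("\\\\?\\unc\\"):
        return True
    if low.startswith(("\\\\.\\", "\\\\?\\")):   # local device / long-path prefixes
        return False
    return v.startswith("\\\\") or v.startswith("//")


def remote_references(data: bytes) -> list:
    """(field, value) pairs of an LNK whose value points at another host."""
    return [(k, v) for k, v in parse_lnk(data).items() if is_remote_path(v)]


def constructed_fixture(icon_location: str) -> bytes:
    """Constructed test input: a ShellLinkHeader, one ICON_LOCATION string and a
    terminal ExtraData block. No target, so not a usable shortcut."""
    header = struct.pack("<I16sIIqqqIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_ICON_LOCATION | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    icon = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + icon + struct.pack("<I", 0)


def scan(paths) -> dict:
    """Scan files on disk; return {path: hits} for every LNK referencing a remote host."""
    findings = {}
    for p in paths:
        try:
            hits = remote_references(Path(p).read_bytes())
        except (ValueError, struct.error):
            continue                             # not a parseable Shell Link, skip it
        if hits:
            findings[str(p)] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan(sys.argv[1:]).items():
        for field, value in hits:
            print(f"{path}: {field} -> {value}")
```

Run it over a mail quarantine or download folder (`python lnk_scan.py *.lnk`, with the file name being hypothetical) and review every hit by hand: a shortcut that legitimately lives on a corporate share will also be flagged, so the check is a triage filter, not a verdict. It complements rather than replaces the April update; blocking outbound SMB (TCP 445) at the network boundary and restricting outgoing NTLM authentication to remote servers limit what a shortcut that slips through can leak.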