Zero‑Click NTLMv2 Hash Capture Vulnerability in Windows Shell (CVE‑2026‑32202)
What Happened – A spoofing flaw in Windows Shell (File Explorer) lets an attacker deliver a malicious .lnk shortcut that automatically triggers an SMB request to the attacker’s server, leaking the victim’s Net‑NTLMv2 hash without any user interaction. The vulnerability is tracked as CVE‑2026‑32202 and was patched in Microsoft’s April 2026 Patch Tuesday (KB2026‑04214).
Why It Matters for TPRM –
- Credential hashes can be harvested en‑masse, enabling “pass‑the‑hash” attacks against downstream services.
- The exploit works on any Windows 10/11 or Server version that users may still be running, expanding the attack surface across most enterprise environments.
- Third‑party vendors that host Windows‑based workloads (e.g., MSPs, SaaS providers) could be compromised indirectly through this zero‑click vector.
Who Is Affected – All organizations that run Windows 10 (21H2‑22H2), Windows 11 (23H2‑26H1), or Windows Server 2019/2022/2025, regardless of industry.
Recommended Actions –
- Verify that the April 2026 security update (KB2026‑04214) is deployed on all Windows endpoints and servers.
- Conduct an inventory of any legacy systems that cannot be patched and consider isolation or upgrade.
- Deploy network‑level SMB inspection or block outbound SMB traffic to untrusted networks.
- Review credential‑handling policies; enforce multi‑factor authentication for privileged accounts to mitigate hash‑replay risk.
Technical Notes – The exploit crafts a shortcut (.lnk) containing a UNC path (\\ATTACKER_IP\share\payload.dll). When the containing folder is opened, Windows automatically initiates an SMB2 authentication request, leaking the Net‑NTLMv2 hash. CVSS 4.3 (Medium); attack vector = Network (SMB); privileges required = None; user interaction = None (zero‑click). Source: Exploit‑DB 52601