SecurityWeek reports that an incomplete patch for a bypass of Windows SmartScreen and Windows Shell security prompts opened the door to zero-click attacks. Researchers traced the issue to CVE-2026-21510, which was patched in February and could enable remote code execution if a user opened a malicious shortcut file.
According to Akamai, the incomplete patch also produced a new vulnerability, CVE-2026-32202, an authentication coercion flaw that can be exploited without user interaction to steal credentials via auto-parsed LNK files. Microsoft released fixes for it as part of the April 2026 patches. The initial flaw and related CVEs were linked to Russia-linked APT28, also known as Fancy Bear, Forest Blizzard, GruesomeLarch, and Sofacy, with Akamai attributing CVE-2026-21513 exploitation to the group in late February.
The campaign reportedly used weaponised LNK files chaining CVE-2026-21513 and CVE-2026-21510 to bypass Windows security features and achieve remote code execution, even though SmartScreen verification was enforced for the file’s digital signature and origin zone. In addition, exploitation involved the victim authenticating to the attacker’s server via an SMB/UNC-triggered NTLM handshake, enabling potential NTLM relay attacks and offline cracking.
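
For defenders triaging shortcut files, the sketch below flags LNK files that embed UNC paths to hosts outside a trusted list, since resolving such a path is what starts the SMB/NTLM handshake described above. It is an added example, not code from SecurityWeek, Akamai or Microsoft, and it is a generic string heuristic rather than a signature for CVE-2026-32202, whose file layout the report does not give. The function names, the trusted suffix and the sample bytes are constructed for illustration.

```python
import re
import struct

# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# \\host\path stored as ANSI bytes or as UTF-16LE (each char followed by NUL).
UNC_ANSI = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\([\x20-\x7e]+)")
UNC_UTF16 = re.compile(
    rb"(?:\\\x00){2}((?:[A-Za-z0-9._-]\x00)+)\\\x00((?:[\x20-\x7e]\x00)+)")

def is_shell_link(data):
    """True if the buffer starts with a valid .lnk header."""
    return (len(data) >= 0x4C
            and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and data[4:20] == LNK_CLSID)

def unc_targets(data):
    """Return sorted (host, path) pairs for every UNC string in the buffer."""
    found = set()
    for m in UNC_ANSI.finditer(data):
        found.add((m.group(1).decode("ascii").lower(),
                   m.group(2).decode("ascii")))
    for m in UNC_UTF16.finditer(data):
        found.add((m.group(1).decode("utf-16-le").lower(),
                   m.group(2).decode("utf-16-le")))
    return sorted(found)

def untrusted_hosts(data, trusted_suffixes):
    """Hosts referenced by a .lnk that are not under a trusted DNS suffix."""
    if not is_shell_link(data):
        return []
    return sorted({
        host for host, _ in unc_targets(data)
        if not any(host == s or host.endswith("." + s)
                   for s in trusted_suffixes)
    })

# Constructed sample: valid header plus one internal and one external UNC path.
SAMPLE = (
    (struct.pack("<I", 0x4C) + LNK_CLSID).ljust(0x4C, b"\x00")
    + "\\\\files.corp.example\\share\\doc.docx".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\203.0.113.10\\x\\icon.ico\x00"
)

if __name__ == "__main__":
    for host in untrusted_hosts(SAMPLE, ["corp.example"]):
        print("LNK references untrusted SMB host:", host)
```

A hit is a lead for review, not a verdict; pairing it with egress filtering of outbound SMB limits what a coerced handshake can reach.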