Microsoft patches actively exploited Windows flaw left open by a previous patch

Patching Patch Tuesday again

Microsoft has fixed an actively exploited flaw in Windows that arose from an incomplete patch released in the company’s February 2026 Patch Tuesday update.

CVE-2026-32202 is a zero-click authentication coercion flaw in the Windows Shell. It arose after a patch for a previous vulnerability - CVE-2026-21510 - which allows attackers to bypass security controls such as SmartScreen and Mark‑of‑the‑Web checks - caused a new vulnerability. The patch failed to address a flaw in how Windows Explorer handles malicious files, allowing credential theft via auto-parsed LNK files.

CVE-2026-21510 was exploited by Russian state-sponsored group APT28 aka Fancy Bear against targets in Ukraine and Europe.

The new vulnerability, CVE-2026-32202, is a Windows Shell authentication coercion vulnerability that allows an attacker to trick Windows into authenticating automatically to a malicious server. It’s a “zero-click” flaw meaning no user interaction is required; simply navigating to a folder containing a malicious file will trigger the exploit.

Using the flaw an attacker could steal a users authentication credentials and use them to move laterally through the network and access sensitive data.

The vulnerability was discovered by Maor Dahan, a security researcher at Akamai, who reported it to Microsoft. Microsoft initially assessed it as a low-risk bug but later revised its opinion after the flaw was exploited. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalogue. The identity of the attackers has not been made public.

The vulnerability affects all Windows systems, with users urged to patch their system immediately. In addition, administrators are advised to configure firewall rules to limit unnecessary inbound traffic to systems that host the vulnerable Windows Shell component and monitor networks for signs of spoofing attempts targeting Windows Shell.

It is not unusual for Microsoft’s monthly bulk Patch Tuesday updates to cause new problems. In January, Microsoft issued a second emergency Windows 11 patch after a first fix update caused cascading failures. April’s update caused some Windows servers to enter repeated restart loops.