Executive Summary
CVE-2026-32202 is a Windows Shell protection-mechanism failure that turns normal folder rendering into a credential-exposure path. Akamai found it while analyzing Microsoft's patch for an APT28-linked LNK exploit chain: the February fix blocked the earlier remote code execution and SmartScreen bypass path, but Windows Explorer could still resolve a UNC path while extracting shortcut resources, causing a victim host to authenticate to an attacker-controlled SMB server without a click Akamai opens in a new tab.
CISA added CVE-2026-32202 to the Known Exploited Vulnerabilities catalog on 2026-04-28, with a federal remediation due date of 2026-05-12 CISA opens in a new tab. The NVD entry also marks the CVE as present in CISA KEV and links to Microsoft and Akamai advisories NVD opens in a new tab.
The immediate risk is Net-NTLMv2 capture and relay. A mailbox, archive share, developer download folder, ticket attachment, or synced cloud directory that contains a crafted .lnk can trigger outbound authentication as soon as Explorer previews or renders the folder. Treat exposure as credential theft until SMB egress, NTLM relay paths, and affected accounts are ruled out.