Active Exploitation of Zero-Click Windows Shell Spoofing Vulnerability CVE-2026-32202

CISA and Microsoft have warned of active exploitation of CVE-2026-32202, a zero-click Windows Shell spoofing vulnerability that forces victim systems to authenticate to an attacker-controlled server. The flaw stems from an incomplete patch for CVE-2026-21510, which, alongside CVE-2026-21513, was previously exploited by APT28 (Fancy Bear) via weaponized LNK files to bypass Windows security features. Microsoft addressed the earlier vulnerabilities in February 2026, but the new flaw remains unpatched and actively targeted. The vulnerability affects Windows and Windows Server systems, enabling authentication redirection without user interaction. No specific mitigation or patch date was provided in the warning.