CVE-2026-32202

MEDIUM KEV

Windows Shell Spoofing Vulnerability

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-32202 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 28, 2026. EIP tracks 3 public exploits from researchers including nu11secur1ty, virus-or-not, solarlynxsqueeze.

AI-analyzed exploit summary The provided code is a functional Python script that generates a malicious .lnk file exploiting CVE-2026-32202. This vulnerability allows an attacker to capture NTLMv2 hashes by crafting a shortcut file with a UNC path pointing to an attacker-controlled SMB server, triggering authentication when the folder is viewed.

Description

Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

Exploits (3)

exploitdb WORKING POC
by nu11secur1ty · textremotewindows
https://www.exploit-db.com/exploits/52601

The provided code is a functional Python script that generates a malicious .lnk file exploiting CVE-2026-32202. This vulnerability allows an attacker to capture NTLMv2 hashes by crafting a shortcut file with a UNC path pointing to an attacker-controlled SMB server, triggering authentication when the folder is viewed.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Windows Shell (File Explorer) on Windows 10/11 and Windows Server 2019/2022/2025
No auth needed
Prerequisites: Attacker-controlled SMB server · Ability to deliver the .lnk file to the target system
devstral-2 · analyzed May 30, 2026 Full analysis →
github WORKING POC
by virus-or-not · pythonpoc
https://github.com/virus-or-not/CVE-2026-32202

This repository contains a functional Python script that generates a malicious LNK file exploiting CVE-2026-32202. The exploit leverages a crafted _IDCONTROLW structure to trigger an outbound SMB connection when the LNK file is processed by Windows Explorer.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows (specific version not specified)
No auth needed
Prerequisites: UNC path to a malicious CPL file · victim interaction to open the LNK file
devstral-2 · analyzed Apr 30, 2026 Full analysis →
github SUSPICIOUS
by solarlynxsqueeze · poc
https://github.com/solarlynxsqueeze/CVE-2026-32202

The repository claims to exploit CVE-2026-32202 via crafted LNK files for NTLMv2 hash coercion but lacks actual exploit code, instead redirecting to an external download link (tinyurl.com). The README is detailed but serves as a lure rather than providing functional PoC code.

Classification
Suspicious 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Theoretical
Target: Windows Shell (Windows 10/11, Server 2019-2025)
No auth needed
Prerequisites: Attacker-controlled SMB server · Victim interaction (Explorer preview/hover)
devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 4.3
EPSS 0.1998
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2026-04-28
VulnCheck KEV 2026-04-14
ENISA EUVD EUVD-2026-22589
CWE
CWE-693
Status published
Products (37)
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.9060
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8644
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7184
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7184
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6936
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6936
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.32690
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8246
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8246
Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1836
... and 27 more
Published Apr 14, 2026
KEV Added Apr 28, 2026
Tracked Since Apr 14, 2026