Incomplete Windows Patch Opens Door to Zero-Click Attacks
Briefly

"An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system."
"The lack of proper patching, it says, resulted in a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials via auto-parsed LNK files."
"We then found an incomplete patch and disclosed it to Microsoft. The new vulnerability, CVE-2026-32202, caused the victim to authenticate the attacker's server without user interaction (zero click)."
Akamai reported that an incomplete patch for Windows vulnerabilities CVE-2026-21510 and CVE-2026-21513 has led to new zero-click attack vectors. The initial vulnerability allowed remote code execution if a user opened a malicious file. APT28 exploited these vulnerabilities. The incomplete patch gave rise to CVE-2026-32202, a new authentication coercion vulnerability that can be used to steal credentials without user interaction. Microsoft released fixes for CVE-2026-32202 in April 2026, but did not provide details on the attacks observed.
Read at SecurityWeek