Microsoft has quietly updated its advisory for CVE-2026-32202, a Windows Shell spoofing bug, to confirm it is being exploited in the wild. The flaw was first patched in the April 2026 Patch Tuesday release, but on 27 April the company revised its exploitability assessment after acknowledging real-world attacks. The mechanism is authentication coercion: a malicious LNK (shortcut) file can silently make Windows send the victim's NTLM authentication response (the "NTLM hash") to an attacker-controlled server, with no click required.
Russian state actor APT28 has been chaining this flaw with related Windows Shell bugs to bypass SmartScreen and execute code on victim machines. The risk for Australian businesses is straightforward: a leaked NTLM hash can be cracked offline and the recovered password reused against Microsoft 365 or your VPN, or relayed straight onto file shares and other internal services that still accept NTLM. That is the kind of foothold that quietly turns into a ransomware incident a few weeks later. CVE-2026-32202 exists because the fix for an earlier issue (CVE-2026-21510) was incomplete, so any fleet that skipped the April 2026 cumulative update is still exposed even if the earlier patch was applied.
Push the April 2026 cumulative update to every Windows endpoint and server this week. Block outbound SMB (TCP 445) at the firewall, and remember that the same coercion can travel over WebDAV (TCP 80/443) when the WebClient service is running, so stop that service where it is not needed. Restrict outgoing NTLM authentication where you can, require SMB signing so a relayed session is rejected, and treat any LNK file arriving via email or external downloads as suspicious until proven otherwise. Ask your IT provider whether your patching cadence reliably covers monthly Patch Tuesday across the whole fleet, including the laptops that rarely come back to the office.
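The practical version of "treat LNK files as suspicious" is to look inside them before a user's Explorer window does. The scanner below is an added example written for this post, not Microsoft's code or a detection signature for this specific CVE: it walks the public MS-SHLLINK layout (header, LinkInfo, string data, ExtraData blocks) and flags any shortcut whose icon, target or environment path points at a UNC share, which is exactly what makes Explorer reach out over SMB or WebDAV and hand over an NTLM response. The sample shortcuts are constructed in memory by the `build_lnk()` helper (real shortcuts also carry an IDList and LinkInfo), and the host 203.0.113.7 is a non-routable test address.

```python
"""Flag Windows shortcut (.lnk) files that reference a remote UNC path.

Added example, not from the original post. Layout per MS-SHLLINK; the
sample shortcuts are built in memory and use a constructed test host."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields gated by LinkFlags bits, in on-disk order.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# ExtraData blocks carrying a 260-byte ANSI path followed by a 520-byte Unicode one.
PATH_BLOCKS = {0xA0000001: "environment_block", 0xA0000007: "icon_environment_block"}
# A UNC reference: \\host... (covers \\host@80\... WebDAV syntax too).
UNC = re.compile(r"\\\\[^\\\s\"']+")


def _ansi(buf):
    return buf.split(b"\x00", 1)[0].decode("latin-1", "replace")


def _unicode(buf):
    return buf.decode("utf-16-le", "replace").split("\x00", 1)[0]


def parse_lnk(data):
    """Return every path-like string stored in a shortcut, keyed by field."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("latin-1", 1)
    paths, pos = {}, 76
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo can name a network share
        size, _hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:                       # VolumeIDAndLocalBasePath
            paths["local_base_path"] = _ansi(data[pos + local_off:])
        if li_flags & 0x02:                       # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = pos + cnrl_off
            net_off = struct.unpack_from("<I", data, cnrl + 8)[0]
            paths["net_name"] = _ansi(data[cnrl + net_off:])
        paths["common_path_suffix"] = _ansi(data[pos + suffix_off:])
        pos += size
    for bit, name in STRING_FIELDS:               # CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            paths[name] = data[pos:pos + count * width].decode(enc, "replace")
            pos += count * width
    while pos + 8 <= len(data):                   # ExtraData: BlockSize, BlockSignature, body
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break                                 # TerminalBlock
        if sig in PATH_BLOCKS:
            body = data[pos + 8:pos + size]
            paths[PATH_BLOCKS[sig]] = _unicode(body[260:780]) or _ansi(body[:260])
        pos += size
    return paths


def remote_paths(paths):
    """Fields whose value contains a UNC reference: these trigger an SMB/WebDAV connection."""
    return [(field, value) for field, value in paths.items() if value and UNC.search(value)]


def build_lnk(icon_location=None, icon_env_path=None):
    """Test helper: minimal shortcut with an optional ICON_LOCATION string and
    optional IconEnvironmentDataBlock (0xA0000007), followed by the terminal block."""
    flags = IS_UNICODE | (0x40 if icon_location is not None else 0)
    hdr = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\x00")
    body = b""
    if icon_location is not None:
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    if icon_env_path is not None:
        ansi = icon_env_path.encode("latin-1", "replace").ljust(260, b"\x00")
        uni = icon_env_path.encode("utf-16-le").ljust(520, b"\x00")
        body += struct.pack("<II", 0x314, 0xA0000007) + ansi + uni
    return hdr + body + b"\x00\x00\x00\x00"


# Constructed samples: one benign, one UNC icon, one UNC hidden in the environment block.
SAMPLES = {
    "benign.lnk": build_lnk(icon_location=r"%SystemRoot%\System32\shell32.dll"),
    "coercive_icon.lnk": build_lnk(icon_location=r"\\203.0.113.7\share\icon.ico"),
    "coercive_envblock.lnk": build_lnk(icon_location=r"C:\Windows\notepad.exe",
                                       icon_env_path=r"\\203.0.113.7@80\dav\i.ico"),
}


def scan(samples):
    """Map each filename to its remote references; an empty list means clean."""
    return {name: remote_paths(parse_lnk(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(name, "CLEAN" if not hits else "SUSPICIOUS " + "; ".join(f"{f}={v}" for f, v in hits))
```

Run it against real attachments by reading each `.lnk` file's bytes and passing them to `parse_lnk()`; a hit in `icon_location` or `icon_environment_block` is the classic no-click coercion shape, since Explorer resolves the icon just to draw the folder listing, while a hit in `arguments` or `net_name` only fires when the shortcut is launched. The scanner does not decide whether a share is yours, so pair it with an allow-list of internal hosts before acting on the result.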
If you would like a fresh set of eyes on your patch coverage, our managed IT and support team can run an audit and tell you exactly where the gaps are.
