An incomplete Windows patch has exposed users to a zero-click attack.

Akamai discovered that Microsoft’s patch for CVE‑2026‑21510 was incomplete, inadvertently creating a new vulnerability, CVE‑2026‑32202, that allows zero‑click NTLM credential theft. Russia‑linked APT28 exploited the original flaws in attacks against Ukraine and EU countries, using malicious LNK and HTML files to bypass SmartScreen and Windows Shell protections. The incomplete fix allowed Windows Explorer to automatically authenticate to an attacker‑controlled server simply by rendering a folder containing a malicious LNK file. Microsoft has since issued additional patches, though details of observed exploitation remain limited.

Read more:

https://www.securityweek.com/incomplete-windows-patch-opens-door-to-zero-click-attacks/