Windows Zero‑Day Vulnerability Enables NTLM Credential Theft

This new actively exploited Windows flaw enables silent credential theft with minimal user interaction.


Key Takeaways:

  • Microsoft and CISA warn of an actively exploited Windows zero-day.
  • This flaw stems from an incomplete patch and enables stealth credential leakage.
  • This vulnerability is linked to advanced threat activity; urgent updates and monitoring advised.

Microsoft and CISA have issued an urgent alert to federal agencies over a newly discovered Windows zero-day vulnerability. The flaw could enable attackers to silently extract sensitive data from affected systems.

According to a new report from cybersecurity firm Akamai, CVE‑2026‑32202 is a Windows vulnerability that emerged due to an incomplete fix for an earlier security flaw, which demonstrates how partial patches can leave systems exposed. Instead of enabling direct code execution, as in the original issue, this flaw allows attackers to silently force a victim’s system to authenticate to a malicious server, which leads to the leakage of sensitive credentials, such as NTLM hashes.

How does the zero-click exploit silently force authentication?

This security vulnerability is particularly dangerous because it can be triggered with little or no user interaction. For instance, simply viewing a specially crafted shortcut file can initiate the attack, which is what makes it a “zero‑click” threat. This vulnerability has been associated with advanced threat actors like APT28, who have exploited similar weaknesses in targeted campaigns.

This vulnerability is associated with the APT28 group (also known as Fancy Bear), which conducted cyber operations in late 2025 against organizations in Ukraine and across Europe. In these campaigns, the attackers combined several weaknesses, including CVE‑2026‑21513, which bypasses security protections, and CVE‑2026‑21510, which enables remote code execution and circumvents SmartScreen defenses. These exploits were packaged into malicious shortcut (.lnk) files and distributed to targets, which allowed the attackers to compromise systems when the files were accessed.

Microsoft attempted to fix CVE‑2026‑21510 in February during its Patch Tuesday updates, where it was identified as one of several zero‑day vulnerabilities already being exploited in real-world attacks. However, evidence showed that the APT28 group had been actively using this flaw as early as January, before the patch was released.

Security recommendations to mitigate active threats

Organizations are strongly advised to apply the latest Microsoft security updates immediately and treat this vulnerability as a high priority, since it is already being exploited in real attacks. Moreover, security teams should follow vendor guidance, ensure cloud environments are updated in line with CISA directives, and stop using any vulnerable systems if fixes cannot be applied.

Additionally, organizations should strengthen their overall security posture by monitoring for suspicious authentication activity, limiting credential exposure, and reducing reliance on legacy authentication methods like NTLM. This flaw enables attackers to steal credentials and move laterally across networks. Administrators should implement measures such as network segmentation, least‑privilege access, and continuous monitoring to detect and contain potential breaches early.
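The recommendations above (monitoring for suspicious authentication activity, limiting credential exposure, and reducing reliance on NTLM) translate into a few concrete host settings. The following PowerShell script is an added example written for this article, not code from Microsoft, CISA, or Akamai. It uses Microsoft's documented "Restrict NTLM" registry control under the MSV1_0 key, a Windows Firewall rule that blocks outbound SMB to Internet addresses, and the NTLM operational event log; the `corp.example` DNS suffix, the firewall rule name, and the `TargetName`/`ProcessName` event field names are assumptions to adapt to your environment. Run it in an elevated session.

```powershell
# Added example (not from the article): audit and reduce outbound NTLM exposure
# on a Windows host. Registry value and event IDs are Microsoft's documented
# NTLM-restriction controls; domain suffix and rule name are placeholders.

$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Audit outgoing NTLM (policy "Network security: Restrict NTLM: Outgoing NTLM
#    traffic to remote servers"): 0 = allow all, 1 = audit all, 2 = deny all.
#    Start in audit mode; move to 2 once the log shows no legitimate outbound use.
Set-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 2. Block outbound SMB (TCP 445) to non-local addresses so that a coerced
#    authentication cannot reach a server outside the organisation's network.
$RuleName = 'Block outbound SMB to Internet'   # placeholder name
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 3. Review audited outgoing NTLM attempts (event 8001 in the NTLM operational
#    log) from the last 7 days and surface any whose target is not an internal host.
$TrustedSuffix = 'corp.example'   # placeholder: your internal DNS suffix
$Filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the structured EventData fields rather than parsing the message text
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Target  = $data['TargetName']    # assumed field name; fall back to $_.Message if empty
            Process = $data['ProcessName']   # assumed field name
        }
    } |
    Where-Object { $_.Target -and $_.Target -notlike "*.$TrustedSuffix" } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The audit-then-deny sequence matters: setting `RestrictSendingNTLMTraffic` to 2 immediately can break legitimate NTLM connections to older file servers, so review the 8001 events first, add any genuinely required servers to the "Network security: Restrict NTLM: Add remote server exceptions" policy, and only then enforce the deny setting. Roll both the registry value and the firewall rule out through Group Policy or your configuration management tool rather than host by host.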