Critical Windows Patch Vulnerability Exposes Systems to Zero-Click Attacks
Incomplete Windows Patch Enables Zero-Click Attacks
In February, Microsoft patched two vulnerabilities, CVE-2026-21510 and CVE-2026-21513, in Windows SmartScreen and Windows Shell security prompts. However, an incomplete patch left a door open to zero-click attacks, according to research by Akamai.
Vulnerabilities Exploited by Russia-linked APT28
Russia-linked APT28, also known as Fancy Bear, exploited CVE-2026-21510 in attacks targeting Ukraine and European Union countries in December 2025. The group used weaponized LNK files that chained CVE-2026-21513 and CVE-2026-21510 to bypass Windows’ security features and achieve remote code execution.
Analysis of the Patches Reveals Missing Security Check
Analysis of the patches revealed that while the RCE path was mitigated by enforcing SmartScreen verification of the file’s digital signature and origin zone, the victim machine was still authenticating to the attacker’s server. The reason was placement: the trust verification fired only in a call at the end of the launch chain, leaving an earlier stage of the chain unchecked.
Exploitation of CVE-2026-21513
In late February, Akamai attributed the exploitation of CVE-2026-21513 to APT28 but did not mention CVE-2026-21510, because by then it had already discovered the incomplete patch.
New Vulnerability Discovered
The incomplete patch gave rise to a new vulnerability, tracked as CVE-2026-32202, an authentication coercion vulnerability that can be exploited without user interaction to steal credentials when Windows automatically parses LNK files. Akamai disclosed the issue to Microsoft, and the company released a fix as part of the April 2026 patches.
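The observable side effect described above, a Windows host authenticating outward to an untrusted server while the shell parses a shortcut, is something a defender can hunt for in network telemetry. The following is an added example, not code from the article, Akamai, or Microsoft: it runs simple detection logic over Sysmon Event ID 3 (NetworkConnect) records. It assumes the coerced authentication travels over SMB (port 445), which the article does not state, and the event records are constructed for illustration.

```python
import ipaddress

# Constructed Sysmon Event ID 3 (NetworkConnect) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "System", "DestinationIp": "203.0.113.10", "DestinationPort": 445, "Initiated": True},
    {"Image": "System", "DestinationIp": "10.0.5.20", "DestinationPort": 445, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 445, "Initiated": True},
    {"Image": r"C:\Windows\explorer.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    {"Image": "System", "DestinationIp": "203.0.113.10", "DestinationPort": 445, "Initiated": False},
]

SMB_PORT = 445  # assumption: the coerced authentication goes over SMB

# Explicit internal ranges rather than ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as non-routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address lies outside the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_external_smb(events):
    """Return outbound SMB connections to external hosts.

    The Windows SMB redirector runs in the kernel, so Sysmon reports these
    connections with Image == "System" rather than the process that parsed
    the shortcut; filter on direction, port and destination, not on image.
    """
    return [ev for ev in events
            if ev["Initiated"]
            and ev["DestinationPort"] == SMB_PORT
            and is_external(ev["DestinationIp"])]


def summarize(hits):
    """Collapse hits to a sorted set of destinations for blocking or triage."""
    return sorted({ev["DestinationIp"] for ev in hits})


if __name__ == "__main__":
    hits = flag_external_smb(SAMPLE_EVENTS)
    for ev in hits:
        print(f"outbound SMB to external host {ev['DestinationIp']} from {ev['Image']}")
    print("destinations:", summarize(hits))
```

Blocking outbound port 445 at the perimeter removes the credential-leak path regardless of which parsing stage triggers it, and the same filter applied to firewall logs gives an alert when a host tries anyway.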
Importance of Thorough Testing and Patching
The exploitation of these vulnerabilities highlights the importance of thorough testing and patching of software updates. It also underscores the need for continuous monitoring and analysis of potential vulnerabilities and their impact on security.
