What Happened
CISA added CVE-2026-32202 to its Known Exploited Vulnerabilities catalog on April 28, 2026, ordering US Federal Civilian Executive Branch agencies to patch by May 12. The flaw is a zero-click NTLM hash leak in Windows Shell — meaning a victim’s machine authenticates to an attacker-controlled server without any user interaction required. Microsoft patched the vulnerability in April’s Patch Tuesday but initially published the advisory without an exploitation flag. On April 27, Microsoft updated the advisory to confirm active exploitation in the wild.
Akamai researchers identified CVE-2026-32202 as the result of an incomplete fix for CVE-2026-21510, a Windows LNK file flaw exploited by Russia’s APT28 (also known as Fancy Bear and Forest Blizzard) against Ukraine and EU member states in December 2025. When Microsoft patched CVE-2026-21510 in February 2026, it did not fully close the attack surface. CVE-2026-32202 exploits the same underlying weakness through a different code path: it forces Windows to authenticate outbound to an attacker’s SMB server, leaking the victim’s Net-NTLMv2 hash. The attacker relays or cracks the hash to authenticate as the user, access network resources, and pivot further into the environment. No clicks, no attachments opened — just a malicious LNK file visible in a network share or folder, per BleepingComputer.
Why This Matters for Canadian Organizations
APT28 is a Russian military intelligence (GRU) threat actor with a documented history of targeting NATO members, including Canada. As a Five Eyes partner and NATO member, Canada sits squarely within APT28’s established targeting criteria. The CCCS has previously issued joint advisories with CISA, NCSC-UK, and allied agencies warning of APT28 campaigns, and this vulnerability class — Windows LNK file abuse for NTLM credential theft — aligns with TTPs APT28 has used against Canadian government and critical infrastructure targets in prior campaigns.
Beyond nation-state actors, NTLM relay attacks are a standard technique in ransomware and criminal threat actor playbooks. CVE-2026-32202 lowers the bar for any attacker operating in a Windows environment: no user needs to click anything, and the attack works silently against any organization with SMB accessible within the network. Canadian enterprises and government departments running Windows in domain environments — the vast majority — are vulnerable until patched. The May 12 deadline applies to US federal agencies, but Canadian federal departments and critical infrastructure operators should treat the same timeline as a practical benchmark given the shared threat environment and CCCS alignment with CISA guidance.
Canadian organizations also need to review their NTLM configuration. Even after patching CVE-2026-32202, enterprises running Windows in environments where NTLM authentication is unrestricted remain susceptible to a broader class of relay attacks. Enforcing SMB signing, disabling NTLM where Kerberos is feasible, and blocking outbound SMB at the perimeter are complementary controls worth prioritizing alongside the patch.
What to Do
Apply Microsoft’s April 2026 Patch Tuesday updates if you have not already done so — CVE-2026-32202 is included. If your environment uses WSUS, SCCM, or Intune for patch management, confirm the April cumulative update has been deployed to all Windows endpoints and servers. Prioritize domain controllers and systems with internet or untrusted network exposure. Check Microsoft’s updated advisory for build numbers that confirm the fix is installed.
As a defense-in-depth measure, enable SMB signing across your environment via Group Policy to prevent relay attacks even if NTLM hashes are captured. Review your firewall rules to confirm outbound SMB (TCP 445) is blocked to internet-facing IPs from workstations and servers. If you run Microsoft Defender for Endpoint or a comparable EDR, check for alerts related to LNK file execution and unexpected outbound authentication events. For Canadian federal departments, refer to CCCS patching guidance and consider requesting a threat briefing if you operate high-value national security or critical infrastructure systems.
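The following PowerShell script is an added example, not part of this advisory or any Microsoft tooling. It audits, read-only, the controls recommended above on a single Windows host: the installed cumulative update build, SMB signing on both the server and client side, the outgoing-NTLM restriction and LmCompatibilityLevel policies, and whether an enabled outbound firewall rule blocks TCP 445. The registry paths, policy value meanings and cmdlets are standard Windows ones; the $MinimumUbr value is a placeholder because this page does not list the fixed build numbers, which must be taken from Microsoft's CVE-2026-32202 advisory.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of NTLM relay hardening on one Windows host.
# PLACEHOLDER: set to the UBR (the part after the dot in the build number,
# e.g. 22631.XXXX) that Microsoft's advisory lists as fixed for this OS version.
$MinimumUbr = 0

function Get-NtlmHardeningReport {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Patch level, reported as CurrentBuild.UBR, the form Microsoft advisories use.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $findings.Add([pscustomobject]@{
        Control = 'April 2026 cumulative update installed'
        Value   = "$($ver.CurrentBuild).$($ver.UBR)"
        Pass    = ([int]$ver.UBR -ge $MinimumUbr) -and ($MinimumUbr -gt 0)
    })

    # 2. SMB signing must be REQUIRED (not merely enabled) to defeat relay.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $findings.Add([pscustomobject]@{
        Control = 'SMB server requires signing'
        Value   = $srv.RequireSecuritySignature
        Pass    = [bool]$srv.RequireSecuritySignature
    })
    $findings.Add([pscustomobject]@{
        Control = 'SMB client requires signing'
        Value   = $cli.RequireSecuritySignature
        Pass    = [bool]$cli.RequireSecuritySignature
    })

    # 3. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    #    0 = allow all, 1 = audit all, 2 = deny all. Absent value means 0.
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $restrict = if ($null -ne $msv.RestrictSendingNTLMTraffic) { [int]$msv.RestrictSendingNTLMTraffic } else { 0 }
    $findings.Add([pscustomobject]@{
        Control = 'Outgoing NTLM to remote servers denied'
        Value   = @('Allow all', 'Audit all', 'Deny all')[$restrict]
        Pass    = ($restrict -eq 2)
    })

    # 4. LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1.
    #    Treated as the default of 3 when the value is absent.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lvl = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
    $findings.Add([pscustomobject]@{
        Control = 'LmCompatibilityLevel is 5 (NTLMv2 only)'
        Value   = $lvl
        Pass    = ($lvl -eq 5)
    })

    # 5. At least one enabled outbound Block rule whose port filter covers TCP 445.
    #    RemoteAddress is reported so the reviewer can see whether it targets
    #    the Internet keyword rather than leaving intranet SMB blocked too.
    $blockRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP') -and ($pf.RemotePort -contains '445')
        }
    $desc = foreach ($r in $blockRules) {
        $af = $r | Get-NetFirewallAddressFilter
        "$($r.DisplayName) -> $($af.RemoteAddress -join ',')"
    }
    $findings.Add([pscustomobject]@{
        Control = 'Outbound TCP 445 blocked by firewall'
        Value   = if ($desc) { $desc -join '; ' } else { 'no matching rule' }
        Pass    = [bool]$blockRules
    })

    return $findings
}

# Print the report; any row with Pass = False is a gap to close alongside the patch.
Get-NtlmHardeningReport | Format-Table Control, Value, Pass -AutoSize -Wrap
```

The script changes nothing; it only reports. Where a row fails, the corresponding remediation is the Group Policy or cmdlet equivalent of the control named in the row, for example Set-SmbServerConfiguration -RequireSecuritySignature $true and Set-SmbClientConfiguration -RequireSecuritySignature $true for signing, or New-NetFirewallRule -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 -RemoteAddress Internet for the perimeter rule. Run it from your endpoint management tool against a sample of workstations and servers to confirm the patch and the complementary controls have actually landed, rather than trusting the deployment console alone.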