A critical zero-click security flaw, tracked as CVE-2026-32202, stems from a patch that did not fully fix a Windows Shell security issue. Microsoft confirmed active exploitation of the flaw and released a fix as part of its April 2026 Patch Tuesday update.
CERT-UA reported that the APT28 group, also called Fancy Bear, Forest Blizzard, and Pawn Storm, launched a targeted cyberattack on Ukraine and some EU countries in December 2025 using a malicious LNK (Windows Shortcut) file.
Akamai researchers found the campaign in January 2026. They linked the infection to two connected vulnerabilities: CVE-2026-21513 (an MSHTML exploit) and CVE-2026-21510 (a Windows Shell SmartScreen bypass rated 8.8).
Windows Shell 0-Click Vulnerability Exploited
The core of this attack abuses the way Windows Shell parses namespace objects. APT28 embedded a malicious LinkTargetIDList structure in the LNK file, a binary IDList that Windows Explorer parses and displays, the same way Control Panel items are displayed.
Figure: Conceptual flow of CVE-2026-21510 exploitation (source: Akamai)
The IDList had three main parts: a CLSID for the Control Panel COM object, another entry for “all control panel items,” and a third _IDCONTROLW structure that included a UNC path to the attacker’s remote server.
When the victim’s explorer.exe parsed this LNK file, it resolved the malicious path as:
::{26EE0668-A00A-44D7-9371-BEB064C98683}\0\{GENERATED GUID OF THE UNC PATH}
This made Windows load a DLL from a server controlled by the attacker as if it were a Control Panel component, without triggering SmartScreen or Mark of the Web checks.
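A defender-side check for the structure described above, as an added example that is not code from Akamai, CERT-UA or Microsoft: it walks the LinkTargetIDList using the MS-SHLLINK framing and reports UNC paths in any IDList that also carries the Control Panel CLSID. It assumes the path is stored as UTF-16LE text; `build_sample`, the host name and the item payloads are constructed test data and do not reproduce real shell item layouts.

```python
import re
import struct
import uuid

# CLSID from the resolved path quoted in the article, in on-disk GUID byte order.
CONTROL_PANEL_CLSID = uuid.UUID("26EE0668-A00A-44D7-9371-BEB064C98683").bytes_le
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_IDLIST = 0x1
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}(?:[\x21-\x7e]\x00)+")  # UTF-16LE "\\host\..."


def idlist_items(lnk: bytes) -> list[bytes]:
    """Return the raw ItemID payloads of the LinkTargetIDList (MS-SHLLINK)."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk, 0)[0] != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    if not struct.unpack_from("<I", lnk, 20)[0] & HAS_LINK_TARGET_IDLIST:
        return []
    if len(lnk) < 78:
        raise ValueError("truncated IDList")
    (list_size,) = struct.unpack_from("<H", lnk, 76)
    end = min(78 + list_size, len(lnk))
    items, pos = [], 78
    while pos + 2 <= end:
        (size,) = struct.unpack_from("<H", lnk, pos)
        if size == 0:  # TerminalID closes the list
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemID size")
        items.append(lnk[pos + 2 : pos + size])
        pos += size
    return items


def suspicious_unc(lnk: bytes) -> list[str]:
    """UNC paths found in an IDList that also carries the Control Panel CLSID."""
    items = idlist_items(lnk)
    if not any(CONTROL_PANEL_CLSID in item for item in items):
        return []
    return [m.group().decode("utf-16-le") for item in items for m in UNC_UTF16.finditer(item)]


def build_sample(item_payloads: list[bytes]) -> bytes:
    """Constructed fixture: minimal header plus opaque items (hypothetical layout)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_TARGET_IDLIST).ljust(76, b"\0")
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\0\0"
    return header + struct.pack("<H", len(body)) + body


FLAGGED = build_sample([b"\x00\x00" + CONTROL_PANEL_CLSID, b"\x00" * 4,
                        "\\\\files.example.invalid\\share\\item".encode("utf-16-le")])
BENIGN = build_sample([b"\x00\x00" + b"\x11" * 16])
```

A hit from `suspicious_unc` is a triage signal for mail and web gateways or endpoint sweeps, not proof of exploitation.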
Microsoft fixed CVE-2026-21510 in February 2026. They added a new COM object named ControlPanelLinkSite. This new object connects the CPL launch path with ShellExecute’s trust check system.