The CVSS 4.3 that APT28 was already using
Microsoft shipped the fix for CVE-2026-32202 without an exploitation flag while Russian state actors had a five-month head start. Vendor-tag triage missed it. The federal deadline is tomorrow.
Microsoft shipped the fix for CVE-2026-32202 on April 14 without flagging it as exploited. APT28 had been using the underlying attack chain since December. The advisory carried a CVSS of 4.3 and no “Exploitation Detected” marker, which means in any standard triage queue this CVE landed somewhere between the printer driver bugs and the third-party browser plugins nobody patches on time. The federal deadline lands tomorrow.
The thirteen days between the patch shipping and CISA’s KEV listing are the operational story. Not the bug. The bug is interesting; the gap is the part you can do something about.
What the bug actually does
CVE-2026-32202 is a Windows Shell spoofing flaw. A crafted .lnk shortcut embeds a UNC path in the icon-location field, something like \\attacker.example\share\icon.ico. When Windows Explorer renders the folder containing that file, shell32.dll tries to fetch the icon. The fetch opens an outbound SMB connection on TCP 445. SMB triggers an NTLM challenge-response. The user’s Net-NTLMv2 hash leaves the machine without a single click. Navigating to the folder is the entire user gesture required.
Captured hashes go one of two places: offline cracking against weak passwords, or live NTLM relay against any internal service that does not enforce SMB signing. One poisoned shortcut on a shared drive is enough to compromise everyone who opens that folder.
This bug exists because the February patch for CVE-2026-21510, a SmartScreen bypass APT28 was chaining for RCE, fixed the launch-time check but not the icon-resolution check. Akamai’s Maor Dahan, the researcher who found it, called it “the gap between path resolution and trust verification.” That is a polite way of saying the fix protected the door but not the window next to the door, and the same crew that climbed through the door in February climbed through the window in April.
The triage problem this CVE exposes
Run the numbers the way a normal patch program runs them. CVSS 4.3 is medium. No integrity impact. No availability impact. No exploitation flag in the vendor advisory. EPSS would not have caught it inside the disclosure window; KEV did not catch it for thirteen days. A team triaging the April Patch Tuesday release saw the usual cluster of CVSS 9s at the top of the list and a 4.3 spoofing bug somewhere in the back. The 4.3 went on the ninety-day track. That was the correct decision given the inputs. The inputs were wrong.
This is the part that is hard to argue with: Microsoft’s tagging was the synchronization point for everyone downstream, and the tag was missing while APT28 was actively using the bug to steal hashes from government targets in Ukraine and the EU. Microsoft has not publicly explained why. The Register asked. No response. CISA flipped on April 28, the day after Microsoft updated the advisory. The federal civilian deadline is May 12.
Why this keeps happening
Pull the camera back. NTLM coercion is not a single bug; it is a class of bugs that emerges from a structural property of Windows authentication. NTLM gets initiated automatically by any subsystem that opens a remote resource, which is most of them. The named history is long: PrinterBug, PetitPotam, DFSCoerce, ShadowCoerce. Unit 42 documented over 240 RPC functions that potentially carry the same coercion primitive. Each individual patch is local. The adjacent functions stay open.
There is direct precedent for the incomplete-patch pattern. Check Point traced CVE-2025-24054 in March 2025 back to CVE-2024-43451 from November 2024: same NTLM hash disclosure, different file format (.library-ms versus .url). CVE-2026-32202 is the third iteration, this time on .lnk icon rendering. The kill primitive is preserved across patches because the kill primitive is the protocol, and the protocol is what Microsoft is finally taking off by default in a future Windows Server release.
The three-phase NTLM deprecation plan, announced in February, has the structure of a project that is taking the problem seriously. Phase 1 is enhanced auditing on Server 2025 and Windows 11 24H2. Phase 2 in H2 2026 adds IAKerb and Local KDC so Kerberos succeeds where NTLM used to fall back. Phase 3, in the next major Server release, finally disables NTLM by default. Not removes. Disables. Until then, every coercion CVE is a reminder of the gap, and shops that triage on CVSS alone will keep finding out about them on day fourteen.
What to actually do, in order
Patch first, today. The April 14 cumulative update covers Windows 10 (1607–22H2), Windows 11 (23H2–26H1), and Server 2012 R2 and later. KB numbers are version-specific and Microsoft has not published a unified KB ID, so pull from the Security Update Guide per OS.
Block outbound SMB at the perimeter. TCP 445 and 139 from workstation subnets to the internet. The exploit’s kill chain requires the victim machine to initiate that connection; block the connection and the bug becomes hash theft to nowhere. Test with Test-NetConnection -ComputerName <external-IP> -Port 445 from a workstation. Where the block is not feasible end-to-end, run an allowlist.
Enforce SMB signing. Group Policy: Microsoft network client: Digitally sign communications (always) = Enabled. Server 2025 ships this default. Earlier versions do not. SMB signing is what prevents relay even when a hash is captured.
Enable EPA on internal services. Extended Protection for Authentication ties NTLM to the TLS channel. Server 2025 enables it by default for Exchange, AD CS, and LDAP; earlier versions need manual configuration. EPA protects HTTPS endpoints, not HTTP and WebDAV. Disable the WebClient service where it is not in active use.
Sweep shared drives for poisoned LNKs. One shortcut with an external UNC path in its icon-location field is enough to harvest hashes from every user who opens the parent folder. There is no published list of IOCs for this campaign, which means retrospective hunting works off the primitive, not the indicator.
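One way to hunt off the primitive rather than the indicator, as an added example that is not code from the article, PatchDay Alert, or Akamai: a small parser for the Shell Link header and StringData that flags any .lnk whose icon-location field is a UNC path to a host outside an allowlist. The trusted-host set, the hostnames, and the constructed fixture are assumptions for illustration.

```python
import struct
from pathlib import Path
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each with the LinkFlags bit that says it is present
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]

def parse_lnk_strings(data):
    """Validate the 76-byte ShellLinkHeader, skip IDList/LinkInfo, return the StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                  # LinkTargetIDList: uint16 size, then the list bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfo: uint32 total size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            raw = data[pos:pos + count * (2 if flags & IS_UNICODE else 1)]
            fields[name] = raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252", "replace")
            pos += len(raw)
    return fields

def suspicious_icon_unc(icon, trusted_hosts):
    """True when the icon path is UNC (\\\\host\\...) and the host is not on the allowlist."""
    if not icon or not icon.startswith("\\\\"):
        return False
    host = icon[2:].split("\\", 1)[0].split("@", 1)[0].lower()   # drop WebDAV @SSL/@port suffixes
    return host not in {h.lower() for h in trusted_hosts}

def sweep(root, trusted_hosts):
    """Return [(path, icon_location)] for every .lnk under root whose icon points at an untrusted UNC host."""
    hits = []
    for p in Path(root).rglob("*.lnk"):
        try:
            icon = parse_lnk_strings(p.read_bytes()).get("icon_location")
        except (ValueError, struct.error):
            continue                         # malformed shortcut: worth logging, but keep sweeping
        if suspicious_icon_unc(icon, trusted_hosts):
            hits.append((str(p), icon))
    return hits

def build_sample_lnk(icon):
    """Constructed test fixture, not a real sample: a minimal LNK carrying only an ICON_LOCATION string."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, 0x40 | IS_UNICODE, 0x80, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Icon paths can also arrive through the IconEnvironmentDataBlock in the trailing ExtraData section, which this example does not walk; extend the parser if the sweep needs that coverage.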
Carry-forward uncertainty
Two things the dossier flagged that should stay flagged. There is no public proof-of-concept for CVE-2026-32202 specifically, and there are no published IOCs (file hashes, C2 domains, or IP addresses) for the APT28 campaign. The technical primitive is well-understood from prior research; the operational fingerprint of this specific campaign is not. Detection has to be built off the behavior, not the artifact.
The compounding factor is worth naming. On April 15, one day after this patch shipped, NIST cut NVD enrichment to roughly 15-20 percent of incoming CVEs. The remaining 80 percent ship without CVSS scores or CPE identifiers, which is to say invisible to most scanners. If the system that produced the missing flag on April 14 is upstream of triage decisions for thousands of organizations, the system that stopped enriching most CVEs on April 15 is upstream of the same decisions for the rest of the year.
The reframe
Single-signal triage models are operating with a known lag against the threat. The minimum viable triage stack is now three layers: CVSS for the technical baseline, EPSS for exploitation probability, KEV for confirmed ground truth. Any program still scoring purely on vendor severity tags is, in practice, accepting a thirteen-day window where state actors are ahead of the patch posture.
PatchDay Alert is built around this reality. The daily digest filters on CVSS and KEV together, and when a CVE flips on KEV mid-cycle, it gets re-surfaced rather than sitting in yesterday’s queue. That does not make the underlying problem go away. It does mean the next CVE-2026-32202 is not going to be a 4.3 you find out about on day fourteen.
The bug is not the story. The story is that a queue full of CVSS 9s is exactly where a CVSS 4.3 lives until somebody at CISA flips a switch.
Sources
- SecurityWeek — Incomplete Windows patch opens door to zero-click attacks
- The Register — Microsoft zero-click exploit
- Akamai — Incomplete patch: APT28's zero-day CVE-2026-32202
- The Hacker News — Microsoft confirms active exploitation
- CISA Known Exploited Vulnerabilities Catalog
- Help Net Security — Windows CVE-2026-32202 exploited
- CSA Research Note — NIST NVD enrichment policy change
- Check Point Research — CVE-2025-24054 NTLM exploit in the wild