New Windows flaw stems from incomplete fix for APT28-exploited bugs

SecurityWeek reports that Microsoft's deficient February patch for CVE-2026-21510, a high-severity Windows SmartScreen and Shell prompt bypass bug that has been exploited by the Russia-linked advanced persistent threat group APT28, has resulted in a new zero-click authentication coercion bug, tracked as CVE-2026-32202.

Exploiting CVE-2026-32202, which Microsoft has addressed as part of this month's Patch Tuesday fixes, could result in credential theft without requiring any user interaction, an analysis from Akamai revealed. The issue stems from the earlier patch's failure to stop victim machines from authenticating to the attacker's server, even though it mitigated the remote code execution path.

Meanwhile, APT28, also known as Fancy Bear, Sofacy, Forest Blizzard, and GruesomeLarch, was reported to have used trojanized LNK files exploiting CVE-2026-21510, alongside the MSHTML security feature bypass defect tracked as CVE-2026-21513, in a December attack campaign aimed at Ukraine and European Union member states. Abuse of the Windows shell namespace parsing mechanism allowed APT28 to load a DLL without proper network zone validation, said Akamai researchers.
