Windows laptop showing a malicious shortcut file exploiting a zero-click vulnerability to bypass Defender SmartScreen, with hacker warning graphics and security alert theme.

Microsoft has patched a dangerous zero-click Windows vulnerability, tracked as CVE-2026-32202, that was actively exploited by Russian-linked APT28 hackers. The flaw allowed attackers to bypass Defender SmartScreen and trigger hidden authentication requests simply by opening a folder containing a malicious shortcut (.LNK) file.


The attack used specially crafted Windows shortcut files that forced systems to connect to attacker-controlled servers automatically. This could leak NTLM authentication hashes without any click from the victim, enabling credential theft, relay attacks, or further network compromise. Researchers said the issue was linked to an incomplete earlier patch.

Microsoft fixed the flaw in its April 2026 Patch Tuesday updates and urged users to install updates immediately. Security teams should also monitor suspicious outbound SMB traffic, restrict NTLM usage, and prioritize patching systems that use shared folders or network drives.
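The outbound SMB monitoring recommended above can be sketched as a check over firewall flow records. This is an added example, not code from Microsoft or the researchers. The CSV log layout, the sample records, and the internal address ranges are constructed assumptions to adapt to your environment.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Assumption: these ranges are "internal"; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: timestamp,src,dst,dst_port,proto,action
SAMPLE_LOG = """\
2026-04-20T09:14:02Z,10.1.4.23,10.1.0.5,445,tcp,allow
2026-04-20T09:14:07Z,10.1.4.23,203.0.113.77,445,tcp,allow
2026-04-20T09:15:31Z,10.1.4.60,198.51.100.9,443,tcp,allow
2026-04-20T09:16:45Z,10.1.7.12,203.0.113.77,445,tcp,deny
2026-04-20T09:18:10Z,10.1.4.23,192.168.50.8,139,tcp,allow
not,a,valid,record
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    """Map each internal source IP to its SMB flows that leave the internal ranges."""
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed records instead of failing the whole run
        ts, src, dst, port, proto, action = row
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if (proto == "tcp" and port in SMB_PORTS
                and is_internal(src_ip) and not is_internal(dst_ip)):
            hits[src].append((ts, dst, port, action))
    return dict(hits)

if __name__ == "__main__":
    for src, flows in sorted(find_external_smb(SAMPLE_LOG).items()):
        for ts, dst, port, action in flows:
            # An allowed flow may have carried an NTLM exchange; a denied one
            # still identifies a host that tried to reach an external SMB server.
            print(f"{ts} {src} -> {dst}:{port} [{action}]")
```

Hosts with allowed flows are the priority for credential resets, and hosts with denied flows are still worth checking for the shortcut that triggered the attempt.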

