A critical Windows protection-mechanism failure that allows zero-click theft of NTLM credentials has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The flaw is being used as a reliable first step for NTLM relay and offline hash cracking, and from there for lateral movement inside enterprise networks.
Tracked as CVE-2026-32202, the vulnerability resides in the Windows Shell and was left behind by an incomplete patch for an earlier RCE flaw. An attacker can trigger the leak simply by having the victim system process a malicious file, without the user ever executing it: the system initiates an outbound NTLM authentication to an attacker-controlled server and hands over the user's NTLM challenge-response. CISA added the CVE to the KEV catalog on April 28 following reports of active exploitation by advanced threat groups.
Zero-click vulnerabilities are exceptionally dangerous because they remove the human element from the initial access chain. What leaks here is not the stored NT hash but a Net-NTLMv2 response, so it cannot be passed directly; instead the attacker relays it in real time to a service that does not enforce signing (SMB, LDAP, HTTP) to authenticate as the user, or cracks it offline to recover the password. Either path enables rapid lateral movement and data exfiltration.
– Apply the latest Microsoft security updates for Windows 10, 11, and Server 2022/2025 immediately; the patch removes the trigger, everything below only limits what a leak is worth.
– Enforce SMB signing (and LDAP signing/channel binding) so a relayed authentication is rejected, restrict outbound NTLM and raise LmCompatibilityLevel to NTLMv2-only where possible, transition to Kerberos for internal authentication, and block outbound SMB (TCP 445) at the network edge so a coerced authentication cannot reach an attacker's server.
– Implement Credential Guard to protect cached secrets in LSASS memory. Note that it does not stop the coerced outbound NTLM authentication itself, so it complements the patch and the NTLM restrictions rather than replacing them.
– Monitor for anomalous NTLM authentication: outbound NTLM from workstations to IP literals or non-internal hosts (NTLM audit event 8001 with RestrictSendingNTLMTraffic in audit mode), and NTLM network logons (Security event 4624, logon type 3) on servers from endpoints that have recently processed untrusted external files.
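The following PowerShell script is an added example, not code from the original post or from Microsoft; it implements the SMB-signing, NTLM-restriction, Credential Guard and outbound-NTLM monitoring steps above on a single host. The internal DNS suffix, the look-back window and the event-data field names for event 8001 (TargetName, ProcessName, ClientUserName) are assumptions to confirm against a real event with `(Get-WinEvent ...).ToXml()` before relying on the filter.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): audit and optionally enforce NTLM/SMB hardening,
# check Credential Guard, and list recent outbound NTLM authentications to hosts outside
# an assumed internal domain. Run without -Enforce first to see the current state.
param(
    [string]$InternalSuffix = '.corp.example',   # assumption: your internal DNS suffix
    [int]$LookbackHours = 24,                    # assumption: how far back to read the audit log
    [switch]$Enforce                             # without this switch the script only reports
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

# --- 1. SMB signing: a relayed NTLM authentication is rejected by a signing-required peer ---
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
"SMB server RequireSecuritySignature : $($srv.RequireSecuritySignature)"
"SMB client RequireSecuritySignature : $($cli.RequireSecuritySignature)"
if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# --- 2. NTLM restriction ---
# LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
# RestrictSendingNTLMTraffic: 0 = allow, 1 = audit (writes event 8001), 2 = deny all.
$lm  = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
$out = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
"LmCompatibilityLevel                : $lm (want 5)"
"RestrictSendingNTLMTraffic          : $out (1 = audit, 2 = deny)"
if ($Enforce) {
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    # Start in audit mode; move to 2 only once the 8001 log shows no legitimate outbound NTLM.
    if (-not $out -or $out -lt 1) {
        Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    }
}

# --- 3. Credential Guard: SecurityServicesRunning contains 1 when it is active ---
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)
"Credential Guard running            : $cgRunning"

# --- 4. Outbound NTLM audit: event 8001 in Microsoft-Windows-NTLM/Operational ---
# Each event records the target server and the client process. A coerced authentication
# from a shell or document handler to an IP literal or an external host is the pattern this
# CVE class produces; internal file servers are filtered out by suffix.
$since  = (Get-Date).AddHours(-$LookbackHours)
$filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # field names: assumption
    $target = $d['TargetName']
    $isIp   = $target -match '^\d{1,3}(\.\d{1,3}){3}$'
    $isExt  = $target -and -not $target.EndsWith($InternalSuffix, [StringComparison]::OrdinalIgnoreCase)
    if ($isIp -or $isExt) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Target  = $target
            Process = $d['ProcessName']
            User    = $d['ClientUserName']
        }
    }
}
```

Run it in report mode on a sample of endpoints before using -Enforce: legacy appliances and non-domain hosts often still depend on NTLM, and the 8001 audit trail is what tells you which ones, so that RestrictSendingNTLMTraffic can be moved to deny with exceptions rather than broken outright.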
When a core protection mechanism fails this way, the lasting fix is to stop depending on NTLM at all: move internal authentication to Kerberos and users to phishing-resistant credentials. #CodeDefence #Microsoft #Windows #NTLM #CISA
