
A newly identified issue in Microsoft Windows has revealed that an incomplete security patch has unintentionally introduced a new vulnerability, enabling attackers to carry out zero-click attacks without any user interaction.
The original flaw, tracked as CVE-2026-21510, allowed remote code execution if a user opened a malicious shortcut or HTML file, and was patched earlier in February. However, researchers later discovered that the fix was incomplete, leading to the emergence of a new vulnerability, CVE-2026-32202.
According to Akamai, this newly created flaw allows attackers to trigger automatic authentication requests from a victim’s system as soon as that system processes a specially crafted shortcut (.lnk) file. This means the attack can occur without any user action, making it a zero-click exploit capable of stealing credentials silently.
The vulnerabilities are linked to a broader attack chain involving another flaw, CVE-2026-21513, in Microsoft’s MSHTML framework. Threat actors have been observed combining these issues to bypass Windows security mechanisms and execute malicious code.
The campaign has been attributed to APT28, a Russia-linked cyber espionage group, which reportedly exploited these vulnerabilities in attacks targeting Ukraine and European Union entities as early as late 2025.
Microsoft has since released a fix for the newly identified vulnerability as part of its April 2026 security updates. However, the incident highlights a critical risk in cybersecurity: incomplete patches can inadvertently create new attack surfaces, sometimes even more dangerous than the original flaw.




