Skip to main content
LiMP VPN
All news

Zero-Click Windows Flaw Leaks Your Password Hash

Zero-Click Windows Flaw Leaks Your Password Hash

In short: In July 2026, CISA and Microsoft warned of active exploitation of a Windows Explorer flaw, CVE-2026-32202. It lets an attacker steal a user's password hash (Net-NTLMv2) with zero clicks — simply opening a folder that contains a malicious shortcut is enough. The stolen hash is then used for NTLM relay attacks and offline password cracking. Install the latest updates and keep SMB traffic off untrusted networks.

What happened

CVE-2026-32202 is a spoofing vulnerability in the Windows Shell. Its formal score is low (CVSS 4.3 out of 10), but it is dangerous precisely because it is already being used in real attacks. As of July 2026, exploitation has been confirmed by both Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The root cause is an incomplete fix for an earlier flaw, CVE-2026-21510, which Microsoft closed back in February 2026. That patch stopped code execution and a SmartScreen bypass, but it did not stop the victim's machine from reaching out to the attacker's server on its own. A full fix shipped on 14 April 2026, yet it was not flagged as "exploited," so many administrators did not treat it as urgent. If you manage accounts, start with the basics — see our guide on how to protect an account from hacking.

How the zero-click attack works

The trick needs no double-click and no launched file. An attacker plants a booby-trapped shortcut (a .LNK file) — for example, in a folder delivered by email or download. The shortcut points at a network path such as \\attacker.com\share\icon. The moment Windows Explorer renders that folder to draw the shortcut's icon, it automatically resolves the path and opens an SMB connection to the attacker's server.

That connection triggers an automatic NTLM authentication handshake, and your device hands over its Net-NTLMv2 hash — a cryptographic proof of your Windows credential. The attacker can then replay it against other systems (an "NTLM relay" attack) or crack it offline to recover the plaintext password. Security researchers report that the underlying capability has been abused since December 2025, and it is a close cousin of the credential theft behind large password leaks we have covered before.

What it means for your data

A leaked credential hash is a skeleton key. If your password is short or reused, offline cracking can turn that hash into your real password within hours, opening the door to your email, work systems and cloud storage. Even without cracking, a relay attack can let an intruder act as you on internal services. And because the whole thing needs no click, a single opened folder on a compromised share is enough — there is no obvious "I ran something I shouldn't have" moment to warn you.

The exposure is worst on untrusted networks. On public or shared Wi-Fi, an SMB request that escapes to the internet can be intercepted or redirected, sending your hash straight to a stranger. This is the same class of risk we describe in our explainer on how data is stolen on public Wi-Fi.

How to protect yourself

Install the latest Windows updates. Apply July 2026 Patch Tuesday and the April fix for CVE-2026-32202. Incomplete patching is exactly how this flaw survived, so do not skip cumulative updates.

Block outbound SMB (port 445). Home users almost never need SMB to reach the public internet. Blocking outbound port 445 in your firewall stops the malicious shortcut from ever reaching the attacker's server. Our overview of how a VPN, antivirus and firewall work together explains where each layer fits.

Use a VPN on untrusted networks. On hotel, café or airport Wi-Fi, routing your traffic through an encrypted tunnel keeps stray SMB and authentication traffic away from local snoopers. LiMP VPN is a no-logs service for iOS and Android — see the features and plans.

Strengthen the credential itself. Use long, unique passwords and, where possible, phishing-resistant sign-in like passkeys, so a stolen hash is far harder to abuse.

Sources

This report is based on active-exploitation warnings from CISA and Microsoft, reported by The Hacker News and Help Net Security, and covered in Russian by CNews (9 July 2026).

Zero-Click Windows Flaw Leaks Your Password Hash | LiMP VPN