FILE Windows Shell Spoofing Vulnerability (CVE-2026-32202)

Rule ID

1238218

Severity

High

Description

An LNK file using a particular CLSID can trigger a remote 0-click NTLM disclosure when the file is merely viewed in a File Explorer window. The user's NTLMv2 credentials are disclosed over SMB to an attacker-controlled UNC path.

Impact

Policy bypass

Recommendation

Apply the vendor's patch.

IPS Category

File vulnerabilities

IPS Anomaly Group

N/A

IPS Rule Default Action

Deny

References

CVE-2026-32202

CVE-2026-21510

T1204.002

T1203

T1187

Keywords

Windows Server 2012, Windows Server 2016, Windows Server 2019

Date Created

2026/04/14

Last Updated

2026/04/30