Incomplete Windows Patch Leaves Login Credentials Exposed
A February Windows patch turned out to be only half a fix. Now the gap it left is being actively exploited to steal logins, with no clicking required from.
By The Dragon Digital team
Microsoft has confirmed that a Windows security flaw called CVE-2026-32202 is being actively exploited right now. What makes this one uncomfortable is that it exists because Microsoft’s original patch from February was incomplete.
Here is what happened. In February, Microsoft patched a flaw that Russian state hackers were already using. The patch blocked the original attack but, as researchers at Akamai discovered, left a secondary vulnerability wide open. That gap became CVE-2026-32202, and it is arguably worse than the problem it replaced: an attacker can steal a user’s login credentials without that person clicking anything, opening any attachment, or doing anything wrong at all.
All a user has to do is view a folder in Windows Explorer that contains a malicious shortcut file. Not open it. Just view it. Windows automatically tries to read the file’s contents, and in doing so quietly sends the user’s login details to the attacker’s server. Once those credentials are in the wrong hands, the attacker can impersonate that user and move around the network.
Why this matters for North Wales businesses
If your business has shared PCs, a reception desk, a server with a shared network drive, or staff who open folders from email attachments, this is relevant to you. There is no phishing link to spot, no suspicious behaviour to warn people about. The usual advice of “just don’t click dodgy links” does not apply here.
The flaw was initially flagged as low risk when first patched on 14 April, but Microsoft has since reclassified it as actively exploited. That shift matters. It moves this from “patch at your next maintenance window” to “check this has been done now”.
What to do
The fix is already in the 14 April Windows security updates. On most business PCs, these will have installed automatically. But it is worth confirming, particularly if you are running Windows 11 version 24H2 or 25H2, where the relevant cumulative update is KB5083769.
A word of caution: that same update has caused some issues with Outlook and network browsing on certain systems, so it is worth knowing what to expect. If you are on an older version of Windows, or updates have been paused for any reason, flag this with whoever looks after your IT.
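One way to confirm this on a single PC, as an added example that is not part of the original article: a PowerShell check for the KB named above, the Windows version, and whether updates are paused. The release year (taken from the CVE number), the registry value used to detect paused updates, and the reading of "KB not listed but newer updates present" as possibly superseded are assumptions.

```powershell
# Added example, not from the article: is the April fix on this PC?
param(
    [string]$KbId = 'KB5083769',            # KB named in the article (Windows 11 24H2/25H2)
    [datetime]$ReleaseDate = '2026-04-14'   # assumption: year inferred from the CVE id
)

# Windows release (e.g. 24H2) and full build number, read from the registry.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$version = $cv.DisplayVersion
$build   = "$($cv.CurrentBuild).$($cv.UBR)"

# Is the KB listed, and has anything been installed on or after release day?
$kb    = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
$since = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate })

# Paused updates (assumption: the Settings app stores the pause expiry here).
$ux = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -ErrorAction SilentlyContinue
$pausedUntil = if ($ux -and $ux.PauseUpdatesExpiryTime) { [datetime]$ux.PauseUpdatesExpiryTime } else { $null }

$status = if ($kb) {
    'Installed'
} elseif ($version -notin '24H2', '25H2') {
    "Not applicable: $KbId is for 24H2/25H2; check the April update for this version"
} elseif ($since.Count -gt 0) {
    'Not listed, but newer updates are present: may be superseded, verify by hand'
} else {
    'MISSING: no update installed since the release date'
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Version      = $version
    Build        = $build
    Kb           = $KbId
    Status       = $status
    UpdatesSince = ($since.HotFixID -join ', ')
    PausedUntil  = $pausedUntil
}
```

A later cumulative update can replace an earlier one in the installed list, which is why a missing KB alongside newer updates is reported for manual verification rather than as a failure.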
The broader point is a familiar one. Patches fix things, but they do not always fix everything in one go. It is one of the less glamorous reasons why having someone keep an eye on security advisories on your behalf is genuinely useful, not just a nice-to-have.
Worth getting sorted this week.