Your Windows PC Just Got Weaponised by Russian Intelligence. What Are You Doing About It?


A zero-click Windows vulnerability is being actively weaponised by Russian military intelligence. Five router flaws scored 9.8 overnight with public exploits already circulating. This is the threat picture for UK small businesses on 29 April 2026.

Two stories. Both require action before the end of the week.

Story One: APT28 Is Inside Windows Without a Click

CVE-2026-32202 is a Windows Shell security feature bypass. It stems from an incomplete patch for a previous vulnerability. The exploit chain allows authentication coercion without any user interaction: no phishing email to avoid, no malicious attachment to decline, no suspicious link to ignore.

The group exploiting it is APT28. That name may not mean much in isolation, so here is the context: APT28 is GRU Unit 26165, Russian military intelligence. They were responsible for the 2016 breach of Democratic National Committee infrastructure. They were involved in the NotPetya campaign that caused an estimated $10 billion in global damages. They are not opportunistic criminals looking for easy targets. They are a state-sponsored offensive unit with specific objectives.

Defender SmartScreen, the Windows feature that normally provides a warning layer when executing potentially dangerous files, is bypassed by this vulnerability. The protection you thought you had is not functioning as expected.

Microsoft’s April 2026 Patch Tuesday addressed this. The relevant updates are KB5083769 for Windows 11 versions 25H2 and 24H2, and KB5083768 for Windows 11 version 26H1. If those updates have not been applied to your machines, the exposure is live and actively exploited.

There is a secondary complication. Microsoft has also confirmed that the April update introduced a rendering bug in Remote Desktop Protocol (RDP) security warning dialogs. The warnings may display incorrectly on certain system configurations. This matters because staff connecting remotely may not see accurate security prompts. The update still needs to be applied. The RDP display issue is a known bug with a fix in progress, not a reason to delay patching.

Story Two: Five Router Vulnerabilities Scored 9.8 Overnight

Separately from the Windows issue, five critical vulnerabilities were published against the Totolink A8000RU router on 28 April 2026. All five carry a CVSS score of 9.8, the near-maximum severity rating. A sixth vulnerability, CVE-2026-7248, affects the D-Link DI-8100.

All six allow remote OS command injection. In plain terms: an attacker with network access to the device can execute arbitrary commands on it without needing to be physically present. All six exploits have been publicly disclosed and are available for use right now.

The Totolink A8000RU is a consumer-grade router that has found its way into small business environments and home offices. The D-Link DI-8100 is an older business-grade device. Both are the kind of hardware that gets purchased, configured once, and forgotten.

The vulnerability surface here is the CGI handler, the component that processes web-based configuration requests. The affected functions include VPN account configuration, WiFi settings, OpenVPN client configuration, and guest network settings. These are not obscure internal functions. They are the standard management interface.

For a business whose staff work remotely through a compromised router, the implications are significant. Traffic can be intercepted. Credentials captured in transit can be replayed. Internal network access can be established.

What the Combination Means

Taken individually, each of these stories is a serious concern. Taken together, they describe a scenario that threat intelligence teams spend considerable time modelling: unpatched Windows endpoints operating behind compromised network infrastructure.

APT28 does not restrict its operations to government or enterprise targets. Supply chain compromise is a documented tactic. A small accountancy firm, a solicitors’ practice, or a healthcare supplier that connects to larger organisations is a viable entry point. The value is not in the small business itself; the value is in the access it provides.

The router vulnerabilities are less likely to be APT28 tradecraft and more likely to attract opportunistic criminal groups. The result at the endpoint level is similar: a network that cannot be trusted.

Why This Gives You an Edge

Organisations that patch promptly and audit their network hardware regularly operate in a materially different risk profile from those that do not. That is not a marketing claim; it is what the data consistently shows.

If you can demonstrate to a prospective client or partner that your systems are current, that your network hardware is not running firmware from 2020, and that you have a documented process for responding to threat intelligence, you are differentiating yourself from the majority of businesses your size.

Cyber Essentials certification requires that software is updated with security patches within 14 days of release. The April Patch Tuesday updates are already approaching that threshold. Compliance with CE+ is not a substitute for genuine security posture, but in this instance the requirement aligns with the correct action.

Making the Business Case

Three points for a board or budget conversation:

The threat actor is named and documented. APT28 is not an abstract concept. It is a specific unit of Russian military intelligence with a public record of high-impact operations. This is not vendor fear-mongering; it is attributable, evidenced threat activity.

The router vulnerabilities have public exploits. CVSS 9.8 with publicly disclosed exploits means that automated scanning tools will find and attempt to exploit these devices without any human decision-making on the attacker’s side. The window between disclosure and exploitation is measured in hours, not weeks.

Unpatched systems create liability. Under UK GDPR, organisations are required to implement appropriate technical measures to protect personal data. Operating knowingly unpatched systems following a public critical disclosure is a difficult position to defend before the ICO if a breach follows.

What to Do Before Friday

  1. Verify April Patch Tuesday is applied. On Windows 11 machines, check Settings, Windows Update, Update History. Confirm KB5083769 or KB5083768 appears. If your MSP manages patching, ask them to confirm in writing that it has been deployed to all endpoints. Not “scheduled”. Applied.

  2. Identify your router hardware. Check the model of every router in your office environment and any remote workers using business-provided equipment. If you find a Totolink A8000RU or D-Link DI-8100, isolate it from business-critical traffic immediately and arrange replacement. These devices have no available patch.

  3. Check your home office hardware. Staff connecting to business systems from home are doing so through domestic routers that may never have received a firmware update. A compromised home router is a direct path to your business network. Establish a minimum standard and enforce it.

  4. Review RDP exposure. The April update introduced a display issue with RDP security warnings. While this does not create a new vulnerability, it reduces the reliability of a warning mechanism your staff may depend on. Review who has RDP access and whether it is exposed to the internet directly. If it is, that requires urgent attention regardless of this specific bug.

  5. Ask your MSP for a current asset list. If you cannot answer items one and two above because you do not know what hardware and software your business is running, that is the first problem to solve. An MSP that cannot provide an up-to-date asset inventory within 24 hours of being asked is not providing a managed service; they are providing a support contract with an asset blind spot.
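For items one and four of the list, here is an added read-only check that can be run in an elevated PowerShell session on each Windows 11 endpoint. It is example code written for this page, not a script from the original article or from Microsoft. Only the two KB numbers come from the article; the cmdlets and registry values are standard Windows ones, and the assumption that the cumulative update shows up in Get-HotFix (which reads Win32_QuickFixEngineering) is mine, so an empty result should be confirmed against Settings, Windows Update, Update History as the article describes.

```powershell
# Added example, not part of the original article. Read-only: it changes nothing.
# Run as Administrator on each Windows 11 endpoint.

# --- Item 1: is one of the April 2026 Patch Tuesday updates installed? ---
# KB numbers are from the article (KB5083769: 25H2/24H2, KB5083768: 26H1).
$RequiredKBs = @('KB5083769', 'KB5083768')

function Test-AprilPatch {
    $displayVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
    # Assumption: the LCU appears in Win32_QuickFixEngineering. If this comes back empty,
    # confirm manually in Settings > Windows Update > Update history before concluding.
    $installed = Get-HotFix | Where-Object { $RequiredKBs -contains $_.HotFixID }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WindowsVersion = $displayVersion
        Patched        = [bool]$installed
        InstalledKB    = ($installed.HotFixID -join ', ')
        InstalledOn    = ($installed.InstalledOn -join ', ')
    }
}

# --- Item 4: how exposed is RDP on this machine? ---
function Get-RdpExposure {
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # Network Level Authentication: 1 means the client must authenticate before a session is created.
    $nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication

    # Is anything listening on 3389, and on which addresses? 0.0.0.0 / :: means every interface.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
    $allInterfaces = [bool]($listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') })

    # Enabled inbound firewall rules in the Remote Desktop group, and the profiles they apply to.
    # A rule active on the Public profile is the one to question first.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    $publicAllowed = [bool]($rules | Where-Object { $_.Profile -match 'Public|Any' })

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        RdpEnabled           = $rdpEnabled
        NlaRequired          = ($nla -eq 1)
        ListeningOn          = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
        ListensAllInterfaces = $allInterfaces
        FirewallAllowsPublic = $publicAllowed
    }
}

$patch = Test-AprilPatch
$rdp   = Get-RdpExposure

$patch | Format-List
$rdp   | Format-List

# Plain-English summary for the person collecting results from the MSP.
if (-not $patch.Patched) {
    Write-Warning "$($patch.Computer): April 2026 update NOT found. Treat as exposed to CVE-2026-32202 until confirmed."
}
if ($rdp.RdpEnabled -and $rdp.FirewallAllowsPublic) {
    Write-Warning "$($rdp.Computer): RDP is enabled and the firewall allows it on the Public profile. Check the router for port-forwards to 3389."
}
if ($rdp.RdpEnabled -and -not $rdp.NlaRequired) {
    Write-Warning "$($rdp.Computer): RDP is enabled without Network Level Authentication."
}
```

Whether RDP is actually reachable from the internet cannot be decided from the endpoint alone; this script tells you whether the machine is listening and what its own firewall permits, and the router's port-forwarding or NAT rules (item two) decide the rest. The article's RDP warning-dialog bug is a display problem, so nothing here tests for it; the point of the check is to know where a misleading prompt would matter.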

Sources

  • Cyber Security News: New Windows 0-Click Vulnerability Exploited to Bypass Defender SmartScreen
  • Cyber Security News: Microsoft Confirms Remote Desktop Warnings May Display Incorrectly After April Update
  • NIST NVD: CVE-2026-7240: Totolink A8000RU OS Command Injection via setVpnAccountCfg
  • NIST NVD: CVE-2026-7248: D-Link DI-8100 Buffer Overflow via tgfile_htm CGI Endpoint
  • NIST NVD: CVE-2026-32202: Windows Shell Security Feature Bypass Zero-Click Vulnerability
  • NCSC: Mitigating malware and ransomware attacks
  • NCSC: Cyber Essentials: Requirements for IT Infrastructure
  • ICO: Security (GDPR guidance)

Filed under

  • smb-security
  • uk-business
  • nation-state-attacks
  • remote-access
  • business-risk
  • incident-response
  • vendor-risk