CVE-2025-66413
📋 TL;DR
This vulnerability in Git for Windows allows attackers to steal users' NTLM password hashes by tricking them into cloning from a malicious Git server. Since NTLM hashing is cryptographically weak, attackers can potentially brute-force the actual passwords. This affects all Windows users running vulnerable versions of Git for Windows.
💻 Affected Systems
- Git for Windows
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker obtains user's NTLM hash, successfully cracks it to reveal plaintext password, and uses it to compromise the user's Windows account and any systems/services using the same credentials.
Likely Case
Attacker obtains NTLM hash through social engineering (malicious Git repository link), potentially cracking weaker passwords to gain unauthorized access to systems.
If Mitigated
With proper network segmentation, credential hygiene, and monitoring, impact is limited to potential hash exposure without successful cracking or lateral movement.
🎯 Exploit Status
Exploitation requires social engineering to trick a user into cloning from an attacker-controlled server. No authentication is needed on the victim's side.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.53.0.windows.2
Vendor Advisory: https://github.com/git-for-windows/git/security/advisories/GHSA-hv9c-4jm9-jh3x
Restart Required: No
Instructions:
1. Download Git for Windows 2.53.0.windows.2 or later from official sources.
2. Run the installer.
3. Follow the installation prompts.
4. Verify the installation with 'git --version'.
🔧 Temporary Workarounds
Disable NTLM authentication (platform: windows)
Configure Git not to use the NTLM authentication method:
git config --global http.ntlmAuth false
Use SSH instead of HTTP/HTTPS (platform: all)
Configure Git repositories to use the SSH protocol instead of HTTP/HTTPS:
git remote set-url origin git@github.com:user/repo.git
🧯 If You Can't Patch
- Educate users to only clone from trusted Git repositories and verify repository URLs
- Implement network monitoring for unusual Git clone requests to unknown servers
🔍 How to Verify
Check if Vulnerable:
Check the Git version with 'git --version'. If the version is earlier than 2.53.0.windows.2, the system is vulnerable.
Check Version:
git --version
Verify Fix Applied:
Run 'git --version' and confirm the output shows 2.53.0.windows.2 or later.
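A worked version check for the steps above, added here as an example and not part of the original advisory or of Git for Windows itself. It parses the output of 'git --version' (Git for Windows reports strings such as 'git version 2.52.0.windows.1'; the sample strings in the block are constructed), compares the result against the patched release 2.53.0.windows.2 named on this page, and treats output without a '.windows.N' suffix as not Git for Windows rather than as vulnerable, since this advisory concerns Git for Windows builds only.

```python
import re
import subprocess

# Patched Git for Windows release named in the advisory: 2.53.0.windows.2
PATCHED = (2, 53, 0, 2)

# Git for Windows reports e.g. "git version 2.52.0.windows.1"; upstream Git on
# other platforms reports e.g. "git version 2.52.0" with no Windows build number.
_VERSION_RE = re.compile(r"^git version (\d+)\.(\d+)\.(\d+)(?:\.windows\.(\d+))?")


def parse_git_version(output):
    """Return (major, minor, patch, windows_build) from 'git --version' output.

    windows_build is None when the string carries no '.windows.N' suffix;
    the whole result is None when the string is not a git version line.
    """
    m = _VERSION_RE.match(output.strip())
    if not m:
        return None
    major, minor, patch, win = m.groups()
    return (int(major), int(minor), int(patch),
            int(win) if win is not None else None)


def is_vulnerable(output, patched=PATCHED):
    """True if the reported Git for Windows version is earlier than the patched release.

    Returns None when the output cannot be parsed or is not a Git for Windows
    build (the advisory does not cover non-Windows Git).
    """
    v = parse_git_version(output)
    if v is None or v[3] is None:
        return None
    # Tuple comparison orders by major, minor, patch, then Windows build number.
    return v < patched


def check_installed_git():
    """Run the real 'git --version' on this machine and classify it.

    Returns True/False/None exactly as is_vulnerable does, or None when git
    cannot be executed at all.
    """
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample strings first, then whatever git is installed locally.
    for s in ("git version 2.52.0.windows.1", "git version 2.53.0.windows.2",
              "git version 2.53.0"):
        print(f"{s!r}: vulnerable={is_vulnerable(s)}")
    print("installed git: vulnerable =", check_installed_git())
```

Run it on each Windows workstation (for example from an endpoint-management job) and treat a True result as unpatched; None means the machine has no Git for Windows to assess.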
📡 Detection & Monitoring
Log Indicators:
- Git clone operations to unfamiliar or suspicious domains
- Failed authentication attempts following Git operations
Network Indicators:
- HTTP Git traffic to non-standard ports or unknown servers
- NTLM authentication requests from Git clients
SIEM Query:
source="git.log" AND (event="clone" OR event="pull") AND dest_ip NOT IN [trusted_git_servers]
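The indicators and SIEM query above expressed as detection logic over sample log lines, added here as an example and not taken from the advisory or from any SIEM product. The key=value log format, the field names (host, user, event, url, auth), the trusted-server list and the log lines themselves are all constructed for this example; the allowlist plays the role of the [trusted_git_servers] lookup in the query, and the 203.0.113.x addresses are documentation-range placeholders.

```python
from urllib.parse import urlsplit

# Stand-in for the [trusted_git_servers] lookup in the SIEM query (constructed).
TRUSTED_GIT_SERVERS = {"github.com", "git.example.internal"}

# Ports where HTTP(S) Git traffic is expected; anything else counts as non-standard.
STANDARD_HTTP_PORTS = {80, 443}

# Events the page's query matches on.
EVENTS_OF_INTEREST = {"clone", "pull"}

# Constructed sample log lines in an assumed key=value format (first token is the timestamp).
SAMPLE_LOG = """\
2025-12-01T10:00:00Z host=ws01 user=alice event=clone url=https://git.example.internal/app.git
2025-12-01T10:05:00Z host=ws01 user=alice event=clone url=http://203.0.113.7:8080/tools.git auth=ntlm
2025-12-01T10:06:00Z host=ws02 user=bob event=pull url=https://github.com/org/repo.git
2025-12-01T10:07:00Z host=ws03 user=carol event=push url=http://203.0.113.9/repo.git
2025-12-01T10:08:00Z host=ws04 user=dave event=clone url=ssh://git@git.example.internal/app.git
"""


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus the timestamp."""
    parts = line.split()
    rec = {"ts": parts[0]}
    for tok in parts[1:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def analyse(line):
    """Return a finding dict for a suspicious clone/pull, or None when the line is benign."""
    rec = parse_line(line)
    if rec.get("event") not in EVENTS_OF_INTEREST:
        return None
    url = urlsplit(rec.get("url", ""))
    if url.scheme not in ("http", "https"):
        # SSH remotes (the page's recommended workaround) involve no HTTP authentication.
        return None

    reasons = []
    if url.hostname not in TRUSTED_GIT_SERVERS:
        reasons.append("untrusted server")
    port = url.port or (443 if url.scheme == "https" else 80)
    if port not in STANDARD_HTTP_PORTS:
        reasons.append(f"non-standard port {port}")
    if rec.get("auth", "").lower() == "ntlm":
        reasons.append("NTLM authentication from Git client")
    if not reasons:
        return None
    return {"ts": rec["ts"], "host": rec.get("host"), "user": rec.get("user"),
            "server": url.hostname, "reasons": reasons}


def find_suspicious(log_text):
    """Run analyse() over every non-empty line and collect the findings."""
    return [f for f in (analyse(l) for l in log_text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding["ts"], finding["host"], finding["user"],
              "->", finding["server"], "|", "; ".join(finding["reasons"]))
```

Only the second sample line is reported: its server is outside the allowlist, it uses port 8080, and the client authenticated with NTLM, which together match all three indicators the page lists. A push to an unknown server and an SSH clone are deliberately left unflagged so the example shows where the query's scope ends.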