CVE-2026-20872

6.5 MEDIUM

📋 TL;DR

This vulnerability allows an attacker to manipulate file paths in Windows NTLM authentication, enabling network spoofing attacks. Attackers could impersonate legitimate users or systems by controlling file names or paths during NTLM exchanges. This affects systems using Windows NTLM authentication, particularly in enterprise environments.

💻 Affected Systems

Products:
  • Windows NTLM implementation
Versions: Specific versions not yet detailed in advisory; likely affects multiple Windows versions with NTLM enabled
Operating Systems: Windows Server, Windows Client versions with NTLM enabled
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with NTLM authentication enabled are vulnerable. Kerberos-only configurations may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete network compromise through credential theft, lateral movement across the domain, and privilege escalation to domain administrator.

🟠 Likely Case: Unauthorized access to network resources, data exfiltration, and limited lateral movement within the same network segment.

🟢 If Mitigated: Isolated authentication failures or blocked connection attempts with proper network segmentation and monitoring.

🌐 Internet-Facing: MEDIUM - Requires network access to NTLM endpoints, but many internet-facing systems use modern authentication protocols.
🏢 Internal Only: HIGH - NTLM is commonly used internally, and attackers with network access can exploit this for lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to NTLM endpoints and ability to manipulate authentication flows.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20872

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft Update.
2. Restart affected systems.
3. Verify NTLM-related services are updated.

🔧 Temporary Workarounds

Disable NTLM authentication (platform: windows)
  • Replace NTLM with Kerberos authentication where possible.
  • Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM

Implement network segmentation (platform: all)
  • Isolate systems using NTLM from untrusted networks.
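Before turning the Restrict NTLM policies to "Deny", it helps to know what still depends on NTLM. The script below is an added example, not part of this advisory: it reports the current state of the Restrict NTLM policies from their documented registry backing values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, and summarises recent NTLM audit events (IDs 8001-8004) from the built-in Microsoft-Windows-NTLM/Operational log. The 24-hour window is an assumed default; the operational log only fills once the audit policies are enabled.

```powershell
# Added example, not part of the advisory: report the state of the
# "Network security: Restrict NTLM" policies and summarise recent NTLM
# audit events, so NTLM dependencies are known before NTLM is disabled.
# Registry value names are the documented backing values of those Group
# Policy settings; event IDs are those of the Microsoft-Windows-NTLM/Operational
# log, which is only populated once auditing is switched on.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Policy value -> meaning, as shown in the Group Policy editor.
$ntlmPolicies = @{
    'AuditReceivingNTLMTraffic'    = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }
    'RestrictReceivingNTLMTraffic' = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
    'RestrictSendingNTLMTraffic'   = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
}

function Get-NtlmPolicyState {
    foreach ($name in $ntlmPolicies.Keys) {
        # Missing value means the policy is "Not configured" (NTLM allowed, no audit).
        $value = (Get-ItemProperty -Path $lsaPath -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy  = $name
            Value   = $(if ($null -eq $value) { 'not set' } else { $value })
            Meaning = $(if ($null -eq $value) { 'Not configured (NTLM allowed, no audit)' }
                        else { $ntlmPolicies[$name][[int]$value] })
        }
    }
}

function Get-NtlmAuditSummary {
    param([int]$Hours = 24)   # assumed default window
    # 8001: outgoing NTLM (client side), 8002: incoming NTLM (server side),
    # 8003/8004: NTLM authentication seen by a domain controller.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Get-NtlmPolicyState   | Format-Table -AutoSize
Get-NtlmAuditSummary -Hours 24 | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server being assessed. A non-empty 8002 count means clients are still authenticating to this host with NTLM, so setting RestrictReceivingNTLMTraffic to "Deny all accounts" will break them until they are moved to Kerberos; the usual sequence is Audit first, review the operational log, then Deny.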

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NTLM traffic
  • Deploy network monitoring and IDS/IPS rules to detect NTLM manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check if systems are using NTLM authentication and have not applied the security update

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains the relevant security update and NTLM services are running patched versions

📡 Detection & Monitoring

Log Indicators:

  • Unusual NTLM authentication patterns
  • Failed authentication attempts with manipulated paths
  • Security event ID 4625 with NTLM

Network Indicators:

  • Abnormal NTLM traffic patterns
  • Suspicious file path references in authentication packets

SIEM Query:

source="windows-security" event_id=4625 authentication_package="NTLM" | search suspicious_path_patterns
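For hosts without a SIEM, the same indicator can be pulled from the local Security log. The script below is an added example, not part of this advisory: it reads event 4625 entries whose AuthenticationPackageName is NTLM and ranks source addresses by failure count and by the number of distinct accounts tried. Field names are the standard EventData fields of event 4625; the 24-hour window and the threshold of 10 are assumed tuning values. Event 4625 carries no file-path fields, so the "manipulated paths" the advisory mentions cannot be read from it; what this surfaces is the failure pattern for triage.

```powershell
# Added example, not part of the advisory: collect Security event 4625
# entries for NTLM and rank them by source address so unusual NTLM
# failure patterns can be triaged. Field names are the standard 4625
# EventData fields; the time window and threshold are assumed values.

function Get-NtlmLogonFailures {
    param([int]$Hours = 24)   # assumed default window
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($node in ([xml]$event.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }
        [pscustomobject]@{
            Time        = $event.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            LogonType   = $data['LogonType']   # 3 = network logon, the usual NTLM case
            Status      = $data['Status']
            SubStatus   = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }
}

function Get-NtlmFailureHotspots {
    param([int]$Hours = 24, [int]$Threshold = 10)   # assumed tuning values
    # Sources with many NTLM failures in the window deserve a closer look;
    # the distinct-account count separates one noisy host from a spraying attempt.
    Get-NtlmLogonFailures -Hours $Hours |
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp     = $_.Name
                Failures     = $_.Count
                Accounts     = @($_.Group.Account | Sort-Object -Unique).Count
                Workstations = (@($_.Group.Workstation | Sort-Object -Unique) -join ',')
            }
        } |
        Sort-Object Failures -Descending
}

Get-NtlmFailureHotspots -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Reading the Security log requires an elevated session. A single source with many failures across many distinct accounts is the pattern worth escalating; a source hammering one account is more often a stale credential on a service or scheduled task, which is also worth fixing before NTLM is restricted.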
