CVE-2026-20925

6.5 MEDIUM

📋 TL;DR

A spoofing vulnerability in the Windows NTLM implementation. An attacker who can control a file name or path that a Windows system uses during NTLM authentication can steer that authentication and impersonate a legitimate user or service on the network. Any Windows system that still performs NTLM authentication is in scope; the exact affected builds are listed in the Microsoft advisory.

💻 Affected Systems

Products:
  • Windows NTLM implementation
Versions: See the Microsoft advisory for the affected builds
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems that perform NTLM authentication; the page does not report Kerberos-only authentication as affected. Check the Microsoft advisory for exact version details.

📦 What is this software?

NTLM (NT LAN Manager) is Microsoft's legacy challenge-response authentication protocol family (LM, NTLMv1, NTLMv2). It ships in every Windows version and is used by SMB, HTTP, RPC, LDAP and other services. In Active Directory domains Kerberos is the default and NTLM is the fallback, for example when a client connects by IP address, reaches a non-domain-joined host, or finds no service principal name for the target. An NTLM exchange is not bound to the server the client meant to reach unless signing or channel binding is enforced, so anything that steers a client into authenticating against an attacker-chosen target, here a controlled file name or path, is a spoofing and relay risk.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete network compromise through credential theft, lateral movement across the network, and domain controller impersonation.

🟠

Likely Case

Unauthorized access to network resources, data exfiltration, and privilege escalation within the network.

🟢

If Mitigated

Limited to isolated network segments with proper segmentation and monitoring in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

Requires network access and ability to manipulate NTLM authentication flows.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB number

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20925

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify the installation in Windows Update history (or with Get-HotFix) and confirm the build number matches the fixed build in the advisory.

🔧 Temporary Workarounds

Restrict NTLM authentication (windows)

Move to Kerberos wherever possible and restrict NTLM. Audit before you block: enable the audit policies first, review the Microsoft-Windows-NTLM/Operational log (events 8001–8004) for legitimate NTLM use, then switch to deny with an exception list for the servers that still need it.

Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options:
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (Audit all, then Deny all)
  • Network security: Restrict NTLM: Incoming NTLM traffic
  • Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
  • Network security: LAN Manager authentication level (Send NTLMv2 response only. Refuse LM & NTLM)

Implement network segmentation (all)

Isolate the systems that still require NTLM so that only the clients that need them can reach SMB (445) and NetBIOS (137–139) on those hosts.
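The audit-then-block sequence above, as an added PowerShell example that is not part of the original page or of Microsoft's own tooling. It writes the same registry values the "Restrict NTLM" Group Policy settings write (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 and \Lsa), so it is for standalone hosts or for testing; on GPO-managed hosts the next policy refresh overwrites local changes. The function names and the server name in the final comment are hypothetical.

```powershell
# Added example (not from the page or Microsoft): put NTLM into audit mode
# first, then deny it with an allow-list. Run in an elevated PowerShell.
# Value meanings follow Microsoft's documentation for the Restrict NTLM policies:
#   RestrictSendingNTLMTraffic   0 = allow, 1 = audit all, 2 = deny all
#   RestrictReceivingNTLMTraffic 0 = allow, 1 = deny domain accounts, 2 = deny all
#   AuditReceivingNTLMTraffic    0 = off, 1 = domain accounts, 2 = all accounts
#   LmCompatibilityLevel         5 = send NTLMv2 only, refuse LM and NTLMv1

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NtlmRestrictionState {
    # Report the current values; a missing value means "not configured".
    $names = 'RestrictSendingNTLMTraffic', 'RestrictReceivingNTLMTraffic',
             'AuditReceivingNTLMTraffic', 'ClientAllowedNTLMServers'
    $state = [ordered]@{}
    foreach ($n in $names) {
        $state[$n] = (Get-ItemProperty -Path $Msv1 -Name $n -ErrorAction SilentlyContinue).$n
    }
    $state['LmCompatibilityLevel'] =
        (Get-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    [pscustomobject]$state
}

function Enable-NtlmAudit {
    # Step 1: audit only. Events 8001 (outgoing NTLM from this host) and
    # 8002 (incoming NTLM to this host) start appearing in
    # Microsoft-Windows-NTLM/Operational; nothing is blocked yet.
    Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    Set-ItemProperty -Path $Msv1 -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
    Set-ItemProperty -Path $Lsa  -Name LmCompatibilityLevel       -Value 5 -Type DWord
}

function Get-NtlmAuditEvents {
    # Summarise what audit mode has seen, so the allow-list is built from
    # observed use rather than guesses. The log may not exist before auditing
    # is enabled, hence SilentlyContinue.
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Group-Object Id | Select-Object Name, Count
}

function Block-NtlmTraffic {
    # Step 2: deny, keeping an allow-list of servers that still need NTLM.
    # The list is a MULTI_SZ and accepts "*" wildcards such as *.legacy.example.
    param([string[]]$AllowedServers = @())
    Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic   -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv1 -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $Msv1 -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

Get-NtlmRestrictionState
Enable-NtlmAudit
# After several days of auditing, review Get-NtlmAuditEvents and only then, e.g.:
# Block-NtlmTraffic -AllowedServers 'legacy-nas.corp.example'
```

Run the audit step on a representative set of hosts for at least one full business cycle before denying; the NTLM operational log is the only reliable inventory of which servers and clients still fall back to NTLM.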

🧯 If You Can't Patch

  • Monitor NTLM authentication closely: Security events 4624/4625 with Authentication Package NTLM, 4776 on domain controllers, and 8001–8004 in Microsoft-Windows-NTLM/Operational once auditing is on
  • Require SMB signing and LDAP signing with channel binding, and enable Extended Protection for Authentication on HTTP endpoints that accept NTLM; this is general NTLM hardening rather than a fix for this CVE, but it limits what a spoofed or relayed NTLM authentication can be used for
  • Enforce multi-factor authentication for privileged accounts at the services an attacker would pivot to (VPN, admin portals); NTLM itself carries no second factor, so this limits blast radius rather than preventing the spoof

🔍 How to Verify

Check if Vulnerable:

Compare the OS build, including the UBR revision, with the fixed build listed in the Microsoft advisory; a build below it is vulnerable.

Check Version:

Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

(wmic os get caption,version,buildnumber still works where wmic is present, but wmic is deprecated and no longer installed by default on recent Windows 11 builds.)

Verify Fix Applied:

Confirm Windows Update history or Get-HotFix -Id <KB from the advisory> lists the update, or that the build number is at or above the fixed build; a later cumulative update supersedes the KB without listing it, so the build number is the reliable check.
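The version and patch check above, as an added PowerShell example that is not from the page or from Microsoft. The KB identifier and fixed build number are placeholders: the page does not state them, so take both from the MSRC advisory before running this. The function names are hypothetical.

```powershell
# Added example (not from the page): report the full OS build and whether the
# advisory's update is present. $Kb and $FixedBuild are placeholders; replace
# them with the values from the Microsoft advisory for CVE-2026-20925.
param(
    [string]$Kb = 'KB0000000',         # placeholder, not a real KB
    [version]$FixedBuild = '10.0.0.0'  # placeholder, e.g. 10.0.26100.1234 from the advisory
)

function Get-WindowsBuild {
    # Get-CimInstance replaces the deprecated wmic. Win32_OperatingSystem.Version
    # stops at the major build (e.g. 10.0.26100); the UBR registry value adds the
    # revision that distinguishes a patched build from an unpatched one.
    $os = Get-CimInstance Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Caption = $os.Caption
        Build   = [version]"$($os.Version).$($cv.UBR)"
    }
}

function Test-UpdateInstalled {
    param([string]$Id, [version]$MinimumBuild)
    $build  = Get-WindowsBuild
    $hotfix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Caption        = $build.Caption
        Build          = $build.Build
        KbListed       = [bool]$hotfix
        BuildAtOrAbove = ($build.Build -ge $MinimumBuild)
        # Cumulative updates supersede each other: a newer LCU that rolls up this
        # fix shows a higher build but not the original KB, so either signal
        # counts as patched.
        Patched        = ([bool]$hotfix -or $build.Build -ge $MinimumBuild)
    }
}

Test-UpdateInstalled -Id $Kb -MinimumBuild $FixedBuild
```

With the placeholders left in place the script reports the host's build and always evaluates Patched as true against 10.0.0.0, so fill in the advisory values before trusting the result.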

📡 Detection & Monitoring

Log Indicators:

  • Security events 4624/4625 with Authentication Package = NTLM, especially network (logon type 3) logons on hosts that normally see only Kerberos, or where the Workstation Name does not correspond to the source address
  • Event 4776 on domain controllers (NTLM credential validation), grouped by workstation and account
  • Events 8001–8004 in Microsoft-Windows-NTLM/Operational once NTLM auditing is enabled
  • Failed authentication attempts from unexpected sources

Network Indicators:

  • NTLM authentication over SMB, HTTP or LDAP toward hosts that are not normal targets for the client, or from clients that should only use Kerberos
  • Name-resolution responses (LLMNR, NBT-NS, mDNS) from hosts that are not name servers, the usual way a client is steered toward an attacker-controlled path

SIEM Query:

(Splunk SPL; index and source names depend on your ingestion. 4624/4625 carry the Authentication Package field, 4648 does not, so it is dropped here; add 4776 with Workstation for domain controllers.)

index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) Authentication_Package="NTLM"
| stats count, dc(Account_Name) AS accounts, values(Logon_Type) AS logon_types BY host, Source_Network_Address, Workstation_Name
| sort -count
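The same grouping done locally against Security-log XML, as an added PowerShell example that is not from the page. It parses 4624/4625 events, keeps the NTLM ones, and applies two rules: NTLM network logons landing on hosts that should only see Kerberos, and failure bursts per source address. The three sample events are constructed here so the script runs offline; the host names, users and addresses in them are invented, and the function names are hypothetical. Get-NtlmLogons is the live replacement for the sample.

```powershell
# Added example (not from the page): NTLM logon parsing and two anomaly rules.

function ConvertFrom-LogonEventXml {
    # Flatten the <EventData><Data Name="..."> pairs of a 4624/4625 event XML.
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $ev = ([xml]$Xml).Event
        $id = $ev.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
        $d = @{}
        foreach ($item in $ev.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.'#text' }
        [pscustomobject]@{
            Time        = [datetime]$ev.System.TimeCreated.SystemTime
            Id          = [int]$id
            Computer    = $ev.System.Computer
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = [int]$d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

function Get-NtlmLogons {
    # Live version: NTLM 4624/4625 from the local Security log (needs admin).
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml |
        Where-Object AuthPackage -eq 'NTLM'
}

function Find-NtlmAnomalies {
    param(
        [object[]]$Events,
        [string[]]$KerberosOnlyHosts = @(),  # hosts where any NTLM logon is suspect
        [int]$FailureThreshold = 5           # 4625s per source before alerting
    )
    $ntlm = $Events | Where-Object AuthPackage -eq 'NTLM'

    # Rule 1: NTLM network logons (type 3) on hosts that should only see Kerberos.
    $ntlm | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 -and
                           $KerberosOnlyHosts -contains $_.Computer } |
        ForEach-Object { [pscustomobject]@{ Rule = 'ntlm-on-kerberos-only-host'
                                            Source = $_.SourceIp
                                            Detail = "$($_.User) -> $($_.Computer)" } }

    # Rule 2: failure bursts per source address (the stats-by-source of the SIEM query).
    $ntlm | Where-Object Id -eq 4625 | Group-Object SourceIp |
        Where-Object Count -ge $FailureThreshold |
        ForEach-Object { [pscustomobject]@{ Rule = 'ntlm-failure-burst'
                                            Source = $_.Name
                                            Detail = "$($_.Count) failures" } }
}

# Constructed sample events (invented hosts, users and addresses).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-SampleEvent([int]$Id, [string]$Computer, [string]$Ip, [string]$User, [int]$Type) {
    @"
<Event xmlns="$ns"><System><EventID>$Id</EventID><TimeCreated SystemTime="2026-01-14T09:12:33.000Z"/><Computer>$Computer</Computer></System>
<EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">$Type</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">WS-UNKNOWN</Data><Data Name="IpAddress">$Ip</Data></EventData></Event>
"@
}
$sample = @(New-SampleEvent 4624 'DC01.corp.example' '10.0.5.77' 'svc-backup' 3) +
          (1..6 | ForEach-Object { New-SampleEvent 4625 'FS01.corp.example' '10.0.9.12' 'jdoe' 3 })

$parsed = $sample | ConvertFrom-LogonEventXml
Find-NtlmAnomalies -Events $parsed -KerberosOnlyHosts 'DC01.corp.example' | Format-Table -AutoSize
```

On the constructed sample both rules fire: one NTLM logon on the Kerberos-only DC and six NTLM failures from 10.0.9.12. For live use replace $parsed with the output of Get-NtlmLogons and feed the DC and Kerberos-only server names into -KerberosOnlyHosts.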

🔗 References

  • Microsoft Security Response Center advisory for CVE-2026-20925: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20925