CVE-2026-21249

Q: What is the severity of CVE-2026-21249?

CVE-2026-21249 has a CVSS score of 3.3 (LOW). This vulnerability allows an unauthorized local attacker to manipulate file paths in Windows NTLM authentication, potentially enabling spoofing attacks. It affects Windows systems with NTLM enabled, primarily impacting environments where local access is possible. The low CVSS score indicates limited impact scope.

3.3 LOW

📋 TL;DR

This vulnerability allows an unauthorized local attacker to manipulate file paths in Windows NTLM authentication, potentially enabling spoofing attacks. It affects Windows systems with NTLM enabled, primarily impacting environments where local access is possible. The low CVSS score indicates limited impact scope.

💻 Affected Systems

Products:

Windows NTLM

Versions: Specific versions not detailed in reference; check Microsoft advisory for exact ranges

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with NTLM authentication enabled are vulnerable. NTLM may be disabled in some environments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation or credential spoofing leading to unauthorized access to sensitive resources within the same system.

🟠

Likely Case

Limited local spoofing allowing an attacker to impersonate other users or services within the same machine context.

🟢

If Mitigated

Minimal impact with proper access controls and monitoring in place.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable from internet.

🏢 Internal Only: MEDIUM - Local attackers or compromised accounts could exploit this within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and knowledge of NTLM file path manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB number

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21249

Restart Required: No

Instructions:

1. Apply latest Windows security updates from Microsoft. 2. Verify update installation via Windows Update history. 3. No restart typically required for NTLM-related patches.

🔧 Temporary Workarounds

Disable NTLM authentication

Windows

Replace NTLM with Kerberos or other more secure authentication protocols where possible.

Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM

🧯 If You Can't Patch

Implement strict local access controls and monitor for suspicious file path manipulation attempts.
Use application allowlisting to prevent unauthorized local execution that could exploit this vulnerability.

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for missing security patches related to CVE-2026-21249.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify patch installation via 'wmic qfe list' or PowerShell 'Get-HotFix' commands looking for the relevant KB.

📡 Detection & Monitoring

Log Indicators:

Windows Security Event Logs: Event ID 4625 (failed logon) with NTLM, unusual file path access in NTLM contexts

Network Indicators:

NTLM authentication attempts with abnormal file paths in SMB or other protocols

SIEM Query:

source="Windows Security" EventCode=4625 AuthenticationPackage="NTLM" | search *path* OR *file*

📊 Metadata

CVE ID: CVE-2026-21249

CVSS v3 Score: 3.3 (LOW)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE: CWE-73

EPSS Score: 0.04% exploit probability (10.5th percentile)

Published: February 10, 2026

Last Updated: February 11, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21249 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows 11 25h2 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable NTLM authentication

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities