CVE-2025-66413 Overview
CVE-2025-66413 is an information disclosure vulnerability in Git for Windows, the Windows port of the popular Git version control system. This vulnerability allows attackers to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing relies on a weak cryptographic algorithm, attackers can subsequently perform offline brute-force attacks to recover the user's account name and password, potentially leading to account compromise and unauthorized access to corporate networks and resources.
Critical Impact
Attackers can steal Windows NTLM credentials when users clone from malicious Git repositories, enabling offline password cracking and potential domain compromise.
Affected Products
- Git for Windows versions prior to 2.53.0(2)
Discovery Timeline
- 2026-03-10 - CVE CVE-2025-66413 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2025-66413
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in how Git for Windows handles authentication when communicating with remote servers. When a user attempts to clone a repository from a malicious server, the attacker can manipulate the authentication process to coerce the Windows client into sending NTLM authentication credentials.
The network-based attack vector requires user interaction—specifically, the victim must be tricked into cloning from an attacker-controlled repository. The vulnerability has a changed scope, meaning that while the vulnerable component is Git for Windows, the impact extends to Windows domain credentials and potentially other systems where those credentials are reused.
Root Cause
The root cause lies in improper handling of authentication challenges during Git operations. When Git for Windows connects to a remote server that requests NTLM authentication, the client may automatically respond with NTLM credentials without proper validation of the server's legitimacy. This behavior allows malicious servers to capture NTLM hashes during the authentication handshake.
Attack Vector
The attack exploits the NTLM authentication protocol's inherent weaknesses combined with Git for Windows' default authentication behavior:
- An attacker sets up a malicious Git server configured to request NTLM authentication
- The attacker distributes a link to the malicious repository (via phishing, social engineering, or compromised documentation)
- When a victim executes git clone against the malicious server, their Windows client automatically attempts NTLM authentication
- The malicious server captures the NTLMv2 hash from the authentication attempt
- The attacker performs offline brute-force or dictionary attacks against the captured hash
- Upon successful cracking, the attacker obtains the victim's Windows credentials
Since NTLM is a relatively weak authentication protocol, modern password-cracking tools can efficiently recover passwords, especially those that are not sufficiently complex.
Detection Methods for CVE-2025-66413
Indicators of Compromise
- Unusual outbound connections from git.exe to unknown or suspicious external servers
- NTLM authentication attempts logged to unfamiliar or untrusted destinations
- Unexpected Git clone operations in user activity logs targeting non-corporate repositories
- Network traffic showing NTLM challenge-response sequences to external IP addresses
Detection Strategies
- Monitor Windows Security Event Logs for Event ID 4648 (explicit credential logon) associated with git.exe processes
- Deploy network detection rules to identify NTLM authentication traffic leaving the corporate network perimeter
- Implement DNS monitoring to detect connections to newly registered or suspicious domains from Git processes
- Review endpoint logs for git clone commands targeting unfamiliar repository URLs
Monitoring Recommendations
- Enable enhanced logging for Git operations on Windows endpoints
- Configure SIEM alerts for NTLM authentication events involving Git-related processes
- Implement network segmentation to restrict Git traffic to approved repository servers
- Deploy endpoint detection and response (EDR) solutions to monitor Git process behavior
How to Mitigate CVE-2025-66413
Immediate Actions Required
- Upgrade Git for Windows to version 2.53.0(2) or later immediately on all affected systems
- Audit recent Git clone operations to identify any connections to suspicious or unknown repositories
- Consider resetting passwords for users who may have cloned from untrusted sources
- Review and enforce policies restricting Git operations to approved internal and external repositories
Patch Information
The vulnerability has been addressed in Git for Windows version 2.53.0(2). Organizations should prioritize updating all installations of Git for Windows to this version or newer. The official release is available from the Git for Windows Release v2.53.0 page. Additional details about the security fix can be found in the GitHub Security Advisory GHSA-hv9c-4jm9-jh3x.
Workarounds
- Disable automatic NTLM authentication in corporate environments where feasible
- Configure Windows Defender Credential Guard to protect NTLM hashes from disclosure
- Implement network-level controls to block NTLM authentication to untrusted external servers
- Train users to verify repository URLs before executing clone operations and to avoid cloning from untrusted sources
# Verify Git for Windows version
git --version
# Expected output: git version 2.53.0.windows.2 or higher
# Update Git for Windows using winget (if available)
winget upgrade Git.Git
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
