Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66413

CVE-2025-66413: Git for Windows NTLM Hash Disclosure Flaw

CVE-2025-66413 is an information disclosure vulnerability in Git for Windows that allows attackers to steal NTLM hashes through malicious clones. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-66413 Overview

CVE-2025-66413 is an information disclosure vulnerability in Git for Windows, the Windows port of the popular Git version control system. This vulnerability allows attackers to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing relies on a weak cryptographic algorithm, attackers can subsequently perform offline brute-force attacks to recover the user's account name and password, potentially leading to account compromise and unauthorized access to corporate networks and resources.

Critical Impact

Attackers can steal Windows NTLM credentials when users clone from malicious Git repositories, enabling offline password cracking and potential domain compromise.

Affected Products

  • Git for Windows versions prior to 2.53.0(2)

Discovery Timeline

  • 2026-03-10 - CVE CVE-2025-66413 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2025-66413

Vulnerability Analysis

This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in how Git for Windows handles authentication when communicating with remote servers. When a user attempts to clone a repository from a malicious server, the attacker can manipulate the authentication process to coerce the Windows client into sending NTLM authentication credentials.

The network-based attack vector requires user interaction—specifically, the victim must be tricked into cloning from an attacker-controlled repository. The vulnerability has a changed scope, meaning that while the vulnerable component is Git for Windows, the impact extends to Windows domain credentials and potentially other systems where those credentials are reused.

Root Cause

The root cause lies in improper handling of authentication challenges during Git operations. When Git for Windows connects to a remote server that requests NTLM authentication, the client may automatically respond with NTLM credentials without proper validation of the server's legitimacy. This behavior allows malicious servers to capture NTLM hashes during the authentication handshake.

Attack Vector

The attack exploits the NTLM authentication protocol's inherent weaknesses combined with Git for Windows' default authentication behavior:

  1. An attacker sets up a malicious Git server configured to request NTLM authentication
  2. The attacker distributes a link to the malicious repository (via phishing, social engineering, or compromised documentation)
  3. When a victim executes git clone against the malicious server, their Windows client automatically attempts NTLM authentication
  4. The malicious server captures the NTLMv2 hash from the authentication attempt
  5. The attacker performs offline brute-force or dictionary attacks against the captured hash
  6. Upon successful cracking, the attacker obtains the victim's Windows credentials

Since NTLM is a relatively weak authentication protocol, modern password-cracking tools can efficiently recover passwords, especially those that are not sufficiently complex.

Detection Methods for CVE-2025-66413

Indicators of Compromise

  • Unusual outbound connections from git.exe to unknown or suspicious external servers
  • NTLM authentication attempts logged to unfamiliar or untrusted destinations
  • Unexpected Git clone operations in user activity logs targeting non-corporate repositories
  • Network traffic showing NTLM challenge-response sequences to external IP addresses

Detection Strategies

  • Monitor Windows Security Event Logs for Event ID 4648 (explicit credential logon) associated with git.exe processes
  • Deploy network detection rules to identify NTLM authentication traffic leaving the corporate network perimeter
  • Implement DNS monitoring to detect connections to newly registered or suspicious domains from Git processes
  • Review endpoint logs for git clone commands targeting unfamiliar repository URLs

Monitoring Recommendations

  • Enable enhanced logging for Git operations on Windows endpoints
  • Configure SIEM alerts for NTLM authentication events involving Git-related processes
  • Implement network segmentation to restrict Git traffic to approved repository servers
  • Deploy endpoint detection and response (EDR) solutions to monitor Git process behavior

How to Mitigate CVE-2025-66413

Immediate Actions Required

  • Upgrade Git for Windows to version 2.53.0(2) or later immediately on all affected systems
  • Audit recent Git clone operations to identify any connections to suspicious or unknown repositories
  • Consider resetting passwords for users who may have cloned from untrusted sources
  • Review and enforce policies restricting Git operations to approved internal and external repositories

Patch Information

The vulnerability has been addressed in Git for Windows version 2.53.0(2). Organizations should prioritize updating all installations of Git for Windows to this version or newer. The official release is available from the Git for Windows Release v2.53.0 page. Additional details about the security fix can be found in the GitHub Security Advisory GHSA-hv9c-4jm9-jh3x.

Workarounds

  • Disable automatic NTLM authentication in corporate environments where feasible
  • Configure Windows Defender Credential Guard to protect NTLM hashes from disclosure
  • Implement network-level controls to block NTLM authentication to untrusted external servers
  • Train users to verify repository URLs before executing clone operations and to avoid cloning from untrusted sources
bash
# Verify Git for Windows version
git --version
# Expected output: git version 2.53.0.windows.2 or higher

# Update Git for Windows using winget (if available)
winget upgrade Git.Git

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.