SentinelOne

CVE-2026-20872: Windows NTLM Path Traversal Vulnerability

CVE-2026-20872 is an External Control of File Name or Path flaw (CWE-73) in Windows NTLM, catalogued here as a path traversal class issue, that lets an unauthenticated attacker on the network perform spoofing attacks against a user who interacts with a crafted resource. This article covers the technical details, affected systems, and mitigation steps.


CVE-2026-20872 Overview

CVE-2026-20872 is an External Control of File Name or Path vulnerability (CWE-73) in Windows NTLM authentication. An unauthenticated attacker on the network can supply file name or path input that reaches the NTLM authentication flow, spoof a resource and draw a victim into authenticating to it. Exploitation requires user interaction but no prior authentication, and its primary impact is on confidentiality: the victim's NTLM authentication material can be exposed to the attacker.

Critical Impact

An attacker who exploits this flaw can stage an NTLM spoofing attack, capturing the victim's NTLM challenge/response (Net-NTLMv2) exchange for offline cracking or redirecting the authentication to an attacker-controlled server for relay, which leads to credential theft and unauthorized access to network resources.

Affected Products

  • Windows NTLM (specific versions not disclosed)
  • Windows operating systems utilizing NTLM authentication

Discovery Timeline

  • 2026-01-13 - CVE-2026-20872 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2026-20872

Vulnerability Analysis

This vulnerability stems from improper handling of externally controlled file names or paths within the Windows NTLM authentication mechanism. When NTLM processes an authentication request, it does not adequately validate or sanitize the file path input, so an attacker can steer the authentication flow toward a resource of their choosing. The attack vector is the network, so exploitation can occur remotely, but user interaction is required to reach the vulnerable code path. Successful exploitation has a high confidentiality impact: the victim's NTLM challenge/response material is exposed to an unauthorized party.

Root Cause

The root cause is classified as CWE-73 (External Control of File Name or Path). This occurs when the application uses user-controlled input to construct file names or paths without proper validation. In the context of NTLM, this can allow attackers to redirect authentication attempts or manipulate the file resources accessed during the authentication process, enabling spoofing attacks.

Attack Vector

The attack leverages the network-accessible NTLM authentication protocol. An attacker crafts a resource, or lures a user to one, whose file name or path input manipulates the NTLM authentication flow. Because NTLM is still widely used in enterprise environments for single sign-on and resource access, successful exploitation can let an attacker capture authentication exchanges, relay them to other services, or impersonate the victim on the network.

The vulnerability requires some form of user interaction (such as clicking a link or accessing a malicious SMB share), but the attacker needs no prior authentication to set up the attack scenario.

Detection Methods for CVE-2026-20872

Indicators of Compromise

  • Outbound NTLM authentication attempts to external or unknown servers
  • UNC paths or resource references in documents, links or web content that point at external or unfamiliar hosts (visible in SMB client traces, proxy logs or packet capture rather than in the NTLM logon events themselves)
  • Unexpected outbound SMB (TCP 445) connections to non-standard destinations
  • A user's NTLM logon arriving from a host or address that user does not normally use, shortly after the user's own machine opened an outbound connection (the pattern a relay leaves behind)

Detection Strategies

  • Monitor NTLM logon events (Event ID 4776 on domain controllers, 4624 with Authentication Package NTLM on member hosts) for accounts authenticating from workstations or addresses they do not normally use; these events carry no file paths, so path-based indicators must come from SMB client auditing or packet capture
  • Implement network monitoring for SMB traffic to external IP addresses
  • Deploy endpoint detection rules to identify NTLM relay attack patterns
  • Configure alerting for NTLM authentication attempts to untrusted domains

Monitoring Recommendations

  • Enable NTLM auditing (the audit setting of "Network security: Restrict NTLM", which writes Event IDs 8001-8004 to the Microsoft-Windows-NTLM/Operational log) in addition to the standard Security log logon events
  • Deploy network intrusion detection signatures for NTLM spoofing patterns
  • Monitor for unusual UNC path access patterns in enterprise environments
  • Implement baseline analysis for normal NTLM traffic patterns to detect anomalies
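The following PowerShell script is an added example and is not code from the SentinelOne page or from Microsoft. It shows the monitoring recommendations above in practice: once NTLM client auditing is enabled (RestrictSendingNTLMTraffic = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0), every outgoing NTLM authentication is logged as Event ID 8001 in Microsoft-Windows-NTLM/Operational, and the script lists the target hosts that are neither RFC 1918 addresses nor on a trusted list, grouped by the process that authenticated. The trusted-host patterns, the time window and the regular expressions used to pull fields out of the event message text are assumptions; verify the field labels against an 8001 event on your own build.

```powershell
# Added example (not from the SentinelOne page or from Microsoft): triage the
# outgoing-NTLM audit trail that Windows writes when NTLM client auditing is on
# (RestrictSendingNTLMTraffic = 1). Each outbound NTLM authentication then
# produces Event ID 8001 in Microsoft-Windows-NTLM/Operational.
# Assumptions: the trusted-host patterns, the window, and the message regexes.

param(
    [string[]]$TrustedHosts = @('fileserver01', 'dc01', '*.corp.example.com'),  # assumed
    [int]$Hours = 24
)

function Test-InternalIPv4 {
    # True for RFC 1918 addresses; anything else (public IP, name) is "not internal".
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-TargetHost {
    # Normalise the "Target server" value (SPN form like cifs/host, a UNC path,
    # a URL, or a bare host, possibly with a port) down to a lower-case host name.
    param([string]$Target)
    $t = $Target.Trim().TrimStart('\')
    if ($t -match '^[A-Za-z]+://(.+)$') { $t = $Matches[1] }   # URL scheme
    if ($t -match '^[A-Za-z]+/(.+)$')   { $t = $Matches[1] }   # SPN class prefix
    $t = ($t -split '[\\/]')[0]                                # drop share / path
    $t = ($t -split ':')[0]                                    # drop port
    return $t.ToLowerInvariant()
}

function Test-TrustedHost {
    param([string]$HostName, [string[]]$Trusted)
    if ([string]::IsNullOrEmpty($HostName)) { return $false }
    if (Test-InternalIPv4 $HostName) { return $true }
    foreach ($pattern in $Trusted) {
        if ($HostName -like $pattern.ToLowerInvariant()) { return $true }
    }
    return $false
}

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001
    StartTime = (Get-Date).AddHours(-$Hours)
}
# "No events were found" is a non-terminating error; an empty result is fine.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Field labels as rendered in the 8001 message text (assumed; verify on your build).
    $target  = if ($msg -match 'Target server:\s*(\S+)')                   { $Matches[1] } else { '' }
    $user    = if ($msg -match 'Supplied user:\s*(\S+)')                   { $Matches[1] } else { '' }
    $process = if ($msg -match '(?m)Name of client process:\s*(.+?)\s*$')  { $Matches[1] } else { '' }
    $targetHost = Get-TargetHost $target
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Host    = $targetHost
        User    = $user
        Process = $process
        Trusted = Test-TrustedHost -HostName $targetHost -Trusted $TrustedHosts
    }
}

# Untrusted targets, most frequent (host, process) pairs first: a document viewer
# or browser authenticating to a public IP is the lure pattern described above.
$rows | Where-Object { -not $_.Trusted } |
    Group-Object -Property Host, Process |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize
```

Run it elevated on a workstation that has been in audit mode for at least a day; a clean run prints an empty table. Hosts that show up repeatedly and are legitimate belong in `$TrustedHosts` (and in the ClientAllowedNTLMServers allowlist before the policy is switched from audit to deny); anything else is a candidate for the outbound-SMB block described under Workarounds.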

How to Mitigate CVE-2026-20872

Immediate Actions Required

  • Review and apply the latest Microsoft security updates addressing CVE-2026-20872
  • Consider restricting outbound NTLM authentication to trusted servers using Group Policy
  • Require SMB signing to stop relay of captured authentication to SMB services (signing does not cover LDAP or HTTP(S) targets; Extended Protection for Authentication, listed under Workarounds, addresses those)
  • Evaluate migration to more secure authentication protocols such as Kerberos where possible

Patch Information

Microsoft has released a security advisory for this vulnerability. Organizations should consult the Microsoft CVE-2026-20872 Advisory for detailed patch information and affected product versions. Apply the relevant security updates through Windows Update or WSUS as soon as they become available.

Workarounds

  • Restrict NTLM usage via Group Policy by setting "Network security: Restrict NTLM" policies
  • Block outbound SMB connections to external networks at the firewall level
  • Implement Extended Protection for Authentication (EPA) where supported
  • Add high-value accounts to the Protected Users security group; its members cannot authenticate with NTLM at all, so a captured or relayed exchange for them is unusable
```cmd
:: Example: restrict outgoing NTLM (registry equivalent of the Group Policy
:: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers").
:: Values: 0 = allow all, 1 = audit all (Event ID 8001), 2 = deny all except the
:: servers listed in ClientAllowedNTLMServers. Start with 1 and review the audit
:: events before moving to 2, or applications that still depend on NTLM will break.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f

:: Require SMB signing on the server side (LanmanServer). Set the same value under
:: Services\LanmanWorkstation\Parameters to require it on the client side as well.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
```
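The PowerShell script below is an added example and is not code from the SentinelOne page or from Microsoft. It applies the workarounds above in the order a practitioner would roll them out: outgoing NTLM restriction in audit mode first (deny only with `-Enforce`, and only for servers outside an allowlist), SMB signing required on both the server and the client side, an outbound firewall rule that blocks SMB to the Internet, and a final state dump for verification. The allowlist entries, the firewall rule name and the sample account in the Protected Users comment are assumptions; run it elevated.

```powershell
# Added example (not from the SentinelOne page or from Microsoft): stage the
# NTLM workarounds audit-first and print the resulting state. Run elevated.
# Assumptions: the allowlist, the firewall rule name, and the sample account.

param(
    [switch]$Enforce,                                                        # 2 = deny, else 1 = audit
    [string[]]$AllowedNtlmServers = @('fileserver01', '*.corp.example.com'),  # assumed
    [string]$FirewallRuleName = 'Block outbound SMB to Internet'               # assumed
)

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Restrict outgoing NTLM. RestrictSendingNTLMTraffic: 0 = allow all,
#    1 = audit all (Event ID 8001 per outbound authentication), 2 = deny all
#    except servers named in ClientAllowedNTLMServers. Audit until the 8001
#    events show no legitimate NTLM use against unlisted hosts, then enforce.
$mode = if ($Enforce) { 2 } else { 1 }
Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Type DWord -Value $mode
Set-ItemProperty -Path $Msv1 -Name ClientAllowedNTLMServers -Type MultiString -Value $AllowedNtlmServers

# 2. Require SMB signing on both sides. Server-side signing stops relayed
#    authentication being accepted by this host; client-side signing stops this
#    host's own sessions from being usable after a relay.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 3. Block outbound SMB (TCP 445) to the Internet. "Internet" is the built-in
#    Windows Firewall address keyword for non-local ranges, so a lure cannot make
#    this host authenticate to an attacker-controlled server outside the network.
if (-not (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block | Out-Null
}

# 4. High-value accounts: members of Protected Users cannot authenticate with
#    NTLM at all. Needs the ActiveDirectory module and domain rights; the account
#    name is an assumption, so the line is left commented out.
# Add-ADGroupMember -Identity 'Protected Users' -Members 'svc-backup'

# 5. Print the resulting state so the change can be verified and recorded.
$lsa = Get-ItemProperty -Path $Msv1
[pscustomobject]@{
    RestrictSendingNTLMTraffic = $lsa.RestrictSendingNTLMTraffic
    ClientAllowedNTLMServers   = ($lsa.ClientAllowedNTLMServers -join ', ')
    SmbServerSigning           = (Get-SmbServerConfiguration).RequireSecuritySignature
    SmbClientSigning           = (Get-SmbClientConfiguration).RequireSecuritySignature
    OutboundSmbBlocked         = [bool](Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)
}
```

Extended Protection for Authentication is configured per service rather than host-wide (for example channel binding on LDAP and the extendedProtection setting on IIS sites), so it is not included in the script; the firewall rule only covers direct SMB, so WebDAV over HTTP(S) to external hosts still needs the NTLM restriction or proxy controls to be covered.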

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
