SentinelOne
CVE Vulnerability Database
CVE-2026-21249: Windows 10 1607 Path Traversal Flaw

CVE-2026-21249 is a path traversal (external control of file name or path) vulnerability in Windows NTLM, tracked against Windows 10 1607 among other versions, that enables an unauthorized attacker to perform local spoofing attacks. This article covers technical details, affected versions, and mitigation steps.

CVE-2026-21249 Overview

CVE-2026-21249 is a local spoofing vulnerability in Windows NTLM caused by external control of file name or path (CWE-73). This vulnerability allows an unauthorized attacker to perform spoofing attacks locally by manipulating file paths within the NTLM authentication process. The flaw affects a wide range of Microsoft Windows operating systems, including both client and server editions.

Critical Impact

An attacker with local access can exploit improper file path handling in Windows NTLM to perform spoofing attacks, potentially leading to unauthorized information disclosure.

Affected Products

  • Microsoft Windows 10 (versions 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 23H2, 24H2, 25H2)
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022 (including 23H2)
  • Microsoft Windows Server 2025

Discovery Timeline

  • February 10, 2026 - CVE-2026-21249 published to NVD
  • February 11, 2026 - Last updated in NVD database

Technical Details for CVE-2026-21249

Vulnerability Analysis

This vulnerability stems from improper handling of externally controlled file names or paths within the Windows NTLM authentication subsystem. When NTLM processes authentication requests, it fails to properly validate or sanitize file path inputs, allowing an attacker to manipulate these paths for malicious purposes.

The vulnerability requires local access to the system and user interaction to exploit. An attacker who successfully exploits this vulnerability could gain unauthorized access to limited confidential information through spoofing techniques that abuse the NTLM authentication flow.

While the impact is constrained to confidentiality exposure without direct integrity or availability consequences, the vulnerability affects a broad range of Windows systems across both desktop and server platforms, including the latest Windows 11 and Windows Server 2025 releases.

Root Cause

The root cause of CVE-2026-21249 is classified as CWE-73 (External Control of File Name or Path). This weakness occurs when an application uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but fails to properly neutralize special elements within the pathname. In this case, Windows NTLM does not adequately validate file paths provided during the authentication process, enabling path manipulation attacks.

Attack Vector

The attack requires local access to the target system and depends on user interaction. An attacker must convince a user to perform an action that triggers the vulnerable NTLM authentication code path with attacker-controlled file path parameters. This could be achieved through:

  • Crafting malicious files or shortcuts that trigger NTLM authentication with manipulated paths
  • Social engineering to have a user access resources that invoke the vulnerable code
  • Leveraging other local access to inject malicious path values into NTLM requests

The vulnerability does not allow direct code execution but enables spoofing that could lead to information disclosure of limited confidential data.

Detection Methods for CVE-2026-21249

Indicators of Compromise

  • Unusual NTLM authentication events with anomalous file path references in security logs
  • Suspicious access patterns to NTLM-related system components involving non-standard file paths
  • Authentication audit logs showing path traversal sequences or unexpected directory references

Detection Strategies

  • Enable advanced NTLM auditing via Group Policy to capture detailed authentication events
  • Monitor Windows Security Event logs (Event IDs 4624, 4625) for authentication anomalies
  • Implement file integrity monitoring on critical system directories involved in NTLM operations
  • Deploy endpoint detection rules that identify path manipulation attempts in authentication workflows

Monitoring Recommendations

  • Configure Windows Event Forwarding to centralize NTLM-related security events
  • Enable verbose logging for NTLM authentication through the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 registry key
  • Implement SIEM correlation rules to detect patterns of path manipulation in authentication contexts
  • Review authentication logs regularly for evidence of spoofing attempts or unusual path references

How to Mitigate CVE-2026-21249

Immediate Actions Required

  • Apply the latest Microsoft security updates from the February 2026 Patch Tuesday release
  • Review systems for signs of exploitation using the detection methods outlined above
  • Restrict local access to critical systems to authorized personnel only
  • Educate users about potential social engineering vectors that could trigger exploitation

Patch Information

Microsoft has released security updates to address this vulnerability. Administrators should consult the Microsoft Security Update Guide for CVE-2026-21249 for detailed patch information and download links specific to each affected Windows version. The patches address the improper file path validation in the NTLM authentication subsystem.

Workarounds

  • Consider implementing NTLM authentication restrictions where possible via Group Policy
  • Enable Extended Protection for Authentication (EPA) to add additional validation layers
  • Restrict NTLM usage in favor of Kerberos authentication where feasible using Network Security: Restrict NTLM policies
  • Apply the principle of least privilege to limit local access to sensitive systems
```powershell
# Restrict NTLM authentication via Group Policy (example registry configuration)
# Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
# Configure: Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers
# (the RestrictSendingNTLMTraffic value below is the registry equivalent of that policy;
#  "NTLM authentication in this domain" is a separate policy applied on domain controllers)

# Registry equivalent for restricting outgoing NTLM traffic:
#   0 = Allow all, 1 = Audit all (logs would-be blocks without enforcing), 2 = Deny all
# Roll out with /d 1 first and review the NTLM audit events before moving to /d 2.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f
```
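To support both the detection guidance above (Event ID 4624 monitoring and NTLM auditing) and the Restrict NTLM workaround, here is an added PowerShell script that is not from the SentinelOne page or from Microsoft: it lists the current NTLM policy values under the MSV1_0 key and summarizes which accounts and hosts still authenticate with NTLM, so a restriction can be staged in audit mode before enforcement. The `$Hours` parameter and the report layout are my choices; the registry value names and 4624 event fields are standard Windows ones.

```powershell
# Added example (not the page's or Microsoft's code): assess NTLM usage and
# policy state before enforcing "Restrict NTLM". Run elevated; the Security
# log requires administrator rights to read.
param([int]$Hours = 24)

# 1. Current NTLM policy values under the MSV1_0 key (absent = not configured).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$policyNames = @(
    'RestrictSendingNTLMTraffic'    # 0 allow, 1 audit, 2 deny (outgoing)
    'AuditReceivingNTLMTraffic'     # 0 off, 1 domain accounts, 2 all accounts
    'RestrictReceivingNTLMTraffic'  # 0 allow, 1 deny domain accounts, 2 deny all
)
foreach ($name in $policyNames) {
    $value = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = 'not configured' }
    '{0,-30} {1}' -f $name, $value
}

# 2. Successful logons (4624) that used the NTLM package in the last N hours.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$ntlm = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $data.TargetUserName
            Domain      = $data.TargetDomainName
            LogonType   = $data.LogonType        # 2 interactive, 3 network, ...
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
            Version     = $data.LmPackageName    # "NTLM V1" / "NTLM V2"
        }
    }
}

# 3. Anything listed here still depends on NTLM and would be affected by
#    RestrictSendingNTLMTraffic=2 or RestrictReceivingNTLMTraffic on the target.
$ntlm | Group-Object User, Workstation, Version |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Keep the script's output alongside the NTLM audit events produced by setting the policies to audit mode; together they show whether enforcing the restriction would break legitimate logons.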

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
