Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable NTLM exchange with no auth or UI, but requires attacker to coerce/observe authentication (AC:H); high confidentiality from leaked material, low integrity from resulting spoofing.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
7DescriptionNVD
Exposure of sensitive information to an unauthorized actor in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Information disclosure in Microsoft Windows NTLM authentication allows remote unauthenticated attackers to obtain sensitive data and conduct network spoofing attacks against affected Windows 10, Windows 11, and Windows Server installations. The flaw carries a CVSS 7.5 (high) rating due to high confidentiality impact with no privileges or user interaction required, though EPSS exploitation probability is low at 0.08% and no public exploit identified at time of analysis. Microsoft has released patches through MSRC for all affected SKUs.
Technical ContextAI
The vulnerability resides in Windows NTLM (NT LAN Manager), a legacy challenge-response authentication protocol still widely used across Windows domains for SMB, RPC, HTTP, and other authenticated services. The CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) classification indicates NTLM is leaking authentication material or identity data to network-positioned attackers, which can then be relayed or used to impersonate (spoof) legitimate principals. Per CPE data, the flaw spans Windows 10 1607 (x86/x64), Windows 11 22H2 (x64/ARM64), Windows Server 2004, Server 2012/2012 R2, Server 2016, and Server 2022 - indicating the affected code path is in shared core NTLM components rather than a single SKU.
RemediationAI
Apply the Microsoft security updates that bring each SKU to at or above the fixed builds listed in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50508): 10.0.14393.9234 for Windows 10 1607 / Server 2016, 10.0.22631.7219 for Windows 11 22H2, 10.0.19045.7417 for Windows Server 2004, 10.0.20348.5256 for Server 2022, 6.2.9200.26132 for Server 2012, and 6.3.9600.23228 for Server 2012 R2 - patch via WSUS, Intune, or Windows Update on the next Patch Tuesday cycle. Until patched, reduce NTLM exposure by enabling SMB signing and LDAP signing/channel binding to defeat relay, enforcing Extended Protection for Authentication (EPA) on IIS/Exchange/AD CS web endpoints, and restricting outbound NTLM with the 'Network security: Restrict NTLM' Group Policy where feasible - be aware that disabling NTLM outright can break legacy applications and non-domain-joined clients, so audit with NTLM auditing GPOs first. Block SMB (TCP/445) and other NTLM-bearing protocols at the network perimeter to prevent untrusted hosts from initiating authentication flows.
More in Windows 10 1607
View allWindows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables
Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker
Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users
Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the
Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne
Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta
In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables
Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se
Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack
Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a nu
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35529
GHSA-hr5m-mp7v-gw8f