Skip to main content

Windows NTLM CVE-2026-50508

| EUVDEUVD-2026-35529 HIGH
Information Exposure (CWE-200)
2026-06-09 secure@microsoft.com GHSA-hr5m-mp7v-gw8f
7.5
CVSS 3.1 · NVD
Temporal: 5.7
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
5.7 MEDIUM
cvss
vuln.today AI
6.5 MEDIUM

Network-reachable NTLM exchange with no auth or UI, but requires attacker to coerce/observe authentication (AC:H); high confidentiality from leaked material, low integrity from resulting spoofing.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 18, 2026 - 03:51 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 18, 2026 - 03:50 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 18, 2026 - 03:38 vuln.today
cvss_changed
Severity Changed
Jun 18, 2026 - 03:38 NVD
MEDIUM HIGH
CVSS changed
Jun 18, 2026 - 03:38 NVD
6.5 (MEDIUM) 7.5 (HIGH)
Analysis Generated
Jun 09, 2026 - 19:02 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 6.5

DescriptionNVD

Exposure of sensitive information to an unauthorized actor in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Information disclosure in Microsoft Windows NTLM authentication allows remote unauthenticated attackers to obtain sensitive data and conduct network spoofing attacks against affected Windows 10, Windows 11, and Windows Server installations. The flaw carries a CVSS 7.5 (high) rating due to high confidentiality impact with no privileges or user interaction required, though EPSS exploitation probability is low at 0.08% and no public exploit identified at time of analysis. Microsoft has released patches through MSRC for all affected SKUs.

Technical ContextAI

The vulnerability resides in Windows NTLM (NT LAN Manager), a legacy challenge-response authentication protocol still widely used across Windows domains for SMB, RPC, HTTP, and other authenticated services. The CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) classification indicates NTLM is leaking authentication material or identity data to network-positioned attackers, which can then be relayed or used to impersonate (spoof) legitimate principals. Per CPE data, the flaw spans Windows 10 1607 (x86/x64), Windows 11 22H2 (x64/ARM64), Windows Server 2004, Server 2012/2012 R2, Server 2016, and Server 2022 - indicating the affected code path is in shared core NTLM components rather than a single SKU.

RemediationAI

Apply the Microsoft security updates that bring each SKU to at or above the fixed builds listed in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50508): 10.0.14393.9234 for Windows 10 1607 / Server 2016, 10.0.22631.7219 for Windows 11 22H2, 10.0.19045.7417 for Windows Server 2004, 10.0.20348.5256 for Server 2022, 6.2.9200.26132 for Server 2012, and 6.3.9600.23228 for Server 2012 R2 - patch via WSUS, Intune, or Windows Update on the next Patch Tuesday cycle. Until patched, reduce NTLM exposure by enabling SMB signing and LDAP signing/channel binding to defeat relay, enforcing Extended Protection for Authentication (EPA) on IIS/Exchange/AD CS web endpoints, and restricting outbound NTLM with the 'Network security: Restrict NTLM' Group Policy where feasible - be aware that disabling NTLM outright can break legacy applications and non-domain-joined clients, so audit with NTLM auditing GPOs first. Block SMB (TCP/445) and other NTLM-bearing protocols at the network perimeter to prevent untrusted hosts from initiating authentication flows.

CVE-2025-33053 HIGH POC
8.8 Jun 10

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables

CVE-2025-33073 HIGH POC
8.8 Jun 10

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker

CVE-2025-21293 HIGH POC
8.8 Jan 14

Active Directory Domain Services contains an elevation of privilege vulnerability that allows authenticated domain users

CVE-2025-30397 HIGH POC
7.5 May 13

Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the

CVE-2025-32706 HIGH POC
7.8 May 13

Windows CLFS Driver contains an input validation flaw enabling local privilege escalation, yet another CLFS kernel vulne

CVE-2025-21418 HIGH
7.8 Feb 11

Windows Ancillary Function Driver for WinSock contains a heap-based buffer overflow enabling local privilege escalation

CVE-2026-21510 HIGH POC
8.8 Feb 10

Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote atta

CVE-2025-47827 MEDIUM POC
4.6 Jun 05

In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptograph

CVE-2026-21519 HIGH
7.8 Feb 10

Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables

CVE-2025-32701 HIGH
7.8 May 13

Windows Common Log File System Driver contains another use-after-free for local privilege escalation, the latest in a se

CVE-2025-21391 HIGH
7.1 Feb 11

Windows Storage contains an elevation of privilege vulnerability through symlink following that allows authorized attack

CVE-2025-32709 HIGH
7.8 May 13

Windows Ancillary Function Driver for WinSock contains a use-after-free enabling local privilege escalation through a nu

Share

CVE-2026-50508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy