CVE-1999-0592 is a vulnerability in Windows NT systems where the logon box displays the username of the last user who logged in. This behavior can inadvertently disclose valid usernames to unauthorized individuals who have physical or remote access to the login screen. Although this vulnerability does not directly allow an attacker to gain access or escalate privileges, it significantly aids in reconnaissance efforts by revealing valid account names. Attackers can leverage this information to launch targeted password guessing or brute-force attacks, increasing the likelihood of successful unauthorized access. The vulnerability is inherent to the design of the Windows NT logon interface and does not require any authentication or user interaction to be exploited. The CVSS score of 10 (critical) assigned here reflects the potential impact on confidentiality, integrity, and availability if combined with other attack vectors, although the direct impact of this information disclosure alone is limited. No patches are available for this issue, as it is a design characteristic of legacy Windows NT systems, and no known exploits are reported in the wild. However, the presence of this vulnerability in legacy systems still poses a security risk, especially in environments where such systems remain operational.

For European organizations, the disclosure of the last logged-in username can facilitate targeted attacks against user accounts, especially in sectors with high-value data such as finance, healthcare, and government. Attackers gaining valid usernames can attempt password spraying, brute-force, or social engineering attacks, potentially leading to unauthorized access, data breaches, and disruption of services. Given that many European organizations have legacy systems or mixed environments where Windows NT or similar systems might still be in use, this vulnerability could be exploited as part of a multi-stage attack. The impact is heightened in organizations with weak password policies or insufficient network segmentation. Additionally, compliance with GDPR and other data protection regulations could be jeopardized if unauthorized access results from exploiting this vulnerability, leading to legal and reputational consequences.

Since no patch is available for this vulnerability, organizations should implement compensating controls. First, disable the display of the last logged-in username on Windows NT systems where possible, or migrate away from legacy Windows NT systems to supported versions of Windows that do not exhibit this behavior. Implement strong password policies, including complexity requirements, account lockout thresholds, and multi-factor authentication (MFA) to reduce the risk of successful brute-force attacks. Network segmentation and limiting physical and remote access to legacy systems can reduce exposure. Monitoring and alerting on failed login attempts can help detect brute-force or password spraying activities early. Additionally, organizations should conduct regular security awareness training to mitigate social engineering risks associated with username disclosure. Finally, consider deploying endpoint detection and response (EDR) solutions to identify suspicious activities related to authentication attempts.