CVE-2025-66413 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting Git for Windows prior to version 2.53.0(2). Git for Windows is the Windows port of the widely used Git version control system. The vulnerability arises because when a user clones a repository from a malicious Git server, the server can trick the client into sending the user's NTLM hash. NTLM (NT LAN Manager) hashes are known to be cryptographically weak and susceptible to brute-force attacks. Once the attacker obtains the NTLM hash, they can attempt offline brute-force attacks to recover the user's Windows account name and password. This attack vector requires no privileges on the victim machine and only requires the user to initiate a clone operation from a malicious server, which constitutes user interaction. The vulnerability impacts confidentiality by exposing sensitive authentication credentials but does not affect integrity or availability of the system. The CVSS v3.1 base score is 7.4, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change with high confidentiality impact. The vulnerability was publicly disclosed on March 10, 2026, and fixed in Git for Windows version 2.53.0(2). There are no known exploits in the wild at the time of disclosure. This issue highlights the risks of NTLM authentication in modern environments and the importance of validating remote Git servers before cloning.

The primary impact of this vulnerability is the exposure of NTLM hashes, which can lead to credential compromise through brute-force attacks. If attackers successfully recover user credentials, they can gain unauthorized access to Windows accounts, potentially leading to lateral movement within corporate networks, data theft, or further compromise. Organizations with developers or automated systems that clone Git repositories from external or untrusted sources are particularly vulnerable. The compromise of developer credentials can also lead to supply chain risks if attackers gain access to source code repositories or deployment pipelines. Since the vulnerability requires user interaction (cloning from a malicious server), social engineering or phishing campaigns could be used to exploit it. The scope of affected systems is significant given the widespread use of Git for Windows in software development worldwide. However, the lack of known exploits in the wild and the availability of a patch reduce immediate risk if mitigations are applied promptly.

1. Upgrade all Git for Windows installations to version 2.53.0(2) or later to apply the official patch that fixes this vulnerability. 2. Educate developers and users to avoid cloning repositories from untrusted or unknown Git servers, especially those that are not verified or internal to the organization. 3. Implement network-level controls such as firewall rules or proxy filtering to restrict outbound Git traffic to trusted servers only. 4. Use multi-factor authentication (MFA) and strong password policies to reduce the risk of compromised credentials being useful to attackers. 5. Monitor network traffic for unusual Git cloning activity or connections to suspicious servers. 6. Consider disabling NTLM authentication where possible in favor of more secure authentication protocols like Kerberos or OAuth-based methods. 7. Conduct regular audits of developer machines and credentials for signs of compromise. 8. Employ endpoint detection and response (EDR) solutions to detect anomalous behavior related to Git usage or credential dumping.