CVE-2026-20872: CWE-73: External Control of File Name or Path in Microsoft Windows 10 Version 1607
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
AI Analysis
Technical Summary
CVE-2026-20872 is a vulnerability in Microsoft Windows 10 Version 1607 (build 10.0.14393), classified as CWE-73, External Control of File Name or Path. Build 14393 is the Windows 10 2016 LTSB code base, shared with Windows Server 2016, which is why a 2016-era build is still being serviced; check the vendor advisory for the complete affected-product list, since this page names only Windows 10 1607. The affected component is Windows NTLM, and the vendor description is a single sentence: external control of a file name or path lets an unauthorized attacker perform spoofing over a network. The page carries no further detail on the mechanism, so nothing more should be read into the description itself. What the CVSS 3.1 vector does establish: the attack is network-reachable (AV:N) with low complexity (AC:L), needs no prior privileges (PR:N) but does need a user action (UI:R), keeps scope unchanged (S:U), and the only scored impact is high loss of confidentiality (C:H, I:N, A:N), giving a base score of 6.5 (Medium). The temporal metrics record an official fix (RL:O) and confirmed report confidence (RC:C), so a vendor update exists even though this page lists no patch link. Read together, CWE-73 in an NTLM component, required user interaction and confidentiality-only impact are the profile of a spoofing bug in which content the victim is induced to open or browse controls a file name or path that Windows then resolves, with the NTLM exchange itself as the thing exposed rather than code execution; that is an inference from the metrics and the weakness class, not a statement from the advisory. No public exploit is reported, but any environment still running build 14393 should treat the bug as live until the update is confirmed installed.
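As a consistency check on the vector quoted above, the base score can be recomputed from the published CVSS 3.1 weights (AV:N 0.85, AC:L 0.77, PR:N 0.85, UI:R 0.62, C:H 0.56, I:N and A:N 0). This is an added worked computation, not part of the advisory:

$\mathrm{ISS} = 1 - (1 - 0.56)(1 - 0)(1 - 0) = 0.56$

$\mathrm{Impact}_{S:U} = 6.42 \times 0.56 = 3.595$

$\mathrm{Exploitability} = 8.22 \times 0.85 \times 0.77 \times 0.85 \times 0.62 = 2.835$

$\mathrm{Base} = \lceil \min(3.595 + 2.835,\; 10) \rceil_{0.1} = \lceil 6.430 \rceil_{0.1} = 6.5$

The temporal metrics on the page are RL:O (0.95) and RC:C (1.0); with exploit maturity left undefined (E:X, 1.0) the temporal score would be $\lceil 6.5 \times 0.95 \times 1.0 \rceil_{0.1} = 6.2$. The page does not state a temporal score, so this last value is derived here, not quoted.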
Potential Impact
The scored impact of CVE-2026-20872 is confidentiality only (C:H). For an NTLM spoofing bug that plausibly means the attacker's direct gain is authentication-related material that can be reused or relayed, not control of the target; integrity and availability are unscored. The secondary risk is what that material enables: impersonation of the victim toward other services, relay and man-in-the-middle style attacks, and lateral movement, so a Medium base score understates the value of a domain user's NTLM exchange in a flat network. Exploitation needs no privileges and only one user action (UI:R), which rules out fully unattended mass exploitation but means any channel that delivers attacker-controlled content to a user is a candidate delivery path. Exposure is concentrated in environments still running build 14393 and in networks where NTLM is still accepted broadly, which in practice means enterprises with legacy LTSB fleets. No in-the-wild exploitation is recorded on this page; that lowers urgency, not exposure.
Mitigation Recommendations
To mitigate CVE-2026-20872, start with the vendor fix: RL:O in the temporal vector means Microsoft has shipped one, so obtain it through Windows Update, WSUS or the Microsoft Update Catalog and confirm the installed build against the MSRC advisory for CVE-2026-20872 (this page does not list the KB number). Hosts on Version 1607 that are not the 2016 LTSB edition are out of support and receive nothing; those need to move to a serviced release. Independently of the patch, reduce where NTLM is allowed to go: set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Audit all, review the resulting NTLM/Operational events, then move to Deny all with a documented exception list; set "LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM"; and put privileged accounts in the Protected Users group, whose members cannot authenticate with NTLM at all. Deny outbound TCP 445 (SMB) and outbound WebDAV at the network perimeter, which removes the most common path by which a victim host is made to authenticate to a server outside the organization. Require SMB signing and Extended Protection for Authentication on servers so that a captured or relayed NTLM exchange is worth less. Segment the remaining build-14393 hosts away from untrusted networks. For detection, enable the Microsoft-Windows-NTLM/Operational log and alert on event 8001 (outgoing NTLM audit) where the target is an IP literal or a host outside your domains, and correlate Security events 4624 and 4625 with AuthenticationPackageName NTLM and logon type 3 on servers; endpoint telemetry for unexpected outbound SMB or WebDAV connections covers the same ground from the host side. Because UI:R means a user action is the trigger, user awareness of unexpected files, links and authentication prompts still matters. Finally, inventory the estate: any host reporting CurrentBuildNumber 14393 is in scope, and the vulnerability scanner or CMDB query for that build is the remediation worklist.
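The inventory, policy and detection steps above, as one script. This is an added example written for this page; it is not code from Microsoft or from the advisory. It reads the build number and the NTLM restriction settings from the registry, optionally switches outgoing NTLM into audit mode, and then reports outgoing NTLM targets from event 8001 that fall outside your own DNS suffixes. The fixed UBR (`$FixedUbr`), the trusted suffix list (`$TrustedSuffixes`) and the assumption that the 8001 message text carries "Target server:" and "Name of client process:" fields are placeholders and assumptions, marked as such in the code.

```powershell
# Added example for this page; not code from Microsoft or from the advisory.
# Read-only NTLM exposure check for hosts on the Windows 10 1607 / build 14393
# code base, plus one opt-in write (Enable-NtlmOutboundAudit). Run elevated.
# Everything marked ASSUMPTION is a placeholder for your environment.

# ASSUMPTION: the UBR (last component of the build number) that carries the fix
# comes from the MSRC advisory for CVE-2026-20872; 0 disables the comparison.
$FixedUbr = 0
# ASSUMPTION: DNS suffixes you own. Outgoing NTLM to anything else is worth a look.
$TrustedSuffixes = @('corp.example.com', 'example.com')

function Get-BuildStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    [pscustomobject]@{
        ProductName  = $cv.ProductName
        Build        = "10.0.$build.$ubr"
        OnBuild14393 = ($build -eq 14393)
        FixPresent   = ($build -eq 14393 -and $FixedUbr -gt 0 -and $ubr -ge $FixedUbr)
    }
}

function ConvertTo-OutgoingNtlmLabel([object]$Value) {
    # DWORD behind "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    if ($null -eq $Value) { return 'Not configured (allow all)' }
    switch ([int]$Value) { 0 { 'Allow all' } 1 { 'Audit all' } 2 { 'Deny all' } default { "Unknown ($Value)" } }
}

function Get-NtlmPolicyStatus {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    # 5 = send NTLMv2 only and refuse LM/NTLMv1 as a server; unset means the OS default
    $lm = if ($null -eq $lsa.LmCompatibilityLevel) { 'Not configured' } else { $lsa.LmCompatibilityLevel }
    [pscustomobject]@{
        LmCompatibilityLevel = $lm
        OutgoingNtlmToRemote = ConvertTo-OutgoingNtlmLabel $msv.RestrictSendingNTLMTraffic
        # "Restrict NTLM: Incoming NTLM traffic": 0 allow all, 1 deny domain accounts, 2 deny all accounts
        IncomingNtlmRaw      = $msv.RestrictReceivingNTLMTraffic
        # "Restrict NTLM: Add remote server exceptions for NTLM authentication"
        OutgoingExceptions   = (@($msv.ClientAllowedNTLMServers) -join ', ')
        NtlmOperationalLogOn = (Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational').IsEnabled
    }
}

function Enable-NtlmOutboundAudit {
    # The one write in this script: outgoing NTLM to Audit all (1; 2 would be Deny all)
    # and the NTLM operational channel on, so event 8001 records each remote target.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true
}

function Get-OutboundNtlmTargets([int]$Days = 7) {
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # ASSUMPTION: the 8001 message carries "Target server: <spn or host>" and
        # "Name of client process: <path>" lines; adjust the patterns if yours differ.
        $target = if ($e.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '?' }
        $proc   = if ($e.Message -match 'Name of client process:\s*(.+?)\r?\n') { $Matches[1].Trim() } else { '?' }
        $targetHost = ($target -split '/')[-1]          # strip a cifs/ or HTTP/ service class
        $trusted = $TrustedSuffixes | Where-Object { $targetHost -like "*.$_" }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Target  = $target
            Process = $proc
            # An IP literal or a host outside our suffixes is the "authenticate toward
            # an attacker-chosen path" pattern to chase first.
            Suspicious = ($targetHost -match '^\d{1,3}(\.\d{1,3}){3}$' -or -not $trusted)
        }
    }
}

Get-BuildStatus      | Format-List
Get-NtlmPolicyStatus | Format-List
Get-OutboundNtlmTargets -Days 7 | Where-Object Suspicious | Sort-Object Target -Unique | Format-Table -AutoSize
```

Run it once as-is to see the baseline; call `Enable-NtlmOutboundAudit` only after you have read the policy output, because the audit setting is a machine-wide change that group policy may overwrite on the next refresh. Once 8001 data has accumulated for a week, the unique target list is the exception list you would carry into Deny all.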
Affected Countries
United States, China, India, Germany, United Kingdom, France, Japan, Brazil, Russia, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: microsoft
- Date Reserved: 2025-12-03T05:54:20.382Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69668ae1a60475309f9ae169
Added to database: 1/13/2026, 6:11:45 PM
Last enriched: 2/22/2026, 9:37:14 PM
Last updated: 3/24/2026, 10:37:07 AM