CVE-2026-20872: CWE-73: External Control of File Name or Path in Microsoft Windows 10 Version 1809
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
AI Analysis
Technical Summary
CVE-2026-20872 is a vulnerability categorized under CWE-73 (External Control of File Name or Path) affecting Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The issue arises from improper handling of file names or paths within the NTLM authentication mechanism, a legacy authentication protocol still used in Windows environments. An unauthenticated attacker can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no privileges (PR:N), but user interaction is required (UI:R). The vulnerability allows an attacker to perform spoofing by manipulating the file path or name used during NTLM authentication, potentially redirecting authentication requests or responses to malicious endpoints. This can lead to unauthorized disclosure of sensitive information (confidentiality impact is high), but does not affect integrity or availability. The scope remains unchanged (S:U), meaning the impact is limited to the vulnerable component. No known exploits have been observed in the wild, and no official patches have been released yet. The vulnerability was reserved in December 2025 and published in January 2026. Given the reliance on NTLM in many enterprise environments, especially those with legacy systems, this vulnerability poses a moderate risk until mitigated.
Potential Impact
For European organizations, the primary impact is the potential compromise of sensitive authentication data due to spoofing attacks exploiting NTLM. This can lead to unauthorized access to network resources, data leakage, and potential lateral movement within corporate networks. Organizations relying on Windows 10 Version 1809, particularly those that have not upgraded to newer Windows versions or disabled NTLM, are vulnerable. Critical sectors such as finance, government, and healthcare, which often use legacy authentication protocols for compatibility reasons, face elevated risks. The confidentiality breach could expose personal data protected under GDPR, leading to regulatory and reputational consequences. However, as the vulnerability does not affect system integrity or availability, direct disruption of services is less likely. The requirement for user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attack risks.
Mitigation Recommendations
1. Disable or restrict NTLM authentication where possible, replacing it with more secure protocols such as Kerberos or modern authentication frameworks.
2. Implement network segmentation and strict access controls to limit exposure of systems running Windows 10 Version 1809.
3. Monitor network traffic and authentication logs for unusual NTLM activity or signs of spoofing attempts.
4. Educate users about the risks of interacting with suspicious authentication prompts or network resources.
5. Apply any future patches or security updates from Microsoft promptly once released.
6. Use endpoint detection and response (EDR) tools to detect anomalous behavior related to NTLM authentication.
7. Consider upgrading affected systems to supported Windows versions that do not have this vulnerability.
8. Employ multi-factor authentication (MFA) to reduce the impact of credential compromise.
9. Review and harden Group Policy settings related to NTLM usage and authentication protocols.
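The following PowerShell audit is an added example, not part of this advisory and not code from Microsoft. It covers items 1, 3 and 9 above: it reads the documented "Network security: Restrict NTLM" registry values that the Group Policy settings map to, and it baselines recent NTLM network logons (Event ID 4624, logon type 3) from the Security log so unusual sources or NTLMv1 use stand out. The registry paths, value names and event fields are the documented ones; the "Finding" threshold (level 5 and outgoing NTLM denied) is an assumption chosen for the example and should be aligned with local policy.

```powershell
# Added example: audit NTLM hardening state and summarise recent NTLM logons.
# Run in an elevated PowerShell session on the Windows 10 host under review.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Read a registry value, returning a marker when the policy was never set.
function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default = 'not set')
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

# LmCompatibilityLevel: 5 = send NTLMv2 only, refuse LM and NTLMv1 (strongest).
$lmLevel   = Get-RegValueOrDefault -Path $lsa -Name 'LmCompatibilityLevel'
# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit, 2 = deny all.
$sendNtlm  = Get-RegValueOrDefault -Path $msv -Name 'RestrictSendingNTLMTraffic'
# RestrictReceivingNTLMTraffic: 0 = allow all, 1 = deny domain accounts, 2 = deny all.
$recvNtlm  = Get-RegValueOrDefault -Path $msv -Name 'RestrictReceivingNTLMTraffic'
# AuditReceivingNTLMTraffic: 0 = off, 1 = audit domain accounts, 2 = audit all.
$auditNtlm = Get-RegValueOrDefault -Path $msv -Name 'AuditReceivingNTLMTraffic'

# Assumed target state for this example: NTLMv2-only and outgoing NTLM denied.
$finding = if ($lmLevel -ne 5 -or $sendNtlm -ne 2) {
    'NTLM still permitted; review against policy (items 1 and 9)'
} else {
    'NTLM restricted'
}

[pscustomobject]@{
    LmCompatibilityLevel         = $lmLevel
    RestrictSendingNTLMTraffic   = $sendNtlm
    RestrictReceivingNTLMTraffic = $recvNtlm
    AuditReceivingNTLMTraffic    = $auditNtlm
    Finding                      = $finding
} | Format-List

# Baseline of NTLM network logons (item 3): Event ID 4624, logon type 3,
# authentication package NTLM, grouped by source address and NTLM version.
$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4624]] and
      *[EventData[Data[@Name='LogonType']='3']] and
      *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $filter -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Source  = $d['IpAddress']
            Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Package = $d['LmPackageName']   # 'NTLM V1' entries deserve attention
        }
    } |
    Group-Object Source, Package |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Entries with `LmPackageName` of `NTLM V1`, or sources that are not known servers, are the rows to follow up under item 3; the registry section shows whether items 1 and 9 have actually been applied on the host rather than only in a GPO that may not have reached it.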
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: microsoft
- Date Reserved: 2025-12-03T05:54:20.382Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69668ae1a60475309f9ae169
Added to database: 1/13/2026, 6:11:45 PM
Last enriched: 2/4/2026, 8:53:01 AM
Last updated: 2/7/2026, 4:31:50 AM
Views: 75