CVE-2026-20872 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The issue arises within the NTLM authentication protocol implementation, where an attacker can externally control file names or paths used during authentication processes. This control enables an unauthenticated attacker to conduct spoofing attacks over a network, potentially tricking systems or users into accepting malicious authentication data or redirecting authentication flows. The vulnerability has a CVSS v3.1 base score of 6.5, indicating medium severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is unchanged (S:U), and the impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in December 2025 and published in January 2026. The lack of patches suggests that mitigation may require upgrading to newer Windows versions or applying forthcoming security updates. The vulnerability's exploitation could lead to unauthorized disclosure of sensitive information through NTLM spoofing, which could facilitate further attacks or data leakage.

For European organizations, the primary impact of CVE-2026-20872 is the potential compromise of confidentiality through NTLM spoofing attacks. Organizations relying on Windows 10 Version 1809, especially those with legacy systems or environments where NTLM authentication is still in use, are at risk. Spoofing attacks could allow attackers to impersonate legitimate users or services, leading to unauthorized access to sensitive data or network resources. This is particularly concerning for sectors handling sensitive personal data or critical infrastructure, such as finance, healthcare, and government agencies. While the vulnerability does not affect system integrity or availability directly, the confidentiality breach could facilitate subsequent attacks, including lateral movement or privilege escalation. The requirement for user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted spear-phishing or social engineering risks. The absence of known exploits in the wild currently limits immediate impact but underscores the need for proactive mitigation. Organizations with poor patch management or extended use of outdated Windows versions face higher exposure.

1. Upgrade affected systems from Windows 10 Version 1809 to a supported and patched Windows version to eliminate the vulnerability. 2. Apply any security updates or patches released by Microsoft addressing this vulnerability as soon as they become available. 3. Restrict or disable NTLM authentication where feasible, replacing it with more secure protocols such as Kerberos or modern authentication methods. 4. Implement network-level controls to monitor and block suspicious NTLM traffic indicative of spoofing attempts. 5. Educate users about the risks of interacting with unsolicited authentication prompts or suspicious network activities to reduce the risk of user interaction exploitation. 6. Employ endpoint detection and response (EDR) solutions capable of detecting anomalous authentication behaviors. 7. Conduct regular vulnerability assessments and penetration testing focusing on authentication mechanisms to identify and remediate weaknesses. 8. Segment networks to limit the spread and impact of potential spoofing attacks. 9. Maintain robust logging and monitoring of authentication events to enable timely detection and response.