CVE-2026-20925 is a vulnerability classified under CWE-73 (External Control of File Name or Path) that affects Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The vulnerability arises from improper handling of file names or paths within the NTLM authentication process, which is a legacy authentication protocol still widely used in many enterprise environments. An attacker can exploit this flaw remotely over the network without requiring privileges but does require some form of user interaction, such as convincing a user to authenticate to a malicious server or resource. By controlling the file name or path externally, the attacker can perform spoofing attacks that may lead to unauthorized disclosure of sensitive information or impersonation of legitimate users. The vulnerability impacts confidentiality by potentially exposing authentication tokens or credentials but does not directly compromise integrity or availability of systems. No patches or official fixes have been released at the time of publication, and no known exploits are reported in the wild, indicating that the threat is currently theoretical but with a realistic attack vector. The vulnerability's CVSS v3.1 score is 6.5, reflecting a medium severity level due to network attack vector, low attack complexity, no privileges required, but requiring user interaction and impacting confidentiality. This vulnerability is particularly relevant for organizations still running Windows 10 Version 1809, especially in environments where NTLM authentication remains enabled or fallback mechanisms are in place. Given the persistence of NTLM in many legacy systems, the risk of exploitation remains significant until mitigations or patches are applied.

For European organizations, this vulnerability poses a risk primarily to confidentiality, as attackers could spoof NTLM authentication requests to intercept or manipulate authentication data. This could lead to unauthorized access to sensitive systems or data, particularly in sectors relying on legacy Windows 10 systems and NTLM authentication, such as government, healthcare, finance, and critical infrastructure. The attack does not directly impact system integrity or availability but could serve as a stepping stone for further lateral movement or privilege escalation within networks. Organizations with remote or hybrid workforces using VPNs or remote desktop services may be more exposed due to increased network attack surfaces. The lack of available patches increases the urgency for interim mitigations. The medium severity rating suggests that while the threat is serious, it is not immediately critical but should be addressed promptly to avoid exploitation as threat actors develop weaponized exploits.

1. Disable or restrict NTLM authentication where possible, migrating to more secure protocols such as Kerberos or modern authentication frameworks. 2. Implement strict network segmentation and firewall rules to limit exposure of NTLM authentication traffic to trusted systems only. 3. Enable and enforce SMB signing and channel binding to reduce the risk of NTLM relay and spoofing attacks. 4. Monitor network traffic and authentication logs for unusual NTLM authentication attempts or anomalies indicative of spoofing or replay attacks. 5. Educate users about phishing and social engineering tactics that could trigger user interaction required for exploitation. 6. Apply any forthcoming patches or security updates from Microsoft promptly once available. 7. Use endpoint detection and response (EDR) tools to detect suspicious activities related to authentication processes. 8. Review and harden Group Policy settings related to authentication protocols and legacy fallback mechanisms. 9. Conduct regular vulnerability assessments and penetration testing focusing on authentication mechanisms. 10. Maintain an inventory of systems running Windows 10 Version 1809 and plan for upgrades to supported versions with enhanced security features.