CVE-2026-20925 is a vulnerability categorized under CWE-73 (External Control of File Name or Path) affecting Microsoft Windows 10 Version 1607, specifically build 10.0.14393.0. The vulnerability arises from improper handling of file names or paths controlled externally within the NTLM authentication protocol. NTLM, a legacy authentication protocol used in Windows environments, can be manipulated by an attacker to perform spoofing attacks over a network. This means an attacker can craft malicious requests or resources that cause the system to reference or load unintended files or paths, potentially leading to unauthorized disclosure of sensitive information. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), and impacts confidentiality (C:H) without affecting integrity or availability. The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting this is a newly disclosed vulnerability. The vulnerability was reserved in December 2025 and published in January 2026. Given the age of Windows 10 Version 1607, many organizations may still have systems running this build, especially in legacy or industrial environments. The flaw could be exploited by attackers to spoof network identities or resources, potentially leading to data leakage or unauthorized access to network services relying on NTLM authentication.

The primary impact of this vulnerability is on confidentiality, as attackers can exploit the external control of file names or paths to perform spoofing attacks that may lead to unauthorized disclosure of sensitive information. While integrity and availability are not directly affected, the ability to spoof network resources can facilitate further attacks such as man-in-the-middle or credential theft. Organizations using Windows 10 Version 1607 with NTLM enabled are at risk, particularly in environments where legacy authentication protocols remain in use due to compatibility requirements. This vulnerability could be leveraged in targeted attacks against enterprises, government agencies, or critical infrastructure relying on older Windows systems. The medium severity rating reflects the moderate risk posed by the vulnerability, considering the need for user interaction and the absence of privilege requirements. However, the widespread use of Windows 10 and NTLM in many organizations globally means the potential attack surface is significant. Exploitation could undermine trust in network authentication and lead to lateral movement within compromised networks.

To mitigate CVE-2026-20925, organizations should first assess their environment for the presence of Windows 10 Version 1607 systems and prioritize upgrading to supported, patched versions of Windows 10 or later. Where upgrading is not immediately feasible, disabling NTLM authentication or restricting its use through Group Policy can reduce exposure, as NTLM is the protocol exploited by this vulnerability. Network segmentation and the use of strong authentication protocols such as Kerberos should be enforced to limit the impact of spoofing attempts. Implementing network-level monitoring and intrusion detection systems to identify anomalous NTLM traffic or spoofing indicators can provide early warning of exploitation attempts. User education to recognize and avoid interacting with suspicious network resources or links can reduce the risk posed by the required user interaction. Organizations should monitor for official patches or updates from Microsoft and apply them promptly once available. Additionally, applying strict access controls on file shares and network resources can limit the potential for attackers to leverage this vulnerability effectively.