CVE-2026-21249 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting Microsoft Windows 10 Version 1607 (build 10.0.14393.0). The issue arises from the NTLM authentication process where an attacker with local access can manipulate file names or paths used by the system, enabling spoofing attacks. Spoofing here implies that the attacker can deceive the system or users by presenting falsified file paths or names, potentially leading to misdirected operations or data exposure. The vulnerability requires local access and user interaction, meaning an attacker must be able to execute code or actions on the affected machine and trick a user into triggering the exploit. The CVSS v3.1 score is 3.3, indicating low severity, primarily because the attack vector is local, no privileges are required, but user interaction is necessary, and the impact on confidentiality is limited with no effect on integrity or availability. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. This vulnerability is relevant mainly to legacy systems still running Windows 10 Version 1607, which reached end of mainstream support years ago, but may still be in use in some environments. The flaw highlights the risks of outdated OS versions and the importance of maintaining up-to-date systems. Attackers exploiting this vulnerability could potentially spoof file paths to mislead users or software components, possibly facilitating further local attacks or evasion of security controls.

For European organizations, the impact of CVE-2026-21249 is generally low due to the limited scope and conditions required for exploitation. However, organizations still operating legacy Windows 10 Version 1607 systems, particularly in critical infrastructure sectors such as manufacturing, healthcare, or government, could face localized risks. Spoofing attacks leveraging this vulnerability might enable attackers to mislead users or software processes, potentially leading to unauthorized access to local resources or bypassing security mechanisms. While the vulnerability does not directly compromise system integrity or availability, it could be used as a stepping stone for more complex local attacks if combined with other vulnerabilities. The requirement for local access and user interaction limits remote exploitation, reducing the threat surface. Nonetheless, in environments with shared workstations or insufficient endpoint security, the risk is elevated. European organizations with strict compliance requirements should consider this vulnerability in their risk assessments, especially if legacy systems are still in operation.

To mitigate CVE-2026-21249 effectively, European organizations should prioritize upgrading affected systems from Windows 10 Version 1607 to a supported and patched Windows version to eliminate the vulnerability entirely. In the interim, restrict local user privileges to the minimum necessary to reduce the risk of local exploitation. Implement strict application whitelisting and endpoint detection and response (EDR) solutions to monitor and block suspicious local activities that could exploit file path manipulation. Educate users about the risks of interacting with untrusted local files or prompts that could trigger spoofing attacks. Regularly audit and harden NTLM authentication configurations, considering disabling NTLM where feasible in favor of more secure protocols like Kerberos. Employ network segmentation to limit the impact of compromised local accounts. Since no patches are currently available, maintaining robust local security controls and planning timely OS upgrades are critical. Additionally, monitor security advisories from Microsoft for any forthcoming patches or mitigations related to this vulnerability.