DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21249: Ghost in the Shell: Weaponizing NTLM via CVE-2026-21249

#security #cve #cybersecurity

Ghost in the Shell: Weaponizing NTLM via CVE-2026-21249

Vulnerability ID: CVE-2026-21249
CVSS Score: 3.3
Published: 2026-02-10

NTLM is the protocol that simply refuses to die. Just when you think Microsoft has finally driven a stake through its heart, another logic flaw emerges that allows attackers to coerce authentication and harvest hashes. CVE-2026-21249 is a classic 'forced authentication' vulnerability masked as a mundane path traversal issue. By manipulating file paths passed to the Windows NTLM service, a local attacker can trick the operating system into authenticating to a rogue SMB server. While the CVSS score is laughably low (3.3) due to 'local' and 'user interaction' requirements, in the hands of a skilled red teamer, this is a golden ticket for lateral movement via NTLM relaying.

TL;DR

Windows failed to validate file paths in the NTLM provider, allowing attackers to supply UNC paths (e.g., \attacker\share). This forces the victim machine to send NTLMv2 hashes to the attacker. Patch now.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-73 (External Control of File Name or Path)
  • CVSS v3.1: 3.3 (Low)
  • Attack Vector: Local / User Interaction Required
  • Impact: Credential Disclosure (NTLMv2 Hash Leaking)
  • Exploit Status: PoC Likely (Trivial to replicate)
  • Patch Date: 2026-02-10

Affected Systems

  • Windows 11 Version 26H1
  • Windows 11 Version 24H2
  • Windows 11 Version 23H2
  • Windows 10 Version 22H2
  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 11 Version 26H1: < 10.0.28000.1575 (Fixed in: 10.0.28000.1575)
  • Windows Server 2025: < 10.0.26100.32370 (Fixed in: 10.0.26100.32370)
  • Windows 10 Version 22H2: < 10.0.19045.6937 (Fixed in: 10.0.19045.6937)

Exploit Details

  • Hypothetical: Standard NTLM capture using Responder and forced authentication via UNC paths.

Mitigation Strategies

  • Apply Microsoft February 2026 Security Updates immediately.
  • Restrict Outbound NTLM traffic via Group Policy.
  • Enforce SMB Signing and Encryption to prevent relay attacks.
  • Block outbound SMB (Port 445) at the perimeter and between workstations.

Remediation Steps:

  1. Identify vulnerable systems using the version list provided.
  2. Deploy the cumulative update matching your OS version (e.g., KB1234567).
  3. Reboot the system to ensure the NTLM provider DLLs are reloaded.
  4. Verify the fix by attempting to pass a UNC path to the affected component (if a PoC is available).

References

Read the full report for CVE-2026-21249 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)