Microsoft has assigned CVE-2026-20925 to a newly confirmed vulnerability that can expose Windows NTLM authentication data when users simply browse or preview a malicious file in File Explorer. The flaw is an information-disclosure and spoofing weakness that, if exploited, lets attackers behind a remote SMB server capture NTLMv2 challenge-response blobs—the digital keys that prove a user’s identity on many corporate networks. No security update is available yet, but practical mitigations can sharply reduce risk today.
What happens when you open a booby-trapped file?
The attack plays out in three subtle steps. First, an attacker crafts a file—a document, archive, or even a shortcut—that contains a hidden reference to an external resource, often a UNC path like \\malicious-server\share. Next, when you view that file in File Explorer or a preview pane, Windows tries to resolve the reference by contacting the remote server over SMB. That’s normal behavior for things like document templates, icons, or linked images. But during the connection setup, Windows automatically sends an NTLM authentication handshake under your user account, including an NTLMv2 response blob.
The attacker’s server simply records that blob. It’s not a plaintext password, but it can be cracked offline to reveal your real network password, or relayed to other internal services that trust NTLM, effectively letting the attacker impersonate you. No security dialog ever pops up; no warning is given. The entire transaction can happen in the blink of an eye as soon as you click on the file or even just highlight it in a folder.
This class of leak—often called “NTLM hash disclosure” or “coerced authentication”—has been a recurring theme in Windows. Previous CVEs (e.g., CVE-2025-24054, CVE-2024-38063) exploited similar mechanisms, and Microsoft’s advisory confirms CVE-2026-20925 is a new variant. The exact file type or preview handler involved has not been disclosed, but historical precedent points to parsers for common formats like Office documents, PDFs, or even .library-ms folder files. Until the technical write‑up and KB articles drop, administrators should assume it affects all currently supported Windows versions.
Who should be worried right now?
The practical danger isn’t equal for everyone. Attackers typically need to lure a victim into opening or previewing a malicious file, which means home users who avoid dubious downloads are not immediate targets—though never zero. The true pressure falls on enterprise environments:
- Privileged users: Domain admins, help-desk operators, and anyone with broad access rights who often opens attachments (for example, in legal, HR, or procurement roles). Leaking their NTLM blob can have catastrophic lateral-movement consequences.
- VDI and jump host machines: These endpoints are often used to bridge into sensitive networks; an exploit here hands attackers a key to the kingdom.
- Servers that process untrusted content: Mail gateways, document-scanning appliances, or any system that extracts or renders uploaded files automatically could be tricked into leaking their machine credentials.
- Networks with SMB egress allowed: If your firewall doesn’t block outbound connections on TCP ports 139 and 445 to the internet, or if your internal machines can reach unknown SMB servers, the attack surface widens dramatically.
If your organization still relies on NTLM for authentication (and many do, especially in older Active Directory setups), this vulnerability deserves an immediate operational response—even before a patch ships.
A familiar pattern: how we got here
NTLM is ancient technology, dating back to Windows NT. Microsoft has been pushing Kerberos as the modern replacement for years, but backward compatibility means NTLM still lurks everywhere. Over the last two years, a string of high-profile CVEs showed how easy it is to coax Windows components into unwanted NTLM handshakes. In 2024, for instance, CVE-2024-38063 involved a specially crafted IPv6 packet that could force a Windows server to authenticate to an attacker’s server. Early 2025 brought CVE-2025-24054, a File Explorer preview-pane flaw that leaked NTLM blobs when merely viewing a folder containing a malicious .library-ms file.
Microsoft’s response has often been a mix of targeted patches and broader behavioral hardening—such as preventing File Explorer from rendering previews of files that carry the Mark‑of‑the‑Web (indicating they came from the internet). Those measures help, but they aren’t bulletproof. Each new CVE finds a fresh parsing quirk or metadata trigger that slips past existing defenses. CVE‑2026‑20925 is the latest such find. The company’s Security Update Guide page confirms the ID and describes it as an information-disclosure / spoofing vulnerability in NTLM, but the entry currently lacks full technical detail and official KB numbers. That’s normal for a staged disclosure: Microsoft often publishes the bare identifier first to give defenders a heads-up while the final patch packages are being assembled.
What you can do right now to protect your systems
No patch? No problem—well, not entirely. While we wait for an official fix, a handful of proven mitigations can drastically reduce your exposure. These are the same measures that blunted the impact of earlier NTLM leaks and are considered best practice regardless.
1. Disable the File Explorer preview pane and thumbnail generation on sensitive hosts
This is the single most effective low‑cost kill switch. On administrative workstations, jump hosts, and document‑triage VMs:
- Open File Explorer, go to the View tab, and ensure Preview pane is off (or press Alt + P).
- To disable thumbnail caching, go to Folder Options → View and check “Always show icons, never thumbnails.”
- For enterprise rollouts, use Group Policy: navigate to User Configuration\Administrative Templates\Windows Components\File Explorer and enable “Turn off the display of thumbnails and only display icons.”
2. Block outbound SMB to untrusted networks
SMB should never leave your corporate perimeter. On your edge firewalls, block:
- TCP port 445 (SMB over TCP)
- TCP port 139 (NetBIOS session)
- UDP ports 137‑138 (NetBIOS name service, rarely used but still risky)
Internally, segment networks so that only authorized file servers accept SMB connections. Windows Firewall rules can enforce this per endpoint: create an outbound rule blocking ports 445 and 139 to all IP addresses except your approved file servers. Test carefully before wide deployment.
3. Harden authentication with SMB signing and NTLM restrictions
- Enable SMB signing domain‑wide. In Group Policy, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and set “Microsoft network client: Digitally sign communications (always)” to Enabled. This makes relay attacks far harder.
- Restrict NTLM usage via the “Network security: Restrict NTLM” policies. Start with auditing mode to discover which applications still rely on NTLM, then gradually block it for those that don’t.
- If your environment allows, disable NTLM entirely in favor of Kerberos. The policy “Network security: Restrict NTLM: NTLM authentication in this domain” can be configured to deny all.
4. Monitor for suspicious Explorer behavior
Use your EDR or SIEM to alert on:
- explorer.exe making outbound SMB/UNC connections to anything other than known internal file servers. A single alert could be the first sign of an exploit attempt.
- NTLM authentication attempts from endpoints where such traffic is unusual.
- Bulk unblocking of downloaded files (e.g., PowerShell scripts that strip the Mark‑of‑the‑Web). Track Event ID 5152 on Windows Firewall for SMB‑related blocks.
5. Keep an eye on the official advisory
Bookmark the MSRC page for CVE-2026-20925. Microsoft will update it with KB article numbers and direct download links once patches are ready. Subscribe to your preferred security mailing lists or vendor feeds so you don’t miss when the fix drops.
Long‑term defenses: moving beyond NTLM
While short‑term mitigations are essential, the only real cure is to reduce your dependence on NTLM. Start auditing your environment now:
- Identify all services and applications that use NTLM (tools like Microsoft’s NTLM Auditing package or security vendors’ scanners can help).
- Migrate those to Kerberos, modern web authentication, or Azure AD Integrated credentials.
- For legacy systems that absolutely cannot move, tightly restrict their network access and monitor their NTLM traffic aggressively.
- Consider implementing “protected users” security groups for admin accounts, which prevent NTLM authentication entirely and force Kerberos.
These architectural changes take time, but they transform the value of any future NTLM leak bug from “code red” to “mild yellow.”
What to watch next
Microsoft’s advisory is still in its early stage. In the coming weeks, expect:
- KB articles mapping the fix to specific Windows builds (likely Windows 10, Windows 11, and Windows Server 2016‑2025).
- Technical write‑ups from researchers who will reverse‑engineer the patch and publish precise exploit triggers.
- Possible reports of in‑the‑wild exploitation, given how quickly similar NTLM flaws were weaponized in the past.
For now, the most important action is to assume the vulnerability is real and exploitable. Apply the mitigations above, especially on high‑value targets. A few configuration changes today can prevent a nightmare breach tomorrow. Check the MSRC page frequently, and when the patch lands, deploy it with the same urgency you would for any critical remote code execution flaw. NTLM credential leaks may lack the immediate spectacle of ransomware, but they are the silent first domino in many of the worst breaches.