Microsoft Discloses Multiple Windows Spoofing Vulnerabilities Across Core Components
Microsoft published security advisories for several Windows spoofing vulnerabilities affecting core platform components, including Windows Shell Link Processing (CVE-2026-25185), Windows SMB Server (CVE-2025-48802), Windows NTLM (CVE-2025-21217), Virtual Secure Mode (CVE-2025-48813), and Windows Certificate handling (CVE-2022-21836). The flaws span identity, file handling, network services, virtualization-backed security, and certificate trust mechanisms, indicating broad exposure across enterprise Windows environments.
The advisories identify spoofing as the common impact, a class of weakness that can let attackers misrepresent files, systems, identities, or trust relationships to users and services. Organizations relying on Windows authentication, SMB-based file sharing, shortcut handling, certificate validation, and virtualization-based protections should review the affected CVEs and apply Microsoft security updates to reduce the risk of impersonation, deceptive content delivery, and trust bypass in managed environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2026-25185
Microsoft published a Security Update Guide advisory for CVE-2026-25185, a Windows Shell Link Processing Spoofing Vulnerability.
Microsoft publishes advisory for CVE-2025-48813
Microsoft released a Security Update Guide entry for CVE-2025-48813, a Virtual Secure Mode Spoofing Vulnerability.
Microsoft publishes advisory for CVE-2025-48802
Microsoft published a Security Update Guide entry for CVE-2025-48802, a Windows SMB Server Spoofing Vulnerability.
Microsoft publishes advisory for CVE-2025-21217
Microsoft released a Security Update Guide entry for CVE-2025-21217, a Windows NTLM Spoofing Vulnerability.
Microsoft publishes advisory for CVE-2022-21836
Microsoft published security guidance for CVE-2022-21836, a Windows Certificate Spoofing Vulnerability.
Sources
6 references tracked. Mallory keeps watching after this page renders.
La réflexion NTLM est morte, vive la réflexion NTLM ! - Analyse
synacktiv.com
Open sourceCVE-2026-25185 - Security Update Guide - Microsoft - Windows Shell Link Processing Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-48813 - Security Update Guide - Microsoft - Virtual Secure Mode Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-48802 - Security Update Guide - Microsoft - Windows SMB Server Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-21217 - Security Update Guide - Microsoft - Windows NTLM Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2022-21836 - Security Update Guide - Microsoft - Windows Certificate Spoofing Vulnerability
portal.msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Windows Spoofing Flaws Including NTLM Hash Disclosure Bug
Microsoft disclosed and patched three Windows spoofing vulnerabilities affecting the **Windows Security App**, **Windows Storage**, and **NTLM** authentication components. The issues were tracked as `CVE-2025-47956`, `CVE-2025-49760`, and `CVE-2025-24054`, with the last specifically described as an **NTLM Hash Disclosure Spoofing Vulnerability**, raising the risk of credential exposure through spoofing-related attack paths. The advisories were published through Microsoft's Security Update Guide and indicate that multiple core Windows components required security fixes for spoofing weaknesses. For defenders, the disclosures highlight the need to prioritize Microsoft security updates, review systems that rely on NTLM authentication, and assess whether exposed Windows endpoints or storage-related workflows could be abused for impersonation, misleading trust signals, or credential theft.
May 25, 2026
Microsoft Patches Multiple Spoofing Flaws Exposing NTLM Hashes and Shell Links
Microsoft disclosed and patched several spoofing vulnerabilities across Windows and Exchange Server, including **NTLM hash disclosure** issues tracked as `CVE-2025-24996`, `CVE-2025-59185`, and `CVE-2025-59244`, a **Windows NTLM spoofing** flaw `CVE-2025-21217`, a **Windows Themes spoofing** bug `CVE-2025-21308`, a **Windows Shell Link Processing spoofing** issue `CVE-2026-25185`, and an older **Microsoft Exchange Server spoofing** vulnerability `CVE-2021-24085`. The advisories indicate a broad set of weaknesses that could let attackers disguise content or trigger credential exposure through trusted Windows components and enterprise messaging infrastructure. The concentration of flaws around NTLM and user-facing file handling highlights continued risk from spoofing paths that can mislead users or disclose authentication material. For defenders, the updates underscore the need to prioritize Microsoft security patches for systems handling Windows authentication, shell link processing, themes, and Exchange workloads, especially where NTLM remains enabled and could be leveraged for credential theft or follow-on intrusion.
May 25, 2026
Microsoft discloses multiple spoofing flaws in Exchange Server and OfficePlus
Microsoft published security advisories for several spoofing vulnerabilities affecting **Microsoft Exchange Server** and **Microsoft OfficePlus**, identifying `CVE-2021-41350`, `CVE-2021-42305`, `CVE-2022-41078`, `CVE-2022-41079`, and `CVE-2025-55243`. The Exchange issues span multiple advisory releases and indicate a recurring class of flaws that could allow attackers to impersonate trusted senders, services, or content within enterprise messaging environments. The disclosures show Exchange Server as the primary affected platform, with four separate spoofing CVEs listed across 2021 and 2022, while a later advisory extends the same risk category to OfficePlus. Although the referenced notices provide limited public technical detail, the affected products are widely deployed in corporate communications workflows, making spoofing weaknesses operationally significant for phishing, fraud, and trust-boundary bypass scenarios until patches are applied.
May 25, 2026