Microsoft Patches Multiple Spoofing Flaws Exposing NTLM Hashes and Shell Links
Microsoft disclosed and patched several spoofing vulnerabilities across Windows and Exchange Server, including NTLM hash disclosure issues tracked as CVE-2025-24996, CVE-2025-59185, and CVE-2025-59244, a Windows NTLM spoofing flaw CVE-2025-21217, a Windows Themes spoofing bug CVE-2025-21308, a Windows Shell Link Processing spoofing issue CVE-2026-25185, and an older Microsoft Exchange Server spoofing vulnerability CVE-2021-24085. The advisories indicate a broad set of weaknesses that could let attackers disguise content or trigger credential exposure through trusted Windows components and enterprise messaging infrastructure.
The concentration of flaws around NTLM and user-facing file handling highlights continued risk from spoofing paths that can mislead users or disclose authentication material. For defenders, the updates underscore the need to prioritize Microsoft security patches for systems handling Windows authentication, shell link processing, themes, and Exchange workloads, especially where NTLM remains enabled and could be leveraged for credential theft or follow-on intrusion.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2026-25185 in Windows Shell Link Processing
Microsoft published a Security Update Guide entry for CVE-2026-25185, describing it as a Windows Shell Link Processing spoofing vulnerability.
Microsoft discloses CVE-2025-59185 NTLM hash disclosure flaw
Microsoft published a Security Update Guide entry for CVE-2025-59185, identifying it as an NTLM hash disclosure spoofing vulnerability.
Microsoft discloses CVE-2025-59244 NTLM hash disclosure flaw
Microsoft published a Security Update Guide entry for CVE-2025-59244, identifying it as an NTLM hash disclosure spoofing vulnerability.
Microsoft discloses CVE-2025-24996 NTLM hash disclosure flaw
Microsoft published a Security Update Guide entry for CVE-2025-24996, describing it as an NTLM hash disclosure spoofing vulnerability.
Microsoft discloses CVE-2025-21217 in Windows NTLM
Microsoft published a Security Update Guide advisory for CVE-2025-21217, identifying it as a Windows NTLM spoofing vulnerability.
Microsoft discloses CVE-2025-21308 in Windows Themes
Microsoft published a Security Update Guide entry for CVE-2025-21308, describing it as a Windows Themes spoofing vulnerability.
Microsoft discloses CVE-2021-24085 in Exchange Server
Microsoft published a Security Update Guide entry for CVE-2021-24085, identifying it as a Microsoft Exchange Server spoofing vulnerability.
Sources
7 references tracked. Mallory keeps watching after this page renders.
CVE-2026-25185 - Security Update Guide - Microsoft - Windows Shell Link Processing Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-59185 - Security Update Guide - Microsoft - NTLM Hash Disclosure Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-59244 - Security Update Guide - Microsoft - NTLM Hash Disclosure Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-24996 - Security Update Guide - Microsoft - NTLM Hash Disclosure Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-21308 - Security Update Guide - Microsoft - Windows Themes Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-21217 - Security Update Guide - Microsoft - Windows NTLM Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2021-24085 - Security Update Guide - Microsoft - Microsoft Exchange Server Spoofing Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Windows Spoofing Flaws Including NTLM Hash Disclosure Bug
Microsoft disclosed and patched three Windows spoofing vulnerabilities affecting the **Windows Security App**, **Windows Storage**, and **NTLM** authentication components. The issues were tracked as `CVE-2025-47956`, `CVE-2025-49760`, and `CVE-2025-24054`, with the last specifically described as an **NTLM Hash Disclosure Spoofing Vulnerability**, raising the risk of credential exposure through spoofing-related attack paths. The advisories were published through Microsoft's Security Update Guide and indicate that multiple core Windows components required security fixes for spoofing weaknesses. For defenders, the disclosures highlight the need to prioritize Microsoft security updates, review systems that rely on NTLM authentication, and assess whether exposed Windows endpoints or storage-related workflows could be abused for impersonation, misleading trust signals, or credential theft.
May 25, 2026
Microsoft Discloses Multiple Windows Spoofing Vulnerabilities Across Core Components
Microsoft published security advisories for several **Windows spoofing vulnerabilities** affecting core platform components, including **Windows Shell Link Processing** (`CVE-2026-25185`), **Windows SMB Server** (`CVE-2025-48802`), **Windows NTLM** (`CVE-2025-21217`), **Virtual Secure Mode** (`CVE-2025-48813`), and **Windows Certificate** handling (`CVE-2022-21836`). The flaws span identity, file handling, network services, virtualization-backed security, and certificate trust mechanisms, indicating broad exposure across enterprise Windows environments. The advisories identify spoofing as the common impact, a class of weakness that can let attackers misrepresent files, systems, identities, or trust relationships to users and services. Organizations relying on Windows authentication, SMB-based file sharing, shortcut handling, certificate validation, and virtualization-based protections should review the affected CVEs and apply Microsoft security updates to reduce the risk of impersonation, deceptive content delivery, and trust bypass in managed environments.
May 25, 2026
Microsoft discloses multiple spoofing flaws in Exchange Server and OfficePlus
Microsoft published security advisories for several spoofing vulnerabilities affecting **Microsoft Exchange Server** and **Microsoft OfficePlus**, identifying `CVE-2021-41350`, `CVE-2021-42305`, `CVE-2022-41078`, `CVE-2022-41079`, and `CVE-2025-55243`. The Exchange issues span multiple advisory releases and indicate a recurring class of flaws that could allow attackers to impersonate trusted senders, services, or content within enterprise messaging environments. The disclosures show Exchange Server as the primary affected platform, with four separate spoofing CVEs listed across 2021 and 2022, while a later advisory extends the same risk category to OfficePlus. Although the referenced notices provide limited public technical detail, the affected products are widely deployed in corporate communications workflows, making spoofing weaknesses operationally significant for phishing, fraud, and trust-boundary bypass scenarios until patches are applied.
May 25, 2026