Microsoft Patches Windows Spoofing Flaws Including NTLM Hash Disclosure Bug
Microsoft disclosed and patched three Windows spoofing vulnerabilities affecting the Windows Security App, Windows Storage, and NTLM authentication components. The issues were tracked as CVE-2025-47956, CVE-2025-49760, and CVE-2025-24054, with the last specifically described as an NTLM Hash Disclosure Spoofing Vulnerability, raising the risk of credential exposure through spoofing-related attack paths.
The advisories were published through Microsoft's Security Update Guide and indicate that multiple core Windows components required security fixes for spoofing weaknesses. For defenders, the disclosures highlight the need to prioritize Microsoft security updates, review systems that rely on NTLM authentication, and assess whether exposed Windows endpoints or storage-related workflows could be abused for impersonation, misleading trust signals, or credential theft.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2025-49760
Microsoft published a Security Update Guide entry for CVE-2025-49760, described as a Windows Storage Spoofing Vulnerability. This reflects the public release of Microsoft's advisory for the flaw.
Microsoft publishes advisory for CVE-2025-47956
Microsoft published a Security Update Guide entry for CVE-2025-47956, identified as a Windows Security App Spoofing Vulnerability. The reference marks the public advisory date for this vulnerability.
Microsoft publishes advisory for CVE-2025-24054
Microsoft added CVE-2025-24054, an NTLM Hash Disclosure Spoofing Vulnerability, to its Security Update Guide. This indicates public disclosure and availability of Microsoft's advisory information for the issue.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2025-49760 - Security Update Guide - Microsoft - Windows Storage Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-47956 - Security Update Guide - Microsoft - Windows Security App Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-24054 - Security Update Guide - Microsoft - NTLM Hash Disclosure Spoofing Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Multiple Spoofing Flaws Exposing NTLM Hashes and Shell Links
Microsoft disclosed and patched several spoofing vulnerabilities across Windows and Exchange Server, including **NTLM hash disclosure** issues tracked as `CVE-2025-24996`, `CVE-2025-59185`, and `CVE-2025-59244`, a **Windows NTLM spoofing** flaw `CVE-2025-21217`, a **Windows Themes spoofing** bug `CVE-2025-21308`, a **Windows Shell Link Processing spoofing** issue `CVE-2026-25185`, and an older **Microsoft Exchange Server spoofing** vulnerability `CVE-2021-24085`. The advisories indicate a broad set of weaknesses that could let attackers disguise content or trigger credential exposure through trusted Windows components and enterprise messaging infrastructure. The concentration of flaws around NTLM and user-facing file handling highlights continued risk from spoofing paths that can mislead users or disclose authentication material. For defenders, the updates underscore the need to prioritize Microsoft security patches for systems handling Windows authentication, shell link processing, themes, and Exchange workloads, especially where NTLM remains enabled and could be leveraged for credential theft or follow-on intrusion.
May 25, 2026
Microsoft Discloses Multiple Windows Spoofing Vulnerabilities Across Core Components
Microsoft published security advisories for several **Windows spoofing vulnerabilities** affecting core platform components, including **Windows Shell Link Processing** (`CVE-2026-25185`), **Windows SMB Server** (`CVE-2025-48802`), **Windows NTLM** (`CVE-2025-21217`), **Virtual Secure Mode** (`CVE-2025-48813`), and **Windows Certificate** handling (`CVE-2022-21836`). The flaws span identity, file handling, network services, virtualization-backed security, and certificate trust mechanisms, indicating broad exposure across enterprise Windows environments. The advisories identify spoofing as the common impact, a class of weakness that can let attackers misrepresent files, systems, identities, or trust relationships to users and services. Organizations relying on Windows authentication, SMB-based file sharing, shortcut handling, certificate validation, and virtualization-based protections should review the affected CVEs and apply Microsoft security updates to reduce the risk of impersonation, deceptive content delivery, and trust bypass in managed environments.
May 25, 2026
Microsoft Patched Multiple Windows Information Disclosure Flaws Across Kernel and Storage Components
Microsoft published security updates for a broad set of **information disclosure vulnerabilities** affecting Windows components including the **Windows Kernel**, **Secure Kernel Mode**, **Storage Port Driver**, **Kerberos**, **File Explorer**, **Push Notification**, and **Storage Spaces** features. The referenced advisories identify numerous CVEs, including `CVE-2025-21319`, `CVE-2025-21323`, `CVE-2025-21242`, `CVE-2025-32722`, `CVE-2025-49684`, `CVE-2025-48808`, `CVE-2025-48809`, `CVE-2025-48810`, `CVE-2025-26636`, `CVE-2025-55683`, `CVE-2025-59184`, `CVE-2025-59209`, `CVE-2026-32217`, and `CVE-2026-32218`, along with earlier related issues such as `CVE-2024-49082` and `CVE-2022-21877`. The disclosures show a recurring pattern of sensitive data exposure risks in core Windows subsystems, with repeated findings in kernel and storage-related code paths. While the individual entries provide limited public detail, the breadth of affected components indicates that enterprises should prioritize Microsoft security updates for systems running Windows workloads that rely on low-level kernel, storage, authentication, and user-interface services, as these flaws could allow attackers to obtain information that may aid further compromise.
May 25, 2026