CVE-2025-66413
Published: 10 March 2026
Summary
CVE-2025-66413 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Gitforwindows Git. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-20 (Use of External Systems).
Deeper analysis
CVE-2025-66413 affects Git for Windows, the Windows port of Git, in versions prior to 2.53.0(2). The vulnerability enables an attacker to obtain a user's NTLM hash by tricking them into cloning a repository from a malicious server. This issue stems from weaknesses classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-307 (Improper Restriction of Excessive Authentication Attempts), earning a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).
A remote attacker with no privileges can exploit this vulnerability by luring a user to execute a git clone command against a server they control, requiring user interaction but no special access. Successful exploitation yields the victim's NTLM hash, which, due to the inherent weakness of NTLM hashing, allows the attacker to brute-force the corresponding Windows account username and password, potentially enabling further lateral movement or privilege escalation on the victim's network.
The Git for Windows security advisory (GHSA-hv9c-4jm9-jh3x) and release notes for version 2.53.0(2) confirm the vulnerability has been fixed in that release, recommending immediate upgrade to mitigate the risk. Practitioners should verify installations and apply the patch promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208534
Vulnerability details
Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the…
more
attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables capture of NTLM hashes via forced client authentication to a malicious Git server during clone operations.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of the vendor patch (2.53.0(2)) that eliminates the NTLM-hash exposure during git clone.
Establishes authorization and connection restrictions for external systems, limiting a user’s ability to clone from an untrusted malicious server.
Enables continuous scanning to discover installations of Git for Windows prior to 2.53.0(2) that remain vulnerable to the described attack.