Cyber Resilience

CVE-2025-66413

HighPublic PoC

Published: 10 March 2026

Published
10 March 2026
Modified
21 April 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS Score 0.0006 18.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66413 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Gitforwindows Git. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-20 (Use of External Systems).

Deeper analysis

CVE-2025-66413 affects Git for Windows, the Windows port of Git, in versions prior to 2.53.0(2). The vulnerability enables an attacker to obtain a user's NTLM hash by tricking them into cloning a repository from a malicious server. This issue stems from weaknesses classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-307 (Improper Restriction of Excessive Authentication Attempts), earning a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).

A remote attacker with no privileges can exploit this vulnerability by luring a user to execute a git clone command against a server they control, requiring user interaction but no special access. Successful exploitation yields the victim's NTLM hash, which, due to the inherent weakness of NTLM hashing, allows the attacker to brute-force the corresponding Windows account username and password, potentially enabling further lateral movement or privilege escalation on the victim's network.

The Git for Windows security advisory (GHSA-hv9c-4jm9-jh3x) and release notes for version 2.53.0(2) confirm the vulnerability has been fixed in that release, recommending immediate upgrade to mitigate the risk. Practitioners should verify installations and apply the patch promptly.

EU & UK References

Vulnerability details

Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the…

more

attacker to brute-force the user's account name and password. This vulnerability is fixed in 2.53.0(2).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1187 Forced Authentication Credential Access
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Why these techniques?

Vulnerability directly enables capture of NTLM hashes via forced client authentication to a malicious Git server during clone operations.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32631Shared CWE-200
CVE-2026-42826Shared CWE-200
CVE-2024-13796Shared CWE-200
CVE-2025-27784Shared CWE-200
CVE-2025-26001Shared CWE-200
CVE-2025-24232Shared CWE-200
CVE-2025-25975Shared CWE-200
CVE-2024-12142Shared CWE-200
CVE-2026-6346Shared CWE-200
CVE-2024-51476Shared CWE-307

Affected Assets

gitforwindows
git
≤ 2.53.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch (2.53.0(2)) that eliminates the NTLM-hash exposure during git clone.

prevent

Establishes authorization and connection restrictions for external systems, limiting a user’s ability to clone from an untrusted malicious server.

detect

Enables continuous scanning to discover installations of Git for Windows prior to 2.53.0(2) that remain vulnerable to the described attack.

References