CVE-2019-1166
published 2019-10-10

Priority: P3 47 · medium 5.9 CVSS 3.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 61.68% (99.1th percentile)
A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.

Affected

66 ranges · showing 25
Vendor     Product      Version range   Fixed in
microsoft  windows
microsoft  windows_10

Detection & IOCs

  • Detect NTLM authentication exchanges where the MIC (Message Integrity Check) field has been tampered with: specifically, monitor for NTLM AUTHENTICATE messages where the MIC is zeroed out or modified while the MIC flag in NegotiateFlags remains set, which is the mechanism used to bypass MIC protection.
  • Monitor for man-in-the-middle conditions on the network where NTLM exchanges are being intercepted and relayed, particularly targeting the MIC bypass to downgrade NTLM security features.
  • The vulnerability is server-side; the fix hardens NTLM MIC protection on the server. Unpatched servers remain vulnerable to NTLM relay/downgrade attacks even if clients are patched.
  • Exploitation allows an attacker to downgrade NTLM security features, which can facilitate further attacks such as NTLM relay. Ensure NTLM signing and EPA (Extended Protection for Authentication) are enforced where possible.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     5.9    MEDIUM    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd          v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_msrc           5.9    MEDIUM