Microsoft: Drop the MIC: Windows NTLM MIC Bypass
CWE-354
Improper Validation of Integrity Check Value
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Per NVD: “A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka ‘Windows NTLM Tampering Vulnerability’.”
Affected Packages / Versions
- Package: Microsoft Windows (NTLM authentication subsystem)
- Latest published version at triage time: per NVD CPE list, many Windows versions
- Affected range: Windows versions prior to the October 2019 cumulative update (per NVD CPE list and Microsoft KB)
- Patched version: Microsoft October 2019 cumulative update (the MSRC advisory page is JavaScript-rendered)
Impact
Per Praetorian’s blog: “During a recent internal network security assessment, using a low-privileged domain machine account, Praetorian leveraged this vulnerability to obtain Domain Administrator access, resulting in unfettered access to the target’s domain.” Praetorian’s blog walks through the exploitation path: a low-privileged domain machine account as the foothold → force DC1 to authenticate to the attacker-controlled relay → relay that authentication to DC2 with impacket’s ntlmrelayx and its --remove-mic option, so the MIC-less, tampered AUTHENTICATE message is accepted → S4U2Proxy against DC1 → a service ticket impersonating a Domain Admin via impacket’s getST.py. The NVD vector scores only integrity, but in a domain with relayable NTLM this integrity bypass is the pivot to full domain compromise.
Severity Rationale
NVD CVSS 5.9 (Medium): network attack vector, high attack complexity (the attacker must already be positioned as a man-in-the-middle on an NTLM exchange), no privileges or user interaction required, and integrity-only impact per NVD’s vector. The score reflects the tampering primitive in isolation; Praetorian’s blog frames the practical outcome as domain compromise once that primitive is chained into an NTLM relay.
Fix
Per Praetorian’s blog: “Praetorian recommends ensuring all systems are updated with the patches provided by Microsoft to address CVE-2019-1166, including updates that harden the NTLM MIC protection.” Defense in depth, independent of the MIC: require SMB signing on both servers and clients, require LDAP signing and enforce LDAP channel binding on domain controllers, restrict and audit inbound/outbound NTLM, and migrate from NTLM to Kerberos where possible. The MIC only stops a relayer from altering negotiated flags; a target that requires signing or channel binding rejects relayed authentication regardless of whether the MIC survives, because the relayer never holds the session key.
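The following audit script is an added example, not code from Microsoft, Praetorian, or the advisory. It reads the documented registry locations behind the mitigations listed above and reports which are still in their default (weak) state, so the fix can be verified host by host rather than assumed from policy. Assumptions: it runs from an elevated prompt on the host under test (domain controllers for the NTDS checks), the expected DWORD values follow Microsoft’s documented meanings (1 = SMB signing required, 2 = LDAP signing required / channel binding always, LmCompatibilityLevel 5 = NTLMv2 only, RestrictReceivingNTLMTraffic 2 = deny all), and the patch check is only a date heuristic over Get-HotFix, since the KB number for the October 2019 cumulative update differs per Windows build.

```powershell
# Added audit example (not Microsoft's or Praetorian's code). Read-only: it never writes to the registry.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, which for every setting checked below
    # is the Windows default, i.e. the weaker configuration.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-NtlmRelayHardening {
    # One row per relay mitigation: registry location, the value that counts as
    # hardened (per Microsoft documentation), and the policy that sets it.
    $checks = @(
        @{ Check = 'SMB server: signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Setting = 'RequireSecuritySignature'; Required = 1
           Remedy = 'GPO: Microsoft network server: Digitally sign communications (always)' }
        @{ Check = 'SMB client: signing required'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Setting = 'RequireSecuritySignature'; Required = 1
           Remedy = 'GPO: Microsoft network client: Digitally sign communications (always)' }
        @{ Check = 'LDAP server: signing required (DC only)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Setting = 'LDAPServerIntegrity'; Required = 2
           Remedy = 'GPO: Domain controller: LDAP server signing requirements = Require signing' }
        @{ Check = 'LDAP server: channel binding always (DC only)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Setting = 'LdapEnforceChannelBinding'; Required = 2
           Remedy = 'GPO: Domain controller: LDAP server channel binding token requirements = Always' }
        @{ Check = 'NTLMv2 only, LM and NTLMv1 refused'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Setting = 'LmCompatibilityLevel'; Required = 5
           Remedy = 'GPO: Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM' }
        @{ Check = 'Inbound NTLM denied'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
           Setting = 'RestrictReceivingNTLMTraffic'; Required = 2
           Remedy = 'GPO: Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts (audit first with AuditReceivingNTLMTraffic)' }
    )

    foreach ($c in $checks) {
        $current = Get-RegDword -Path $c.Path -Name $c.Setting
        $ok = ($null -ne $current) -and ($current -eq $c.Required)
        $shown = if ($null -eq $current) { '<not set (default)>' } else { $current }
        [pscustomobject]@{
            Check   = $c.Check
            Current = $shown
            Status  = if ($ok) { 'OK' } else { 'WEAK' }
            Remedy  = if ($ok) { '' } else { $c.Remedy }
        }
    }
}

function Test-October2019Baseline {
    # Heuristic (an assumption of this example, not a Microsoft-documented check):
    # cumulative updates supersede each other, so any LCU installed on or after
    # 2019-10-08 implies the October 2019 fix. KB IDs vary by build, hence the date.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patched = $latest -and ($latest.InstalledOn -ge [datetime]'2019-10-08')
    [pscustomobject]@{
        Check   = 'Cumulative update installed on/after 2019-10-08'
        Current = if ($latest) { "$($latest.HotFixID) ($($latest.InstalledOn.ToString('yyyy-MM-dd')))" } else { '<no hotfix found>' }
        Status  = if ($patched) { 'OK' } else { 'WEAK' }
        Remedy  = if ($patched) { '' } else { 'Install current Windows cumulative updates' }
    }
}

Test-NtlmRelayHardening  | Format-Table -AutoSize -Wrap
Test-October2019Baseline | Format-Table -AutoSize -Wrap
```

Any row marked WEAK is a target an ntlmrelayx-style relay can still reach even on a fully patched host: the MIC hardening closes the tampering path, while signing and channel binding remove the relay target itself. Treat the hotfix row as a prompt to check the build’s actual KB against the Microsoft Update Catalog, not as proof of patch state.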
Disclosure timeline
- TBD: Reported to vendor
- Oct 8, 2019: Patch released (Microsoft October 2019 Patch Tuesday)
- Oct 8, 2019: Public disclosure
Fix Commit(s)
References
Credit: Microsoft / external NTLM researchers; Praetorian published an exploitation walkthrough drawn from an internal network assessment. · Published April 29, 2026