PoC Published for CVE-2026-24294: NTLM Reflection Bypass Grants SYSTEM Access on Windows Server 2025

dark6 1 July 2026

Security researchers at Synacktiv have published a working proof-of-concept (PoC) exploit for a new NTLM reflection bypass vulnerability, tracked as CVE-2026-24294, that enables SYSTEM-level privilege escalation on Windows Server 2025. The release demonstrates that Microsoft’s previous mitigations against NTLM reflection attacks were insufficient and that the fundamental design of Windows authentication remains susceptible to creative abuse.

Background: The Return of NTLM Reflection

NTLM reflection attacks have plagued Windows environments for years. The core technique involves coercing a Windows host into authenticating to an attacker-controlled service, then relaying that authentication back to the same machine to gain elevated privileges. In 2025, CVE-2025-33073 reintroduced NTLM reflection as a powerful attack vector, prompting Microsoft to patch the SMB client by blocking connections where the target name contained additional marshaled target information that had been abused to make remote authentication appear local.

However, researchers warned at the time that this mitigation was narrow: if another way to obtain local NTLM authentication on a controlled server could be found, reflection attacks might reappear. That prediction has now been confirmed.

How CVE-2026-24294 Works

The new flaw abuses a legitimate feature introduced in Windows 11 24H2 and Windows Server 2025 that allows SMB connections over arbitrary TCP ports, rather than requiring the traditional port 445. While this feature was designed to increase deployment flexibility, it inadvertently opened a new path for local NTLM reflection on servers where SMB signing is not enforced.

The attack unfolds in two stages:

  • Stage 1: The attacker starts a local SMB server listening on a non-standard port (e.g., port 12345) and mounts a share with net use \\127.0.0.1\share /tcpport:12345. This forces the Windows SMB client to establish and maintain a TCP connection to the attacker-controlled local server. Because SMB supports connection multiplexing, Windows prefers to reuse an existing connection rather than create a new one.
  • Stage 2: The attacker coerces a privileged service, such as LSASS running as NT AUTHORITY\SYSTEM, to access the same share path via a PetitPotam-style coercion primitive. The SMB client authenticates to the attacker’s local server over the already-established connection, performing local NTLM authentication because the target resolves to the same machine. The attacker captures this privileged authentication and relays it back to the real SMB service using a tool such as Impacket’s ntlmrelayx, resulting in a SYSTEM-authenticated session.

Reliable PoC on Windows Server 2025

Synacktiv built a reliable PoC using Impacket’s smbserver.py and ntlmrelayx, a modified local PetitPotam binary, and Windows net.exe. The exploit works by default on Windows Server 2025. It fails on Windows 11 24H2 where SMB signing is enforced, since relay attacks are blocked at the protocol integrity layer. This distinction highlights the critical importance of enforcing SMB signing across all Windows environments.

Microsoft assigned CVE-2026-24294 to the issue and shipped a fix in the March 2026 Patch Tuesday release, closing this specific reflection path. However, the public release of a working PoC significantly raises the risk for organizations that have not yet applied the patch.

Defensive Measures

The disclosure reinforces that simply blocking one NTLM reflection technique is insufficient: as long as NTLM remains in widespread use and SMB signing is optional, attackers will continue discovering new reflection and relay paths. Organizations should take the following steps:

  • Apply the March 2026 Patch Tuesday update (KB for CVE-2026-24294) on all Windows Server 2025 systems immediately
  • Enforce SMB signing on all Windows endpoints and servers — this alone would have prevented this attack
  • Monitor for unusual SMB traffic on non-standard TCP ports (anything other than 445)
  • Consider disabling NTLM authentication in favor of Kerberos where possible
  • Alert on unexpected LSASS or other privileged service connections to local or loopback SMB shares
  • Review use of the SMB-over-custom-port feature and restrict it where not operationally required
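A defender-side audit for the items above, written in PowerShell as an added example (not Synacktiv's PoC and not Microsoft's code). It assumes an elevated session and the in-box SmbShare and NetTCPIP cmdlets; the loopback-connection check is a heuristic and is labelled as such in the comments.

```powershell
# Added example: audits SMB signing (the setting the article identifies as the decisive
# mitigation) on both the server and client side, then lists SMB sessions and established
# TCP connections that target the local host on a port other than 445, which is the shape of
# the Stage 1 loopback mount described above. Remediation only happens with -Enforce.
[CmdletBinding()]
param(
    [switch]$Enforce   # when set, require signing instead of only reporting
)

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

[pscustomobject]@{
    ServerRequiresSigning = $server.RequireSecuritySignature
    ClientRequiresSigning = $client.RequireSecuritySignature
} | Format-List

if (-not $server.RequireSecuritySignature) {
    Write-Warning 'SMB server does not require signing: relayed NTLM authentication would be accepted.'
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
if (-not $client.RequireSecuritySignature) {
    Write-Warning 'SMB client does not require signing.'
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# SMB client sessions whose server is this machine itself (the "net use \\127.0.0.1\share" pattern).
$loopbackNames = @('127.0.0.1', '::1', 'localhost', $env:COMPUTERNAME)
$loopbackSmb = Get-SmbConnection | Where-Object { $_.ServerName -in $loopbackNames }
if ($loopbackSmb) {
    Write-Warning 'SMB sessions to the local host are established:'
    $loopbackSmb | Select-Object ServerName, ShareName, UserName, Dialect | Format-Table -AutoSize
}

# Heuristic: an established loopback TCP connection to a port other than 445 that is owned by
# the System process (PID 4, where the kernel SMB redirector runs) is consistent with a
# client-side SMB mount over a custom port. Treat hits as leads to verify, not as proof.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -in @('127.0.0.1', '::1') -and $_.RemotePort -ne 445 } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize
```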

The pattern of repeated NTLM reflection vulnerabilities underscores a deeper architectural problem. Until Microsoft completes its transition away from NTLM and enforces SMB signing universally, Windows Server environments will remain at risk from creative variations of this attack class.
