Windows SMB Server Elevation of Privilege via NTLM Reflection Bypass
CVE-2026-24294 is an elevation-of-privilege vulnerability in Windows SMB Server caused by improper authentication. Available reporting describes it as an NTLM reflection bypass that abuses a feature introduced in Windows 11 24H2 and Windows Server 2025: the SMB client can connect to a server on an arbitrary TCP port rather than only on port 445.

The attack runs entirely on one host. The attacker starts a local SMB server on a non-standard port, connects to it through the arbitrary-port capability, and then coerces a privileged local service, such as LSASS running as NT AUTHORITY\SYSTEM, into accessing a UNC path on that same server name. The Windows SMB client reuses its existing TCP connection to that server rather than opening a fresh one on port 445, and SMB2 multiplexes several authenticated sessions over a single connection, so the privileged service's NTLM authentication is delivered to the attacker-controlled listener. From there it is relayed back to the host's real SMB service; a successful relay yields a SYSTEM-authenticated SMB session on the same machine.

Microsoft patched the issue in the March 2026 Patch Tuesday release. Reporting states that the exploit works by default on Windows Server 2025, while Windows 11 24H2 is not vulnerable by default because SMB signing is enforced there: the attacker never learns the session key of the relayed authentication, so the relayed session cannot be signed, and a server that requires signing rejects it. The protection therefore rests on the signing requirement rather than on the OS version, and a Windows 11 24H2 host on which signing has been turned off should not be assumed safe.
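The following PowerShell is an added example, not code from the page or from the exploit repository described below. It audits the SMB signing requirement on the local host (the setting the reporting credits for Windows 11 24H2 not being exploitable by default), optionally enforces it, and lists established loopback TCP connections owned by the kernel (PID 4, where the SMB client runs) to ports other than 445. The function names and the loopback heuristic are this example's own assumptions; the heuristic is noisy and is a hunting aid, not a signature for this CVE, and it does not replace the March 2026 update.

```powershell
# Added example (not from the page or the exploit repository): SMB signing
# audit/enforcement plus a loopback-connection hunt for the reflection
# pattern described above. Function names and the heuristic are assumptions.
#Requires -RunAsAdministrator

function Get-SmbSigningPosture {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequireSigning  = [bool]$client.RequireSecuritySignature
        ServerRequireSigning  = [bool]$server.RequireSecuritySignature
        ServerEncryptData     = [bool]$server.EncryptData
        # A relayed NTLM session carries no session key the attacker knows, so
        # the attacker cannot sign; a server that refuses unsigned sessions
        # refuses the relayed one. Client-side signing is defence in depth only.
        RelayBlockedBySigning = [bool]$server.RequireSecuritySignature
    }
}

function Set-SmbSigningRequired {
    param([switch]$ClientToo)
    # -Force applies the change without an interactive confirmation prompt.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    if ($ClientToo) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    Get-SmbSigningPosture
}

function Get-KernelLoopbackNonSmbConnections {
    # The SMB client lives in the kernel, so its sockets are owned by PID 4.
    # An established kernel-owned loopback connection to a port other than 445
    # is what an SMB mount of \\127.0.0.1\share /tcpport:<n> looks like from
    # the socket table. Other kernel components can produce hits; review them.
    Get-NetTCPConnection -State Established -OwningProcess 4 -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RemoteAddress -eq '127.0.0.1' -or $_.RemoteAddress -eq '::1') -and
            $_.RemotePort -ne 445
        } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
}

$posture = Get-SmbSigningPosture
$posture | Format-List
if (-not $posture.ServerRequireSigning) {
    Write-Warning 'SMB server does not require signing: a relayed NTLM session on this host would be accepted. Run Set-SmbSigningRequired.'
}
$suspect = Get-KernelLoopbackNonSmbConnections
if ($suspect) {
    Write-Warning 'Kernel-owned loopback connections to non-445 ports (check for SMB alternate-port use):'
    $suspect | Format-Table -AutoSize
}
```

Run it in an elevated session on each Windows Server 2025 or Windows 11 24H2 host. `Set-SmbSigningRequired` changes live server behaviour, so expect clients that cannot sign to lose access; verify that before applying it broadly.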
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a working exploit chain combining a modified Windows PetitPotam coercion client with a modified Impacket SMB server. The purpose is local NTLM reflection / privilege escalation on Windows Server 2025 by abusing SMB arbitrary-port connections plus SMB session multiplexing.

The C++ project under PetitPotam/ is a Visual Studio solution that binds to the EFSRPC interface UUID df1941c5-fe89-4e79-bf10-463657acf44d over the named pipe \pipe\efsrpc using ncacn_np. It accepts three arguments: capture server, target server, and EFS API selector. It constructs a UNC path to \\<captureServer>\test\topotam.exe and invokes one of several EFSRPC methods (notably EfsRpcEncryptFileSrv in the README example) against the target. Success is inferred from expected RPC error codes such as ERROR_BAD_NETPATH or ERROR_ACCESS_DENIED, which indicate that the target attempted outbound access to the attacker-controlled UNC path.

The generated files ms-efsrpc_c.c, ms-efsrpc_h.h, ms-dtyp.h, and ms-dtyp_h.h are MIDL-generated RPC client stubs and type definitions supporting the EFSRPC calls. They are not standalone exploit logic but provide the RPC interface implementation used by PetitPotam.cpp.

The Python smbserver.py is a modified Impacket SMB server entry point. It adds a -relay-port option and hooks SMB2 SESSION_SETUP handling to capture a second NTLM authentication on an already-established multiplexed SMB connection, then forwards that authentication to a raw relay listener such as ntlmrelayx --raw-port. This turns the coerced authentication into a usable relay/reflection primitive.

The README documents the full three-terminal workflow: start ntlmrelayx on raw port 6666 targeting smb://127.0.0.1, start smbserver.py on TCP 12345 with share name test and relay-port 6666, then mount \\127.0.0.1\test using /tcpport:12345 and run PetitPotam.exe 127.0.0.1 localhost 2. Expected outcome is command execution as NT AUTHORITY\SYSTEM.
Overall, this is a real exploit repository, not merely detection code. It is operational rather than heavily weaponized: the coercion path/share is partly hardcoded, the workflow is manual, and it relies on external tooling (Impacket ntlmrelayx) for final command execution.
Recent activity
25 sources tracked across advisories, community write-ups, and news. Summaries from those sources:
An NTLM reflection bypass vulnerability in Windows Server 2025 that can enable SYSTEM-level local compromise by abusing SMB over arbitrary TCP ports and relaying privileged local NTLM authentication.
A vulnerability arising from abuse of the new ability in Windows 11 24H2 and Windows Server 2025 to mount SMB shares on arbitrary TCP ports, enabling a demonstrated local privilege escalation attack path via localhost coercion.
A local privilege escalation vulnerability involving NTLM reflection via SMB arbitrary port connection reuse on recent Windows versions.
A local privilege escalation vulnerability on recent Windows versions that abuses SMB arbitrary-port connections and SMB connection reuse to relay local NTLM authentication back to the machine.