Vypr research, published Jun 30, 2026 (1 source)

PoC Released for NTLM Reflection Bypass Flaw Enabling SYSTEM Access on Windows Server

A proof-of-concept exploit for CVE-2026-24294 demonstrates a new NTLM reflection bypass flaw affecting Windows Server 2025 and Windows 11 24H2, allowing SYSTEM-level access.

A working proof-of-concept (PoC) exploit has been released for a new NTLM reflection bypass flaw that enables SYSTEM-level access on Windows Server 2025, raising fresh concerns about the resilience of Microsoft’s authentication hardening. The vulnerability, tracked as CVE-2026-24294, demonstrates that even after the high-profile CVE-2025-33073 NTLM reflection issue was patched, the underlying design weaknesses in Windows authentication were not fully resolved.

In 2025, CVE-2025-33073 reintroduced NTLM reflection as a powerful attack vector, allowing an attacker to coerce a Windows host into authenticating to an attacker-controlled service and then relaying that authentication back to the same machine to gain SYSTEM privileges. Microsoft’s initial fix focused on the SMB client, blocking connections where the target name contained additional marshaled target information, a technique abused to make remote authentication appear local.

Researchers had warned that this mitigation was narrow, predicting that if another method to obtain local NTLM or Kerberos authentication on a controlled server could be found, reflection attacks might reappear. This prediction has now materialized with CVE-2026-24294. The new flaw abuses a feature introduced in Windows 11 24H2 and Windows Server 2025 that permits SMB connections over arbitrary TCP ports, deviating from the traditional port 445.

This feature, intended to enhance flexibility for SMB deployments, inadvertently opened a new pathway for local NTLM reflection on servers where SMB signing is not enforced. The attack unfolds in two primary stages. In the first stage, the attacker establishes a local SMB server listening on a non-standard port, such as 12345, and mounts a share using a command like "net use \\127.0.0.1\share /tcpport:12345". This action compels the Windows SMB client to establish and maintain a TCP connection to the malicious local server.

Because SMB supports multiplexing, multiple authenticated sessions can reuse the same TCP connection. Windows prioritizes reusing an existing connection over establishing a new one. In the second stage, the attacker coerces a privileged service, such as LSASS (Local Security Authority Subsystem Service), running as NT AUTHORITY\SYSTEM, to access the same share path. This is often achieved using a modified PetitPotam-style coercion primitive.

The SMB client then authenticates to the attacker’s local SMB server over the pre-established connection. This results in local NTLM authentication because the target effectively resolves to the same machine. The attacker captures this privileged NTLM authentication and relays it back to the legitimate SMB service on the host using a relay tool like Impacket’s ntlmrelayx, ultimately achieving a SYSTEM-authenticated SMB session and full local compromise.

Synacktiv researchers developed a reliable PoC utilizing Impacket’s smbserver.py and ntlmrelayx, a modified local PetitPotam binary, and Windows’ net.exe. The exploit functions by default on Windows Server 2025. However, it fails on Windows 11 24H2 where SMB signing is enforced, blocking relay attacks at the protocol integrity layer. Microsoft has assigned CVE-2026-24294 to this issue and released a fix in the March 2026 Patch Tuesday update, closing this specific reflection vector.

The existence of this new PoC underscores that merely blocking one NTLM reflection technique is insufficient. As long as NTLM remains prevalent and SMB signing is optional, attackers will continue to discover novel methods to coerce and relay privileged authentication. For defenders, prompt patching, strict enforcement of SMB signing, reduced NTLM usage, and vigilant monitoring of unusual SMB traffic on non-standard ports are now critical measures to prevent similar SYSTEM-level compromises in Windows Server environments.
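As an added example (not code from the Vypr article or from Synacktiv's PoC), the following PowerShell audit script checks the controls the paragraph above calls out: it reports whether the SMB client and server require signing, optionally enforces it, and lists loopback SMB mappings, connections and sessions of the kind the first attack stage creates. It assumes the SmbShare module cmdlets are available and that it runs in an elevated session.

```powershell
# Added example: SMB signing and loopback-SMB audit for the reflection scenario above.
# Assumption: SmbShare module cmdlets are available; run elevated. Pass -Enforce to
# switch signing on instead of only reporting its state.
param([switch]$Enforce)

# 1. Signing posture. Relay only succeeds when the target does not require signing,
#    which is why the PoC works on Server 2025 and fails on Windows 11 24H2.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
[pscustomobject]@{
    ClientRequiresSigning = $client.RequireSecuritySignature
    ServerRequiresSigning = $server.RequireSecuritySignature
} | Format-List

if ($Enforce) {
    if (-not $client.RequireSecuritySignature) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    if (-not $server.RequireSecuritySignature) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

# 2. Client side: the attack starts by mounting \\127.0.0.1\share, so any mapping or
#    connection whose server is the local host deserves a look.
$loopbackHost = '^(127\.|::1$|localhost$)'
$suspectMappings = Get-SmbMapping    | Where-Object { $_.RemotePath -match '^\\\\(127\.[0-9.]+|localhost|::1)\\' }
$suspectConns    = Get-SmbConnection | Where-Object { $_.ServerName -match $loopbackHost }

# 3. Server side: a relayed SYSTEM session appears as an SMB session from the host itself.
$suspectSessions = Get-SmbSession | Where-Object { $_.ClientComputerName -match $loopbackHost }

foreach ($m in $suspectMappings) {
    Write-Warning "Loopback SMB mapping: '$($m.LocalPath)' -> $($m.RemotePath)"
}
foreach ($c in $suspectConns) {
    Write-Warning "Loopback SMB connection: \\$($c.ServerName)\$($c.ShareName) as $($c.UserName)"
}
foreach ($s in $suspectSessions) {
    Write-Warning "SMB session from local host: $($s.ClientComputerName) as $($s.ClientUserName)"
}
```

A loopback mapping by itself is not proof of compromise, but on a server it is rare enough to warrant checking which process created it and which port the connection uses.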

Synthesized by Vypr AI