PoC Released for NTLM Reflection Bypass Flaw That Enables SYSTEM Access on Windows Server
A public proof-of-concept exploit has been released for CVE-2026-24294, a Windows SMB Server vulnerability that can let a low-privileged local attacker gain SYSTEM access on Windows Server 2025.
The flaw is not a classic remote code execution bug. It is a local elevation-of-privilege issue that abuses NTLM reflection, SMB connection reuse, and a newer SMB feature that allows connections over alternative TCP ports.
The technique was detailed by Synacktiv, which said the issue works by default on Windows Server 2025 but does not work on Windows 11 24H2 because SMB signing is enforced there.
What CVE-2026-24294 allows
CVE-2026-24294 affects Windows SMB Server and can allow an authorized attacker to elevate privileges locally. The attacker's goal is to make a privileged Windows service authenticate to an attacker-controlled local SMB service, then relay that authentication back to the real SMB service.
The public CVE-2026-24294 PoC describes the attack as local NTLM reflection using an SMB client feature in Windows 11 24H2 and Windows Server 2025 that supports connections to arbitrary TCP ports.
Once the relay succeeds, the attacker can obtain an SMB session authenticated as NT AUTHORITY\SYSTEM. That gives the attacker high-level control on the affected machine.
| Item | Details |
|---|---|
| CVE | CVE-2026-24294 |
| Component | Windows SMB Server |
| Vulnerability type | Elevation of privilege |
| Impact | Local SYSTEM access |
| CVSS | 7.8 High |
| Patch status | Fixed in March 2026 Patch Tuesday |
Microsoft rates the flaw as high severity
The NVD entry says improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally. Microsoft contributed a CVSS 3.1 score of 7.8.
The CVSS vector lists local attack access, low privileges, no user interaction, and high impact to confidentiality, integrity, and availability. That combination makes the bug serious even though it is not remotely exploitable from the internet by itself.
Rapid7's March 2026 Patch Tuesday summary listed CVE-2026-24294 as a Windows SMB Server elevation-of-privilege vulnerability with exploitation rated "more likely."
Why this is tied to NTLM reflection
NTLM reflection attacks work by tricking a Windows system into authenticating to a service controlled by the attacker, then relaying that authentication back to the same machine or another target.
Microsoft patched the earlier CVE-2025-33073 issue, but Synacktiv said the fix focused on one reflection route rather than eliminating the underlying risk of relaying local authentication.
In the new path, researchers abused the ability to connect to SMB shares on non-standard TCP ports. Microsoft's alternative SMB ports documentation says the SMB client can connect to alternative TCP, QUIC, and RDMA ports when the server supports them.
- The attacker starts a local SMB service on a non-standard port.
- The attacker mounts a share through the SMB client using that port.
- A privileged service is coerced into authenticating to the same share path.
- The SMB client reuses the existing connection.
- The privileged NTLM authentication is relayed back to the real SMB service.
The PoC uses known offensive security tools
The attack described by Synacktiv used modified Impacket components, Windows net.exe, and a local coercion technique based on PetitPotam-style behavior. The public PoC packages that logic for researchers and defenders who want to reproduce the issue in a lab.
The GitHub proof of concept says the technique combines arbitrary SMB TCP ports with SMB session multiplexing. The goal is to coerce LSASS to authenticate to an attacker-controlled SMB server on a non-standard local port.
Defenders should treat the PoC as a sign that exploitation knowledge is now easier to obtain. Organizations should focus on patching, SMB signing, NTLM reduction, and monitoring rather than assuming the bug will remain theoretical.
| Attack element | Role in the exploit chain |
|---|---|
| Alternative SMB port | Lets the attacker run a local SMB listener outside port 445 |
| SMB connection reuse | Helps the privileged authentication reuse the already mounted share path |
| LSASS coercion | Forces a privileged Windows service to authenticate |
| NTLM relay | Relays the privileged authentication to the local SMB service |
| Missing SMB signing enforcement | Allows the relay to succeed on affected server configurations |
Windows Server 2025 is the main concern
Synacktiv said the attack worked by default on Windows Server 2025. The same research said it did not work on Windows 11 24H2 because SMB signing blocks the relay path.
Microsoft's SMB signing documentation says Windows 11 24H2 Enterprise, Pro, and Education require inbound and outbound SMB signing by default, while Windows Server 2025 requires outbound SMB signing by default.
That difference matters because relay attacks fail when signing enforces message integrity on the relevant SMB session. Servers that do not enforce the right signing behavior remain more exposed to NTLM relay and reflection paths.
What Microsoft changed in March
Microsoft fixed CVE-2026-24294 in the March 2026 security updates. Administrators who have not applied those updates should treat Windows Server 2025 systems as priority patching targets, especially where local users, shared administration servers, or developer access exist.
The CVE record lists the weakness as CWE-287, improper authentication. That classification matches the attack pattern because Windows accepts or relays authentication in a way that lets a low-privileged actor reach a higher-privileged context.
Rapid7's Patch Tuesday review also flagged CVE-2026-24294 as not publicly disclosed at Microsoft's release time, but with exploitation rated more likely.
Why SMB signing is a key defense
SMB signing adds integrity protection to SMB traffic. It helps stop tampering and relay attacks because the receiver validates each signed packet with a key derived from the authenticated session, which a relaying attacker does not hold.
Microsoft's SMB signing guide recommends using Kerberos instead of NTLMv2, avoiding IP-address share connections, and avoiding CNAME DNS records for SMB paths.
Organizations should not rely only on the March patch. Enforcing SMB signing across servers and clients reduces the chance that a future NTLM relay variant can abuse a different Windows authentication path.
- Apply the March 2026 Windows security updates.
- Enforce SMB signing where business systems allow it.
- Audit systems that still allow unsigned SMB sessions.
- Restrict local logon and low-privileged access on servers.
- Monitor SMB traffic to non-standard ports.
- Reduce NTLM usage and move workloads toward Kerberos.
Alternative SMB ports need monitoring
The alternative-port feature has legitimate uses. It lets administrators configure SMB over ports other than the traditional defaults for TCP, QUIC, and RDMA.

However, the same flexibility creates a detection point. Unexpected SMB activity on high or non-standard local ports should trigger review, especially if it appears on Windows Server 2025 systems where users should not run local SMB listeners.
Microsoft's SMB ports guidance also says organizations can block configuring alternative ports or limit alternative-port connections to specific servers.
| Signal | Why it matters |
|---|---|
| SMB on non-standard local ports | May indicate an attempt to abuse alternative SMB port support |
| Unexpected net use activity | Can reveal suspicious share mounting behavior |
| LSASS network authentication to local shares | May indicate authentication coercion |
| Unsigned SMB sessions | Increase relay and reflection risk |
| New local SMB listeners | Can expose attacker-controlled relay infrastructure on the host |
NTLM remains the larger problem
CVE-2026-24294 shows why NTLM remains difficult to secure. Individual reflection paths can be patched, but attackers keep looking for new ways to coerce and relay authentication.
Microsoft has already started a broader transition away from NTLM. The company's NTLM deprecation plan says Windows is moving toward an NTLM-independent future through enhanced auditing, Kerberos improvements, and future default blocking.
That direction matters because NTLM does not provide the same server identity guarantees as Kerberos. As long as NTLM remains broadly available, attackers will continue to test relay and reflection bypasses.
How administrators should reduce exposure
Administrators should first confirm that March 2026 security updates were applied to Windows Server 2025 systems. They should then review SMB signing requirements, local user permissions, and NTLM usage across the environment.
Microsoft's NTLM auditing enhancements for Windows 11 24H2 and Windows Server 2025 help administrators identify who is using NTLM, why NTLM was chosen, and where the authentication occurred.
That visibility is important for migration. Security teams cannot safely disable or restrict NTLM until they know which applications, services, and legacy workflows still depend on it.
| Priority | Recommended action |
|---|---|
| Immediate | Install the March 2026 Windows security update on affected servers |
| Immediate | Confirm SMB signing requirements on Windows Server 2025 |
| High | Audit SMB access over alternative TCP ports |
| High | Restrict low-privileged local access to sensitive servers |
| Ongoing | Use NTLM auditing to identify legacy dependencies |
| Ongoing | Move services toward Kerberos where possible |
Detection ideas for security teams
Defenders should monitor for unusual SMB client behavior on Windows Server 2025, including connections to loopback or local IP addresses on non-standard ports. They should also watch for relay-tool behavior in lab-like or production environments.
Event monitoring should focus on NTLM use, local SMB authentication, suspicious share mounts, unexpected use of net.exe, and privileged service authentication to unusual paths.
Microsoft's enhanced NTLM audit logs can help defenders answer who used NTLM, why it was used, and where it occurred. Those details can help separate legacy behavior from suspicious authentication flows.
- Alert on SMB connections to loopback addresses over non-standard ports.
- Review net use commands that specify unusual SMB connection parameters.
- Investigate LSASS authentication to unexpected local shares.
- Monitor for unsigned SMB sessions where signing should be required.
- Track NTLM authentication events from servers that should use Kerberos.
- Block or restrict alternative SMB port configuration where it is not needed.
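As an added example (not from the article, Synacktiv's research, or the public PoC), the following Python scores SMB session records against the signals listed above: a local target on a non-standard port, an unsigned session, and a privileged account authenticating with NTLM to a local share. The JSON record format, field names, and sample records are constructed for this example and are not a real Windows event schema; map your own SMB server session and NTLM audit telemetry onto these fields before using it.

```python
import ipaddress
import json

# Constructed sample telemetry (not real event logs): one JSON record per
# SMB server session, with the fields the article's detection table keys on.
SAMPLE_RECORDS = r'''
{"client": "10.0.0.21", "server": "10.0.0.5", "port": 445, "user": "CORP\\alice", "auth": "Kerberos", "signed": true}
{"client": "127.0.0.1", "server": "127.0.0.1", "port": 8445, "user": "NT AUTHORITY\\SYSTEM", "auth": "NTLM", "signed": false}
{"client": "10.0.0.33", "server": "10.0.0.5", "port": 445, "user": "CORP\\svc-backup", "auth": "NTLM", "signed": false}
'''

STANDARD_SMB_PORT = 445
PRIVILEGED = {"NT AUTHORITY\\SYSTEM"}   # service identities that should never NTLM-auth to a local share

def is_local_target(ip, host_ips):
    """True if the SMB server address is loopback or one of this host's own addresses."""
    return ipaddress.ip_address(ip).is_loopback or ip in host_ips

def analyze(record, host_ips, signing_required=True):
    """Return the list of signal names a single session record triggers."""
    signals = []
    local = is_local_target(record["server"], host_ips)
    if local and record["port"] != STANDARD_SMB_PORT:
        signals.append("smb_local_nonstandard_port")
    if signing_required and not record["signed"]:
        signals.append("unsigned_smb_session")
    if record["auth"] == "NTLM" and record["user"] in PRIVILEGED and local:
        signals.append("privileged_ntlm_to_local_share")
    return signals

def severity(signals):
    # Any single signal deserves review; all three together match the
    # combination the article describes and should be treated as critical.
    if len(signals) >= 3:
        return "critical"
    return "review" if signals else "none"

def scan(text, host_ips, signing_required=True):
    """Parse JSON-lines records and return (user, severity, signals) per session."""
    results = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        sig = analyze(rec, host_ips, signing_required)
        results.append((rec["user"], severity(sig), sig))
    return results

if __name__ == "__main__":
    for user, sev, sig in scan(SAMPLE_RECORDS, {"10.0.0.5"}):
        print(f"{sev:8} {user:25} {', '.join(sig) or '-'}")
```

Pass `signing_required=False` for hosts where signing is legitimately not required, so the unsigned-session signal does not drown out the port and privileged-NTLM signals.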
The broader lesson for Windows authentication
The public PoC does not mean every Windows Server 2025 system is remotely exposed. The attacker needs local low-privileged access, and patched systems should no longer be vulnerable to this specific path.
Still, the research matters because it shows how new platform features can interact with older authentication weaknesses. In this case, alternative SMB ports and NTLM reflection created a privilege-escalation route that survived earlier reflection mitigations.
Microsoft's Windows security roadmap makes the long-term answer clear: organizations need to audit NTLM now, remove unnecessary dependencies, and prepare for stronger Kerberos-based defaults.
Bottom line
CVE-2026-24294 is a serious Windows Server 2025 privilege-escalation flaw, especially now that exploit code is public. It can turn low-privileged local access into SYSTEM access when the vulnerable SMB and NTLM reflection conditions line up.
The practical response is straightforward. Patch Windows Server systems, enforce SMB signing, monitor SMB on non-standard ports, and reduce NTLM wherever possible.
Organizations should also treat this as a warning about authentication hardening. Blocking one reflection path helps, but eliminating NTLM reliance and enforcing message integrity give defenders a stronger long-term position.
FAQ
CVE-2026-24294 is a Windows SMB Server elevation-of-privilege vulnerability. It can allow an authorized local attacker to elevate privileges to SYSTEM through an NTLM reflection bypass path.
No. Microsoft and NVD classify CVE-2026-24294 as a local elevation-of-privilege vulnerability requiring an authorized attacker. The public research shows it can lead to SYSTEM access on Windows Server 2025, but it is not best described as internet-facing pre-auth RCE.
Synacktiv said the attack works by default on Windows Server 2025 and does not work on Windows 11 24H2 because SMB signing is enforced there. Administrators should still patch all affected Windows systems.
Microsoft fixed CVE-2026-24294 in the March 2026 Patch Tuesday updates. Administrators should verify that affected Windows Server 2025 systems have received the relevant security update.
Organizations should install current Windows security updates, enforce SMB signing, audit and reduce NTLM usage, restrict low-privileged local access on servers, and monitor SMB traffic over non-standard ports.