A working proof-of-concept (PoC) exploit has been released for a new NTLM reflection bypass flaw that enables SYSTEM-level access on Windows Server 2025, raising fresh concerns about the resilience of Microsoft’s authentication hardening.
The vulnerability, tracked as CVE-2026-24294, shows that even after the high‑profile CVE-2025-33073 NTLM reflection issue was patched, the underlying design weaknesses in Windows authentication were not fully resolved.
In 2025, CVE-2025-33073 reintroduced NTLM reflection as a powerful attack vector, allowing an attacker to coerce a Windows host into authenticating to an attacker‑controlled service and then relaying that authentication back to the same machine to gain SYSTEM privileges.

Microsoft’s fix focused on the SMB client, blocking connections where the target name contained additional marshaled target information. This technique had been abused to make remote authentication appear local.
PoC Released for NTLM Reflection Bypass Flaw
Researchers warned that this mitigation was narrow: if another way to obtain local NTLM or Kerberos authentication on a controlled server could be found, reflection attacks might reappear.
That prediction has now materialized. The new CVE-2026-24294 flaw abuses a feature introduced in Windows 11 24H2 and Windows Server 2025 that allows SMB connections over arbitrary TCP ports, rather than the traditional port 445.

This feature was meant to increase flexibility for SMB deployments. However, in practice it opened a new path for local NTLM reflection on servers where SMB signing is not enforced.
The attack works in two main stages. First, the attacker starts a local SMB server listening on a non-standard port, such as 12345, and mounts a share using a command like “net use \\127.0.0.1\share /tcpport:12345”.
This forces the Windows SMB client to establish and maintain a TCP connection to the malicious local server.
Because SMB supports multiplexing, multiple authenticated sessions can reuse the same TCP connection, and Windows will prefer reusing an existing connection instead of creating a new one.

Forcing a privileged service such as LSASS to authenticate to the previously mounted share (source: Synacktiv)
In the second stage, the attacker coerces a privileged service such as LSASS, running as NT AUTHORITY\SYSTEM, to access the same share path, for example by using a modified PetitPotam‑style coercion primitive.
The SMB client then authenticates to the attacker’s local SMB server over the already-established connection, performing local NTLM authentication because the target effectively resolves to the same machine.
The attacker captures this privileged NTLM authentication and relays it back to the real SMB service on the host using a relay tool such as Impacket’s ntlmrelayx, resulting in a SYSTEM-authenticated SMB session and full local compromise.
Synacktiv researchers built a reliable PoC using Impacket’s smbserver.py and ntlmrelayx, a modified local PetitPotam binary, and Windows net.exe.
The exploit works by default on Windows Server 2025. However, it fails on Windows 11 24H2, where SMB signing is enforced, and relay attacks are blocked at the protocol integrity layer.
Microsoft assigned CVE-2026-24294 to the issue and shipped a fix in the March 2026 Patch Tuesday release, closing this specific reflection path.
The new PoC demonstrates that simply blocking one NTLM reflection technique is not enough; as long as NTLM remains widely used and SMB signing is optional, attackers can keep discovering fresh ways to coerce and relay privileged authentication.
For defenders, timely patching, strict SMB signing, reduced NTLM usage, and careful monitoring of unusual SMB traffic on non-standard ports are now critical to preventing similar SYSTEM-level compromise on Windows Server environments.
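As an added illustration, not code from the article or from Synacktiv's PoC, the following PowerShell checks the two things the write-up turns on: whether SMB signing is actually required on both the client and server side, and whether the kernel SMB client currently holds established connections on a port other than 445 (the /tcpport pattern from the first stage, with loopback peers flagged). It assumes Windows 11 24H2 or Windows Server 2025 and an elevated session; the function names are the author's own.

```powershell
# Added defender check (not from the article or Synacktiv's PoC). Assumes
# Windows 11 24H2 / Server 2025 and an elevated PowerShell session.

function Get-SmbSigningPosture {
    # Signing must be *required* on both sides; merely enabled signing is only
    # negotiated, which is the state that leaves Server 2025 open to reflection.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = [bool]$srv.RequireSecuritySignature
        ClientRequiresSigning = [bool]$cli.RequireSecuritySignature
    }
}

function Get-SmbClientConnectionsOffPort445 {
    # The SMB client runs in the kernel, so its sockets belong to PID 4 (System).
    # An established PID-4 connection whose remote port is not 445 is exactly what
    # "net use ... /tcpport:N" produces; a loopback peer matches the local setup
    # described in the article.
    Get-NetTCPConnection -State Established -OwningProcess 4 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -ne 445 } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
            @{ Name = 'Loopback'; Expression = { $_.RemoteAddress -match '^(127\.|::1$)' } }
}

$posture = Get-SmbSigningPosture
$posture | Format-List
if (-not ($posture.ServerRequiresSigning -and $posture.ClientRequiresSigning)) {
    Write-Warning 'SMB signing is not required on both client and server. Enforce it with:'
    Write-Warning '  Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
    Write-Warning '  Set-SmbClientConfiguration -RequireSecuritySignature $true -Force'
}

$odd = Get-SmbClientConnectionsOffPort445
if ($odd) {
    Write-Warning 'Established SMB client connections on ports other than 445:'
    $odd | Format-Table -AutoSize
} else {
    'No SMB client connections on ports other than 445.'
}
```

A non-445 connection is not proof of abuse on its own, since the alternate-port feature has legitimate uses; treat a loopback peer combined with non-required signing as the combination worth investigating.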