PetitPotam / Windows LSA Spoofing Vulnerability
CVE-2021-36942 is the Windows Local Security Authority (LSA) spoofing vulnerability commonly referred to as PetitPotam. It abuses the MS-EFSRPC interface, notably EfsRpcOpenFileRaw, to coerce a Windows host, including a domain controller, into authenticating to an attacker-controlled system: the attacker passes a UNC path pointing at a host they control as the FileName argument of an EFSRPC method, and the target opens that path outbound and authenticates to it with NTLM. Microsoft's KB5005033 update blocked the unauthenticated path, specifically anonymous EFSRPC calls reached through \pipe\lsarpc, but authenticated coercion over EFSRPC, including through \pipe\efsrpc, continued to work in some environments. PetitPotam is an authentication-coercion primitive rather than an end goal in itself and is commonly chained with NTLM relay, particularly against AD CS enrollment endpoints, where the relayed machine-account authentication can be exchanged for a certificate that is then used to request Kerberos tickets.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a working exploit chain combining a modified Windows PetitPotam coercion client with a modified Impacket SMB server. The purpose is local NTLM reflection / privilege escalation on Windows Server 2025 by abusing SMB arbitrary-port connections plus SMB session multiplexing.

The C++ project under PetitPotam/ is a Visual Studio solution that binds to the EFSRPC interface UUID df1941c5-fe89-4e79-bf10-463657acf44d over the named pipe \pipe\efsrpc using ncacn_np. It accepts three arguments: capture server, target server, and EFS API selector. It constructs a UNC path to \\<captureServer>\test\topotam.exe and invokes one of several EFSRPC methods (EfsRpcEncryptFileSrv in the README example) against the target. Success is inferred from the RPC error codes ERROR_BAD_NETPATH or ERROR_ACCESS_DENIED, which indicate that the target attempted outbound access to the attacker-controlled UNC path.

The generated files ms-efsrpc_c.c, ms-efsrpc_h.h, ms-dtyp.h, and ms-dtyp_h.h are MIDL-generated RPC client stubs and type definitions supporting the EFSRPC calls. They are not standalone exploit logic but provide the RPC interface implementation used by PetitPotam.cpp.

The Python smbserver.py is a modified Impacket SMB server entry point. It adds a -relay-port option and hooks SMB2 SESSION_SETUP handling to capture a second NTLM authentication on an already-established multiplexed SMB connection, then forwards that authentication to a raw relay listener such as ntlmrelayx --raw-port. This turns the coerced authentication into a usable relay/reflection primitive.

The README documents the full three-terminal workflow: start ntlmrelayx on raw port 6666 targeting smb://127.0.0.1, start smbserver.py on TCP 12345 with share name test and relay-port 6666, then mount \\127.0.0.1\test using /tcpport:12345 and run PetitPotam.exe 127.0.0.1 localhost 2. Expected outcome is command execution as NT AUTHORITY\SYSTEM.
Overall, this is a real exploit repository, not merely detection code. It is operational rather than heavily weaponized: the coercion path/share is partly hardcoded, the workflow is manual, and it relies on external tooling (Impacket ntlmrelayx) for final command execution.
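Both the coercion summary at the top of the page and the exploit description above rest on one wire-level detail: the FileName argument of EFSRPC methods such as EfsRpcOpenFileRaw and EfsRpcEncryptFileSrv is an NDR-marshalled wide string, the server opens whatever path it names, and the caller reads ERROR_BAD_NETPATH or ERROR_ACCESS_DENIED as proof that the target reached out. The Python below is an added example, not code from this page or from the PetitPotam repository it describes: it builds those request stubs, decodes them back, interprets the status codes the PoC relies on, and triages decoded calls for UNC paths that point outside an allowlist of file servers. The opnum values come from the MS-EFSRPC interface definition; the helper names, the allowlist and the sample call records are assumptions made for the example.

```python
# Added example (not from the page or the PetitPotam repository): encode and
# decode the NDR request stub carried by the EFSRPC coercion calls, interpret
# the status codes the PoC reads as "target reached out", and triage decoded
# calls for coercion-style UNC paths. Standard library only; helper names,
# the allowlist and the sample call records are assumptions for the example.
import re
import struct

EFSRPC_UUID = "df1941c5-fe89-4e79-bf10-463657acf44d"  # MS-EFSRPC interface UUID

# Opnums of the MS-EFSRPC methods most often used for coercion.
OPNUM = {
    "EfsRpcOpenFileRaw": 0,
    "EfsRpcEncryptFileSrv": 4,
    "EfsRpcDecryptFileSrv": 5,
    "EfsRpcQueryUsersOnFile": 6,
    "EfsRpcQueryRecoveryAgents": 7,
}
OPNAME = {v: k for k, v in OPNUM.items()}

# Win32 status codes the PoC treats as "the target tried to open the UNC path".
ERROR_ACCESS_DENIED = 5
ERROR_BAD_NETPATH = 53


def ndr_wstr(s: str) -> bytes:
    """Encode an [in, string] wchar_t* argument as an NDR conformant varying
    string: max count, offset, actual count (all in wchar_t units), then the
    UTF-16LE characters including the terminator, padded to a 4-byte boundary."""
    data = (s + "\x00").encode("utf-16-le")
    count = len(data) // 2
    body = struct.pack("<III", count, 0, count) + data
    return body + b"\x00" * (-len(body) % 4)


def encrypt_file_srv_stub(file_name: str) -> bytes:
    """Request stub for EfsRpcEncryptFileSrv(handle_t, wchar_t* FileName).
    The binding handle travels in the RPC layer, so the stub is the string alone."""
    return ndr_wstr(file_name)


def open_file_raw_stub(file_name: str, flags: int = 0) -> bytes:
    """Request stub for EfsRpcOpenFileRaw(handle_t, [out] ctx, wchar_t* FileName,
    long Flags). [out] parameters are absent from the request."""
    return ndr_wstr(file_name) + struct.pack("<i", flags)


def decode_file_name(stub: bytes) -> str:
    """Recover FileName from a request stub whose first argument is the string,
    refusing counts that do not fit the buffer instead of trusting them."""
    if len(stub) < 12:
        raise ValueError("stub too short for an NDR string header")
    max_count, offset, actual = struct.unpack_from("<III", stub, 0)
    if offset != 0 or actual > max_count or 12 + 2 * actual > len(stub):
        raise ValueError("inconsistent NDR string header")
    return stub[12:12 + 2 * actual].decode("utf-16-le").rstrip("\x00")


_UNC_HOST = re.compile(r"^\\\\([^\\?]+)(?:\\|$)")


def unc_host(path: str):
    r"""Host component of a \\host\share path (lower-cased), None for local paths."""
    m = _UNC_HOST.match(path)
    return m.group(1).lower() if m else None


def coercion_reached_target(status: int) -> bool:
    """The PoC infers an outbound connection attempt from these return codes."""
    return status in (ERROR_ACCESS_DENIED, ERROR_BAD_NETPATH)


def triage(calls, known_file_servers):
    """Flag decoded EFSRPC calls whose FileName names a host outside the allowlist.
    Each call is a dict with keys pipe, authenticated, opnum and stub."""
    findings = []
    for call in calls:
        host = unc_host(decode_file_name(call["stub"]))
        if host is None or host in known_file_servers:
            continue
        findings.append({
            "method": OPNAME.get(call["opnum"], "opnum %d" % call["opnum"]),
            "pipe": call["pipe"],
            "authenticated": call["authenticated"],
            "target_host": host,
        })
    return findings


# Constructed sample: two coercion attempts and one benign call, as a sensor
# that decodes inbound EFSRPC requests on a DC might hand them over.
SAMPLE_CALLS = [
    {"pipe": r"\pipe\efsrpc", "authenticated": True,
     "opnum": OPNUM["EfsRpcEncryptFileSrv"],
     "stub": encrypt_file_srv_stub(r"\\10.0.0.99\test\topotam.exe")},
    {"pipe": r"\pipe\lsarpc", "authenticated": False,
     "opnum": OPNUM["EfsRpcOpenFileRaw"],
     "stub": open_file_raw_stub(r"\\10.0.0.99\share\x")},
    {"pipe": r"\pipe\efsrpc", "authenticated": True,
     "opnum": OPNUM["EfsRpcEncryptFileSrv"],
     "stub": encrypt_file_srv_stub(r"\\fs01\users\alice\report.docx")},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CALLS, {"fs01"}):
        print(finding)
```

Of the two flagged sample records, the unauthenticated one on \pipe\lsarpc is the path KB5005033 closes; the authenticated one on \pipe\efsrpc is the variant the page says continued to work, and it is the one the Server 2025 chain above drives at localhost. The triage rule is the part worth keeping: any EFSRPC request whose FileName is a UNC path to a host that is not a known file server, followed by the DC opening an outbound SMB connection to that host, is PetitPotam regardless of which EFS method the selector picked.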
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Coverage of the PetitPotam Windows LSA spoofing issue: MS-EFSRPC coercion forces NTLM authentication from a target, especially a domain controller; mitigations are partial and the technique remains usable in authenticated scenarios.
Windows LSA spoofing vulnerability tied to PetitPotam/EFSRPC coercion. Patches such as KB5005033 blocked unauthenticated EFSRPC calls via LSARPC, though authenticated variants may still work in some environments.
PetitPotam, tracked as CVE-2021-36942, described as a vulnerability whose exploitation lets an attacker leverage a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access, privilege escalation, and persistence.
A forced-authentication vulnerability and attack technique, PetitPotam, that coerces authentication from domain controllers, potentially enabling unauthorized access, privilege escalation, or lateral movement.