Windows SMB Server Elevation of Privilege via Improper Authentication
CVE-2026-24294 is an elevation-of-privilege vulnerability in Windows SMB Server caused by improper authentication in the core SMB component. The available context indicates the issue was identified as a bypass related to prior Windows authentication reflection research and abuses a newer Windows capability in Windows 11 24H2 and Windows Server 2025 that allows SMB shares to be mounted on arbitrary TCP ports. In the described attack path, an attacker first establishes a local attacker-controlled SMB server on a non-default TCP port and causes the Windows SMB client to connect to it, keeping the TCP connection open. The attacker then coerces a privileged local service such as LSASS to authenticate to the same SMB share path, causing the SMB client to reuse the existing TCP connection. The resulting privileged local NTLM authentication can then be relayed to the machine's built-in SMB service, yielding a privileged SMB session on the same host. Microsoft patched the issue in the March 2026 Patch Tuesday update. The content states the attack worked by default on Windows Server 2025, while Windows 11 24H2 was not vulnerable by default because SMB signing is enforced there.
Exploits
The repository contains a working exploit chain combining a modified Windows PetitPotam coercion client with a modified Impacket SMB server. The purpose is local NTLM reflection / privilege escalation on Windows Server 2025 by abusing SMB arbitrary-port connections plus SMB session multiplexing.

The C++ project under PetitPotam/ is a Visual Studio solution that binds to the EFSRPC interface UUID df1941c5-fe89-4e79-bf10-463657acf44d over the named pipe \pipe\efsrpc using ncacn_np. It accepts three arguments: capture server, target server, and EFS API selector. It constructs a UNC path to \\<captureServer>\test\topotam.exe and invokes one of several EFSRPC methods (notably EfsRpcEncryptFileSrv in the README example) against the target. Success is inferred from expected RPC error codes such as ERROR_BAD_NETPATH or ERROR_ACCESS_DENIED, indicating the target attempted outbound access to the attacker-controlled UNC path.

The generated files ms-efsrpc_c.c, ms-efsrpc_h.h, ms-dtyp.h, and ms-dtyp_h.h are MIDL-generated RPC client stubs and type definitions supporting the EFSRPC calls. They are not standalone exploit logic but provide the RPC interface implementation used by PetitPotam.cpp.

The Python smbserver.py is a modified Impacket SMB server entry point. It adds a -relay-port option and hooks SMB2 SESSION_SETUP handling to capture a second NTLM authentication on an already-established multiplexed SMB connection, then forwards that authentication to a raw relay listener such as ntlmrelayx --raw-port. This turns the coerced authentication into a usable relay/reflection primitive.

The README documents the full three-terminal workflow: start ntlmrelayx on raw port 6666 targeting smb://127.0.0.1, start smbserver.py on TCP 12345 with share name test and relay-port 6666, then mount \\127.0.0.1\test using /tcpport:12345 and run PetitPotam.exe 127.0.0.1 localhost 2. The expected outcome is command execution as NT AUTHORITY\SYSTEM.
Overall, this is a real exploit repository, not merely detection code. It is operational rather than heavily weaponized: the coercion path/share is partly hardcoded, the workflow is manual, and it relies on external tooling (Impacket ntlmrelayx) for final command execution.
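A defender-side counterpart to the attack path described above (both the CVE summary and the exploit-chain analysis), added here as an example and not code from this page or from the repository it describes: a heuristic that scans Windows Security 4624 logon records, flattened into a constructed key=value format, for NTLM network logons whose source address is the host itself, which is the footprint a locally relayed authentication leaves on the built-in SMB service. Field names follow the 4624 event schema; the sample records and the flattened format are constructed for the example.

```python
from dataclasses import dataclass

# Source addresses that mean "the host authenticated to itself".
LOOPBACK = {"127.0.0.1", "::1", "::ffff:127.0.0.1"}

# Constructed sample records: Security 4624 events flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventRecordID=101|EventID=4624|LogonType=2|AuthenticationPackageName=Negotiate|TargetUserName=alice|IpAddress=127.0.0.1",
    "EventRecordID=102|EventID=4624|LogonType=3|AuthenticationPackageName=NTLM|TargetUserName=bob|IpAddress=10.0.0.7",
    "EventRecordID=103|EventID=4624|LogonType=3|AuthenticationPackageName=NTLM|TargetUserName=SRV01$|IpAddress=127.0.0.1",
    "EventRecordID=104|EventID=4624|LogonType=3|AuthenticationPackageName=Kerberos|TargetUserName=svc_backup|IpAddress=::1",
]


@dataclass
class Finding:
    record_id: int
    target_user: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one flattened record into a field dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def is_loopback_ntlm_logon(ev: dict) -> bool:
    """Network logon (type 3) via the NTLM package, sourced from the host itself."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == "3"
        and ev.get("AuthenticationPackageName", "").upper() == "NTLM"
        and ev.get("IpAddress") in LOOPBACK
    )


def scan(lines) -> list:
    """Return a Finding for each loopback NTLM network logon in the input."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_loopback_ntlm_logon(ev):
            continue
        user = ev.get("TargetUserName", "")
        reason = "loopback NTLM network logon"
        # A machine account or SYSTEM authenticating to itself is the privileged case.
        if user.endswith("$") or user.upper() == "SYSTEM":
            reason += " by privileged account"
        findings.append(Finding(int(ev["EventRecordID"]), user, reason))
    return findings
```

Loopback NTLM network logons also occur legitimately on some hosts (local services authenticating to themselves), so baseline a host before alerting on this pattern. The control the page credits for Windows 11 24H2 not being vulnerable by default is enforced SMB signing, which is the preventive measure to verify alongside this detection.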
Recent activity
A vulnerability arising from abuse of the new ability in Windows 11 24H2 and Windows Server 2025 to mount SMB shares on arbitrary TCP ports, enabling a demonstrated local privilege escalation attack path via localhost coercion.
A local privilege escalation vulnerability involving NTLM reflection via SMB arbitrary port connection reuse on recent Windows versions.
A local privilege escalation vulnerability on recent Windows versions that abuses SMB arbitrary-port connections and SMB connection reuse to relay local NTLM authentication back to the machine.
A local privilege escalation vulnerability on recent Windows systems that abuses SMB client support for arbitrary TCP ports and SMB connection multiplexing to perform local NTLM reflection and obtain a privileged SMB session.