PoC Released for New NTLM Vulnerability in Windows Server 2025 Allowing SYSTEM Privilege Escalation

Another serious security vulnerability in Microsoft operating systems has drawn the attention of cybersecurity professionals. A working Proof-of-Concept (PoC) exploit has been publicly released for the vulnerability registered under identifier CVE-2026-24294. When successfully exploited, this vulnerability allows an attacker to gain the highest privileges — NT AUTHORITY\SYSTEM — in Windows Server 2025 systems.

The new vulnerability demonstrates that NTLM Reflection attacks, which Microsoft previously considered mitigated, may re-emerge. This indicates that some fundamental issues in Windows authentication mechanisms have still not been fully resolved.

What Is an NTLM Reflection Attack?

NTLM (NT LAN Manager) is one of the authentication protocols used in Windows systems for many years. Although Microsoft has recently been recommending a transition to Kerberos and other modern authentication methods, NTLM is still actively used in many corporate infrastructures.

An NTLM Reflection attack is based on forcing the system to authenticate to itself, allowing the interception and reuse of authentication credentials from a user or system service. As a result, an attacker can gain high-level privileges.

Previous Vulnerability and New Bypass Method

The CVE-2025-33073 vulnerability, discovered in 2025, once again made NTLM Reflection attacks a relevant threat. At that time, Microsoft introduced a protection mechanism at the SMB client level that blocks specially crafted authentication requests.

However, experts noted that this protection only eliminates one exploitation method, while the underlying issue in the authentication architecture remains.

Soon after, this assumption was confirmed — researchers managed to discover a new method to bypass the protection mechanism.

How Does the Vulnerability Work?

The new attack method leverages a capability introduced in Windows 11 24H2 and Windows Server 2025. SMB connections can now be established not only through the traditional port 445 but also through arbitrary TCP ports.

Originally, this capability was designed for more flexible use of SMB services. However, in practice, it has created a convenient opportunity for a new attack scenario.

The attack is carried out in several stages.

First, the attacker launches a malicious SMB server on their own device on a non-standard TCP port (for example, port 12345) and forces the Windows system to connect to this server. The Windows SMB client establishes a TCP session with this server and keeps it active.

In the next stage, the attacker uses specialized methods to force a service running with SYSTEM privileges (such as LSASS — Local Security Authority Subsystem Service) to access this SMB resource.

Windows, reusing the existing TCP connection, performs NTLM authentication on behalf of SYSTEM.

At this point, the attacker intercepts the authentication credentials and, by relaying them to a legitimate SMB service, successfully authenticates as NT AUTHORITY\SYSTEM. As a result, full control over the server is established.

What Tools Were Used to Create the PoC?

Researchers from Synacktiv developed a PoC sample that successfully exploits this vulnerability.

The exploit uses the following tools:

  • Impacket smbserver.py — to launch a local SMB server;
  • Impacket ntlmrelayx — to relay intercepted NTLM authentication;
  • a modified version of PetitPotam — to force SYSTEM services to authenticate;
  • Windows net.exe — to establish SMB connections.

When used together, these tools make it possible to obtain SYSTEM-level privileges on Windows Server 2025 systems.

Which Systems Are at Risk?

According to the researchers’ testing results:

  • Windows Server 2025 in its default configuration is vulnerable to this attack;
  • Windows 11 24H2 is not vulnerable by default.

This is because Windows 11 24H2 has SMB Signing enforced, which blocks relay attacks at the protocol level.

If SMB Signing is not enforced in a Windows Server environment, the likelihood of exploitation increases significantly.

What Measures Did Microsoft Take?

Microsoft registered the vulnerability under identifier CVE-2026-24294 and released a corresponding fix as part of the March 2026 Patch Tuesday security updates.

This update addresses this specific NTLM Reflection scenario.

However, according to experts, this does not mean that all NTLM-related issues have been fully resolved. As long as NTLM continues to be used in corporate networks and SMB Signing is not enforced in all environments, the likelihood of new similar exploitation methods emerging remains.

Recommendations for Organizations

Cybersecurity experts recommend taking the following measures:

  • immediately install the latest security updates released by Microsoft on Windows Server systems;
  • enforce SMB Signing on all servers;
  • where possible, phase out NTLM authentication in favor of more modern mechanisms such as Kerberos;
  • continuously monitor SMB traffic over non-standard TCP ports;
  • track unusual SMB connections and authentication attempts on servers;
  • use EDR and SIEM solutions to detect unusual SMB activity from LSASS and other privileged services;
  • strictly implement network segmentation and the principle of least privilege.

Conclusion

The CVE-2026-24294 vulnerability has once again demonstrated that eliminating one exploitation method in authentication mechanisms does not mean the problem is fully resolved. As long as the NTLM protocol continues to be used in many corporate infrastructures, attackers will continue to search for new ways to exploit it.

The public release of the PoC exploit makes this threat even more pressing. Therefore, it is critically important for organizations to install Microsoft’s security updates as quickly as possible, enforce SMB Signing, and develop a strategy for gradually phasing out NTLM. Otherwise, such vulnerabilities can lead to the complete compromise of corporate infrastructure and the transfer of highest-level system privileges to attackers.