NTLM Reflection Bypass Proof-of-Concept Enables SYSTEM Access on Windows Server

CVE: CVE-2026-XXXXX (reservation expected) | Vendor: Microsoft | Product: Windows Server (all supported versions), Windows 11

What Is the Vulnerability

A proof-of-concept has been released demonstrating a bypass of Microsoft’s long-standing NTLM reflection attack mitigations, enabling an attacker to escalate privileges to SYSTEM on Windows Server and Windows 11 machines. NTLM reflection attacks exploit the design of the NT LAN Manager authentication protocol: an attacker intercepts an NTLM authentication challenge sent to a victim machine and reflects it back to the same machine, tricking it into authenticating to itself. In a successful attack, the reflected authentication grants SYSTEM-level access to local resources and services.

Microsoft originally patched this class of attack in 2015 by introducing Channel Binding Token (CBT) and Extended Protection for Authentication (EPA) requirements. However, the newly released PoC demonstrates that under specific conditions — notably when certain legacy services are enabled or when SMB signing is not enforced — the reflection protection can be bypassed entirely. The attack chains a forced authentication trigger (via MS-RPRN or a coerced WebClient connection) with the reflection bypass to achieve privilege escalation from a low-privileged service account or domain user to SYSTEM.

Versions Affected

  • Windows Server 2025, 2022, and 2019 — fully vulnerable in default configurations where SMB signing is not enforced
  • Windows 11 (all editions, 22H2 and later) — vulnerable when certain services (IIS, MSSQL, or WebClient) are running
  • Domain-joined machines with NTLM authentication permitted are at highest risk
  • Machines using Kerberos exclusively are not affected; the attack requires NTLM to be an available fallback

Exploited?

The proof-of-concept code has been publicly released on GitHub, but there is no confirmed evidence of active exploitation in the wild as of June 30, 2026. Security researchers and red teams are actively testing and weaponizing the technique, and history suggests that threat actors are quick to operationalize publicly available privilege escalation PoCs — particularly those targeting Windows Server infrastructure. The attack’s low complexity and reliance on standard Windows features (no custom malware required) make it an attractive addition to post-exploitation toolkits like Cobalt Strike and Sliver.

Fix

Microsoft has acknowledged the PoC and is tracking the issue. Pending an official security patch, organizations can neutralize this attack vector through configuration hardening:

  • Disable NTLM entirely where feasible. Use Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” set to “Deny all”
  • Enforce SMB signing. Ensure both client-side and server-side SMB signing policies are set to “always” via Group Policy
  • Enable Extended Protection for Authentication (EPA) for IIS, Exchange, and any application hosting NTLM-authenticated services
  • Apply the latest Windows security updates. Microsoft has historically included NTLM hardening in cumulative updates, and a targeted fix is expected

Recommendations

  • Audit your environment for NTLM usage — enable NTLM auditing in Group Policy and review operational logs for service accounts still relying on NTLM
  • Move to Kerberos authentication wherever possible to eliminate the NTLM reflection attack surface
  • Enforce SMB signing across the domain to block SMB-based reflection triggers
  • Disable the Print Spooler service on domain controllers and non-print servers to block the MS-RPRN coercion primitive
  • Monitor for event ID 8004 (NTLM authentication blocked) and event ID 4625 (failed logon) with logon type 3 originating from the same machine
  • Prioritize patching as soon as Microsoft releases an official fix
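As an added example (not code from the original advisory), this read-only PowerShell audit turns the configuration items under Fix and the checks under Recommendations into something you can run on a host while the official patch is pending. It assumes the MSV1_0 registry values RestrictSendingNTLMTraffic and AuditReceivingNTLMTraffic as the backing stores of the two Restrict NTLM policies named above, and the WebAdministration module for the IIS EPA check.

```powershell
# Added example, not from the original advisory: read-only audit of the NTLM
# hardening controls listed above. Run in an elevated PowerShell session.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, $Current, [bool]$Ok) {
    $shown = if ($null -eq $Current) { '(not set)' } else { "$Current" }
    $findings.Add([pscustomobject]@{ Control = $Control; Current = $shown
                                     Status = if ($Ok) { 'OK' } else { 'REVIEW' } })
}

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    backing value: 0 = allow all, 1 = audit all, 2 = deny all (the advisory's target)
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$out = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
Add-Finding 'Restrict outgoing NTLM (want 2)' $out ($out -eq 2)

# 2. "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
#    0 = off, 1 = domain accounts, 2 = all accounts; feeds the NTLM operational log
$aud = (Get-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
Add-Finding 'Audit incoming NTLM (want >= 1)' $aud ($aud -ge 1)

# 3. SMB signing must be *required* on both sides; "enabled" alone still
#    allows an unsigned session to be negotiated
$srv = Get-SmbServerConfiguration; $cli = Get-SmbClientConfiguration
Add-Finding 'SMB server RequireSecuritySignature' $srv.RequireSecuritySignature $srv.RequireSecuritySignature
Add-Finding 'SMB client RequireSecuritySignature' $cli.RequireSecuritySignature $cli.RequireSecuritySignature

# 4. Coercion primitives named above: Print Spooler (MS-RPRN) and WebClient (WebDAV)
foreach ($name in 'Spooler', 'WebClient') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { Add-Finding "$name service (want Stopped/Disabled)" "$($svc.Status)/$($svc.StartType)" `
                    ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled') }
}

# 5. IIS Extended Protection (EPA): tokenChecking should be Require.
#    Assumes the WebAdministration module (IIS role) is present; skipped otherwise.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Name tokenChecking `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    if ($epa.PSObject.Properties['Value']) { $epa = $epa.Value }
    Add-Finding 'IIS EPA tokenChecking (want Require)' $epa ("$epa" -eq 'Require')
}
# 6. NTLM audit records: 8004 as cited above, plus 8001/8002 (local outgoing/
#    incoming NTLM audits). Any hits mean NTLM is still in use on this host.
$ev = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8004 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue)
Add-Finding 'NTLM audit events (last 50)' $ev.Count ($ev.Count -eq 0)

$findings | Format-Table -AutoSize
```

Rows marked REVIEW are the controls that still differ from the advisory's recommended state; the script changes nothing itself.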

References

  • GitHub — NTLM Reflection Bypass PoC repository
  • CybersecurityNews — Initial report on PoC release
  • Microsoft Security Response Center — Advisory (pending)
  • MITRE ATT&CK T1557 (Man-in-the-Middle) — NTLM Relay sub-technique

Part of the Vulnerability Intelligence series. See the June 30, 2026 VIR.
