July 7, 2026
Unmasking CVE-2026–26128: The New Windows SMB & NTLM Reflection Bypass Weapon
The cybersecurity landscape has just shifted with the public release of a highly stable Proof-of-Concept (PoC) exploit for CVE-2026–26128…

By Synthex
1 min read
The cybersecurity landscape has just shifted with the public release of a highly stable Proof-of-Concept (PoC) exploit for CVE-2026–26128. If your organization runs modern Windows environments — especially Windows Server 2025 or updated Windows 11 instances — this is a critical threat that demands immediate attention.
Historically, local NTLM reflection attacks were considered a solved problem. Microsoft implemented robust defensive layers like Channel Binding Tokens (CBT) and Extended Protection for Authentication (EPA) to ensure that local authentication challenges couldn't be looped back to trick the OS. Unfortunately, CVE-2026–26128 completely bypasses these security boundaries without requiring any user interaction.
How the Flaw Bypasses OS Defenses
The core of this vulnerability lies in a newly introduced Windows capability: the ability for the native SMB client to establish outbound connections over alternative, non-standard TCP ports instead of forcing all traffic through port 445.
By forcing the SMB transport channel over a multiplexed high port (e.g., TCP 12345), an attacker can spin up a local rogue SMB listener. Using classic coercion primitives like PetitPotam or MS-RPRN, the exploit tricks a highly privileged internal service into connecting to this custom loopback interface. Because the SMB server fails to re-verify the cryptographic boundaries of the CBT over these alternative multiplexed channels, the privileged authentication token is cleanly reflected back to the legitimate server, dropping a deterministic shell with full NT AUTHORITY\SYSTEM privileges.
Are Your Systems Exposed?
This flaw acts as a massive force multiplier for ransomware groups and APT actors during lateral movement phases. Default configurations of Windows Server 2025 are completely vulnerable out of the box, while Windows Server 2022/2019 and Windows 11 (24H2) remain highly susceptible depending on active services like IIS or MSSQL.
Immediate short-term mitigation requires enforcing strict SMB Signing to "Always Require" on both client and server sides.
To dive deep into the full step-by-step exploit mechanics, analyze the structural logical flaws in the Windows kernel, and view the complete step-by-step debugger and terminal logs, read my comprehensive technical analysis on my blog.