CVE-2023-21746

HIGH EXPLOITED

Windows NTLM - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2023-21746 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Muhammad-Ali007, TailoredSecOps, velikrgl.

Description

Windows NTLM Elevation of Privilege Vulnerability

Exploits (4)

nomisec WORKING POC 3 stars
by Muhammad-Ali007 · local
https://github.com/Muhammad-Ali007/LocalPotato_CVE-2023-21746

This repository contains a Local Privilege Escalation (LPE) exploit for CVE-2023-21746, combining NTLM authentication manipulation (LocalPotato) with DLL hijacking via the StorSvc service to achieve SYSTEM privileges on Windows.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (multiple versions)
Auth required
Prerequisites: Low-privilege user access · Compilation of exploit components (RpcClient.exe, SprintCSP.dll) · LocalPotato.exe for file write exploitation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by TailoredSecOps · local
https://github.com/TailoredSecOps/PEREDBOEMPATAT-BOF

This repository contains a functional Cobalt Strike BOF (Beacon Object File) implementation of the LocalPotato NTLM Reflection Exploit for CVE-2023-21746. The code includes COM object implementations, SSPI hooking, and SMB/HTTP clients to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (specific versions affected by CVE-2023-21746)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Cobalt Strike or compatible BOF loader
devstral-2 · analyzed Mar 06, 2026

github WORKING POC
by velikrgl · cpoc
https://github.com/velikrgl/CVE-Exploits/tree/main/CVE-2023-21746

This repository contains functional exploit code for CVE-2023-21746, a local privilege escalation vulnerability in Windows. The exploit leverages DCOM reflection and NTLM relay techniques to escalate privileges from a low-integrity context to SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (specific versions affected by CVE-2023-21746)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Low-privilege user context
devstral-2 · analyzed Feb 27, 2026

patchapalooza WORKING POC
by decoder-it · local
https://github.com/decoder-it/LocalPotato

This repository contains a functional exploit for CVE-2023-21746, leveraging DCOM and NTLM reflection to achieve local privilege escalation. The code hooks SSPI functions to swap authentication contexts between SYSTEM and the current user, enabling privilege escalation via HTTP and SMB reflection.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (specific versions affected by CVE-2023-21746)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · DCOM and NTLM authentication enabled
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.5374
EPSS Percentile 98.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2023-09-18
Status published
Products (18)
microsoft/windows_10
microsoft/windows_10 20h2
microsoft/windows_10 21h2
microsoft/windows_10 22h2
microsoft/windows_10 1607
microsoft/windows_10 1809
microsoft/windows_11 (2 CPE variants)
microsoft/windows_11 21h2 (2 CPE variants)
microsoft/windows_11 22h2 (2 CPE variants)
microsoft/windows_7
... and 8 more
Published Jan 10, 2023
Tracked Since Feb 18, 2026