CVE-2026-24294

HIGH

Windows SMB Server - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-24294. PoCs published by adminlove520, 0xNDI.

AI-analyzed exploit summary This repository contains a functional PetitPotam exploit for CVE-2026-24294, targeting Windows EFSRPC via RPC calls to trigger authentication coercion. The code includes RPC binding logic and multiple EFS API calls to exploit the vulnerability.

Description

Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges locally.

Exploits (2)

github WORKING POC 4 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-24294

View Code ZIP pw:eip

This repository contains a functional PetitPotam exploit for CVE-2026-24294, targeting Windows EFSRPC via RPC calls to trigger authentication coercion. The code includes RPC binding logic and multiple EFS API calls to exploit the vulnerability.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows EFSRPC

No auth needed

Prerequisites: network access to target server · SMB server for capture

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 18, 2026 Full analysis →

github WORKING POC

by 0xNDI · cpoc

https://github.com/0xNDI/CVE-2026-24294

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-24294, leveraging the PetitPotam technique to coerce authentication via the EFSRPC interface. The code includes RPC binding and multiple EFS API calls to trigger the vulnerability.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (EFSRPC interface)

No auth needed

Prerequisites: network access to target server · SMB server for capture

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources

https://www.vicarius.io/vsociety/posts/cve-2026-24294-detection-script-improper-authentication-vulnerability-in-windows-smb-server

Various Sources

https://www.vicarius.io/vsociety/posts/cve-2026-24294-mitigation-script-improper-authentication-vulnerability-in-windows-smb-server

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24294

Scores

CVSS v3 7.8

EPSS 0.0273

EPSS Percentile 84.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287

Status published

Products (37)

Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.8957

Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8511

Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7058

Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7058

Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6783

Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6783

Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8037

Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8037

Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1719

Microsoft/Windows 11 Version 26H1 10.0.28000.0 - 10.0.28000.1719

... and 27 more

Published Mar 10, 2026

Tracked Since Mar 11, 2026