This is an unlocked building directory, not an open bank vault
Tenable plugin 26920 flags hosts where SMB will accept an anonymous NULL session to IPC$/named pipes such as browser or spoolss, letting an unauthenticated user pull back host, share, user, group, or password-policy data depending on the server role and policy mix. In practice this is a configuration exposure, not a normal software memory-corruption bug: Tenable maps it broadly to Windows and Samba, and Microsoft documents the behavior as legacy/conditional anonymous access controlled by RestrictNullSessAccess, anonymous pipe/share lists, and related LSA settings rather than a clean product version boundary.
Tenable's HIGH is too hot for most enterprises. The decisive friction is that successful abuse usually requires network reachability to SMB first, which in modern estates means internal access or a badly exposed 445 listener, and the direct impact is typically reconnaissance/information disclosure, not code execution. It becomes more serious on domain controllers or legacy servers where anonymous pipe access leaks domain intel that feeds password spraying and lateral movement, but that is still usually a post-initial-access amplifier, not an initial breach itself.
4 steps from start to impact.
Find reachable SMB
The attacker locates hosts listening on TCP/445 or TCP/139 with nmap, NetExec, or standard SMB negotiation. This is just target selection; no exploit has happened yet.
- Target host exposes SMB on a reachable network path
- Firewalling allows the attacker to talk to the SMB service
- Most enterprises do not intentionally expose SMB to the internet
- Internal segmentation, VPN requirements, NAC, and host firewalls cut the reachable population hard
Attempt anonymous session setup
Using NetExec (nxc smb <ip> -u '' -p ''), smbclient -N, rpcclient -N, or the Windows net use command, the attacker tries to establish an anonymous IPC$ session. Success depends on local policy and whether anonymous access to named pipes or shares is still enabled.
- Host allows anonymous session setup to IPC$ or specific named pipes/shares
- Relevant policy and registry settings are permissive
- Modern Windows defaults and hardening baselines often block meaningful anonymous access
- Many null-session findings on scans are legacy corner cases or limited pipe exposure rather than broad anonymous file access
Watch for event 4624 with ANONYMOUS LOGON and share-access events such as 5140, especially against IPC$.
Enumerate data through exposed pipes
rpcclient, enum4linux, or NetExec query shares, users, groups, SIDs, and password policy through the exposed RPC interfaces. On domain-joined systems, especially DC-adjacent infrastructure, this can give the attacker a cleaner map of identities and trust relationships.
- Anonymous token has read-level access to the relevant RPC interfaces or share metadata
- The host role exposes useful information through those interfaces
- Many systems will only reveal limited metadata
- Member servers and workstations usually leak far less strategic value than domain controllers
Turn recon into follow-on intrusion
The leaked identity and policy data feeds password spraying and lateral movement through NetExec, Impacket, or CrackMapExec-style workflows.
- Attacker has another access path after recon, such as guessed credentials or an internal foothold
- Environment has weak passwords, reused local admin, or permissive lateral movement paths
- This step requires a second failure elsewhere in the estate
- MFA, tiering, LAPS, and EDR all break the chain after the recon stage
The supporting signals.
| Signal | Assessment |
|---|---|
| In-the-wild status | No current authoritative evidence of active exploitation campaigns was found in the sources reviewed. This issue is a long-lived misconfiguration class that attackers routinely test during recon, but it is not a current headline exploitation driver. |
| KEV status | Not listed in CISA KEV based on the current catalog and searches for CVE-2002-1117. That matters: no government-curated evidence of widespread active exploitation pressure. |
| Proof-of-concept availability | Public tradecraft is trivial and mature: NetExec, rpcclient, smbclient, and older enum4linux workflows all support anonymous SMB/RPC testing. This is easy to verify, but easy does not equal high impact. |
| EPSS | For the mapped legacy CVE, public EPSS reporting shows about 0.66% with roughly 68.9th percentile. That is not zero, but it is nowhere near the profile of routinely weaponized enterprise-takedown bugs. |
| Vendor scoring vs reality | Tenable labels the plugin HIGH and publishes CVSS v3 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). In practice, the real impact is usually confidentiality-only recon with follow-on value, so the vendor baseline overstates day-one blast radius. |
| Affected scope | This is not a neat version-range bug. It affects Windows or Samba hosts configured to permit anonymous SMB/null-session access to IPC$ or specific named pipes/shares; Tenable lists broad windows and samba CPE coverage. |
| Fixed state | There is usually no patch version to chase. The secure state is configuration-based: enable "Restrict anonymous access to Named Pipes and Shares", keep anonymous pipe/share lists empty unless explicitly required, and avoid permissive anonymous LSA settings. Microsoft notes different legacy behavior across server generations. |
| Exposure reality | Do not mistake 'host answers on 445' for 'host is exploitable via null session.' The reachable population is already narrowed by SMB exposure, and the exploitable population is narrowed again by anonymous-access policy. That compounding friction is the main reason this lands at MEDIUM. |
| Disclosure / age | This is old. Tenable lists vulnerability publication back to 1999-07-14 and maps one related legacy CVE published 2002-10-04. Old bugs still matter when the misconfiguration survives, but age plus mature mitigations lower the surprise factor. |
| Research / tracking | Tracked by Tenable under plugin 26920, historically linked to CVE-1999-0519, CVE-1999-0520, and CVE-2002-1117. Microsoft documentation is the best source for what modern Windows will and will not actually expose anonymously. |
noisgate verdict.
The single biggest downgrade factor is attacker position: this usually requires access to an SMB service that is reachable only from the internal network or over a trusted path, making it a post-initial-access reconnaissance amplifier more than an initial-compromise event. The direct effect is usually information disclosure through legacy RPC/IPC exposure, not one-shot takeover, which keeps it out of HIGH absent confirmed exposure on domain controllers or internet-facing 445.
Why this verdict
- Requires SMB reachability first: unauthenticated remote sounds scary, but in real estates 445 is usually internal-only or segmented, which sharply reduces the reachable population.
- Implies prior foothold in many environments: if an attacker must already be on the LAN/VPN or pivoted into a server segment, the bug is no longer an initial-access problem; it is a recon booster after compromise.
- Impact is narrower than vendor CVSS suggests: the null session itself usually yields enumeration data, not direct code execution or privilege escalation. You need a second weakness to cash out that intel.
- Modern controls should break later steps: LAPS, MFA, segmentation, EDR, and spray detection all sit between anonymous enumeration and actual host takeover.
- Still worth fixing on identity infrastructure: on domain controllers or legacy member servers with permissive anonymous pipes, the leaked identity and policy data can materially improve password spraying and lateral movement.
Why not higher?
This is not a broadly reliable one-packet compromise. Real exploitation typically needs internal network access, SMB reachability, and a host role/configuration that actually returns useful anonymous data. Even after success, the attacker usually gets reconnaissance, not immediate system control.
Why not lower?
It is still unauthenticated network exposure and the tradecraft is commodity-level simple. On the wrong asset class, especially a DC or legacy server with permissive anonymous RPC exposure, the intel leak materially reduces attacker effort for the next stage.
What to do — in priority order.
- Block unnecessary SMB paths — Constrain TCP/445 and 139 with host firewall and network segmentation so only approved admin, file, and application paths remain. This directly removes the attacker-position prerequisite; for a MEDIUM verdict there is no mitigation SLA, so fold this into the next hardening cycle and complete within the 365-day remediation window where cleanup is still needed.
- Enforce anonymous-access restrictions — Set "Network access: Restrict anonymous access to Named Pipes and Shares" to Enabled, keep "Named Pipes that can be accessed anonymously" empty unless there is a documented exception, and review anonymous share lists. This is the control that most directly kills the finding at its root; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window.
- Audit domain controllers first — Prioritize DCs, print servers, and old application/file servers because those roles are where null-session leakage has the highest operational value to attackers. Validate whether anonymous access is truly needed before making exceptions, and complete that review within the 365-day remediation window.
- Hunt anonymous SMB activity — Monitor for 4624 anonymous logons and 5140 access to IPC$, then correlate with repeated RPC enumeration from the same source. This will not remove the weakness, but it raises the cost of abuse while you clean up legacy access paths within the 365-day remediation window.
- Shrink follow-on blast radius — Harden the controls that attackers use after recon: LAPS or equivalent local-admin rotation, password-spray detection, admin tiering, and SMB segmentation. These do not fix null sessions, but they blunt the payoff from the information leak while you finish remediation within the 365-day window.
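One way to turn that hunting bullet into correlation logic, as an added example that is not part of this noisgate page or of any vendor tool: it runs over constructed Security-log records (the field names and all IPs/timestamps are assumptions) and flags sources that pair an ANONYMOUS LOGON network logon (4624, logon type 3) with repeated IPC$ access (5140) inside a short window, while ignoring authenticated users and lone anonymous logons.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like the fields a SIEM extracts from
# Windows Security events 4624 and 5140; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "id": 4624, "logon_type": 3,
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.5.23"},
    {"ts": "2024-05-01T10:00:02", "id": 5140, "share": r"\\*\IPC$",
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.5.23"},
    {"ts": "2024-05-01T10:00:03", "id": 5140, "share": r"\\*\IPC$",
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.5.23"},
    {"ts": "2024-05-01T10:00:05", "id": 5140, "share": r"\\*\IPC$",
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.5.23"},
    # An authenticated user touching IPC$ is routine and must not alert.
    {"ts": "2024-05-01T10:01:00", "id": 4624, "logon_type": 3,
     "user": "jsmith", "src_ip": "10.10.7.40"},
    {"ts": "2024-05-01T10:01:01", "id": 5140, "share": r"\\*\IPC$",
     "user": "jsmith", "src_ip": "10.10.7.40"},
    # One anonymous logon with no follow-on share access: low signal alone.
    {"ts": "2024-05-01T10:02:00", "id": 4624, "logon_type": 3,
     "user": "ANONYMOUS LOGON", "src_ip": "10.10.9.9"},
]


def find_null_session_enum(events, window_s=300, min_ipc_hits=2):
    """Return {src_ip: ipc_hit_count} for sources that logged on anonymously
    over the network (4624, logon type 3) and then accessed IPC$ (5140) at
    least min_ipc_hits times within window_s seconds of such a logon.
    Repeated anonymous IPC$ access is the footprint of RPC enumeration
    tooling rather than a single stray probe."""
    window = timedelta(seconds=window_s)
    anon_logons = defaultdict(list)  # src_ip -> timestamps of anonymous 4624
    ipc_hits = defaultdict(list)     # src_ip -> timestamps of anonymous 5140 on IPC$
    for e in events:
        if e["user"].upper() != "ANONYMOUS LOGON":
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") == 3:
            anon_logons[e["src_ip"]].append(ts)
        elif e["id"] == 5140 and e.get("share", "").upper().endswith("IPC$"):
            ipc_hits[e["src_ip"]].append(ts)
    flagged = {}
    for ip, logons in anon_logons.items():
        correlated = [t for t in ipc_hits[ip]
                      if any(timedelta(0) <= t - logon <= window for logon in logons)]
        if len(correlated) >= min_ipc_hits:
            flagged[ip] = len(correlated)
    return flagged
```

Tune min_ipc_hits and window_s to the enumeration volume you actually see; a DC will see far more legitimate IPC$ traffic than a member server, so baseline per asset class before alerting.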
- SMB signing alone does not stop anonymous enumeration; it protects message integrity, not whether the server grants an anonymous token in the first place.
- EDR only is not enough because the abuse often looks like ordinary SMB/RPC traffic and may complete before process telemetry on the target becomes useful.
- Closing internet exposure only is insufficient if flat internal networks still let any workstation hit server SMB; this issue is often a lateral-movement enabler after initial access.
Crowdsourced verification payload.
Run this on the target Windows host from an elevated PowerShell session so it can read the relevant registry keys. Invoke it as powershell.exe -ExecutionPolicy Bypass -File .\check-nullsession.ps1; local administrator is recommended. This is a configuration triage check, not a live exploit test.
```powershell
# check-nullsession.ps1
# Purpose: Triage whether a Windows host is likely vulnerable to SMB NULL session exposure.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
$ErrorActionPreference = 'Stop'

# Read a single registry value; return $null when the key or value does not exist.
function Get-RegValue {
    param(
        [string]$Path,
        [string]$Name
    )
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    }
    catch {
        return $null
    }
}

# Normalize a REG_MULTI_SZ value to an array and drop blank entries, so a list
# that exists but contains only an empty string is not reported as configured.
function Get-NonEmptyEntries {
    param($Value)
    if ($null -eq $Value) { return @() }
    return @(@($Value) | Where-Object { $_ -and $_.ToString().Trim() })
}

try {
    $lanmanPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Server service settings behind "Restrict anonymous access to Named Pipes and Shares"
    # and the anonymous pipe/share allow-lists.
    $restrictNullSessAccess = Get-RegValue -Path $lanmanPath -Name 'RestrictNullSessAccess'
    $nullSessionPipes = Get-RegValue -Path $lanmanPath -Name 'NullSessionPipes'
    $nullSessionShares = Get-RegValue -Path $lanmanPath -Name 'NullSessionShares'
    # LSA settings governing what the anonymous token is allowed to see.
    $everyoneIncludesAnon = Get-RegValue -Path $lsaPath -Name 'EveryoneIncludesAnonymous'
    $restrictAnonymous = Get-RegValue -Path $lsaPath -Name 'RestrictAnonymous'

    $service = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue
    if (-not $service) {
        Write-Output 'UNKNOWN - Server service (LanmanServer) not found'
        exit 2
    }

    # Normalize multi-string values
    $nullSessionPipes = Get-NonEmptyEntries $nullSessionPipes
    $nullSessionShares = Get-NonEmptyEntries $nullSessionShares

    $reasons = @()
    $unknown = @()
    if ($null -eq $restrictNullSessAccess) {
        $unknown += 'RestrictNullSessAccess missing'
    } elseif ([int]$restrictNullSessAccess -ne 1) {
        $reasons += 'RestrictNullSessAccess is not enabled (expected 1)'
    }
    if ($nullSessionPipes.Count -gt 0) {
        $reasons += ('Anonymous named pipes configured: ' + ($nullSessionPipes -join ', '))
    }
    if ($nullSessionShares.Count -gt 0) {
        $reasons += ('Anonymous shares configured: ' + ($nullSessionShares -join ', '))
    }
    if ($null -ne $everyoneIncludesAnon -and [int]$everyoneIncludesAnon -eq 1) {
        $reasons += 'EveryoneIncludesAnonymous is enabled'
    }
    # RestrictAnonymous=0 is the Windows default; this check treats anything below 1 as a
    # hardening gap, so expect this reason on unhardened hosts, not only on outliers.
    if ($null -eq $restrictAnonymous) {
        $unknown += 'RestrictAnonymous missing'
    } elseif ([int]$restrictAnonymous -lt 1) {
        $reasons += 'RestrictAnonymous is permissive (< 1)'
    }

    if ($reasons.Count -gt 0) {
        Write-Output ('VULNERABLE - ' + ($reasons -join '; '))
        exit 1
    }
    if ($unknown.Count -gt 0) {
        Write-Output ('UNKNOWN - ' + ($unknown -join '; ') + '. No explicit insecure settings found, but the registry state is incomplete for a confident verdict.')
        exit 2
    }
    Write-Output 'PATCHED - Anonymous pipe/share access appears restricted and no permissive null-session settings were found'
    exit 0
}
catch {
    Write-Output ('UNKNOWN - ' + $_.Exception.Message)
    exit 2
}
```
If you remember one thing.
Prioritize plugin 26920 findings on domain controllers, print servers, old file servers, and anything with broad SMB reachability; validate whether the finding is a true anonymous pipe/share exposure or just a legacy edge case. Because this reassessment lands at MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window unless you discover internet-exposed SMB or identity-tier hosts leaking meaningful anonymous data, in which case accelerate locally. Standardize the secure GPO baseline, remove anonymous pipe/share exceptions, and close unnecessary SMB paths so the estate is fully cleaned up inside the noisgate remediation SLA of ≤365 days.
Sources
- Tenable Nessus Plugin 26920
- Tenable CVE-2002-1117 record
- NVD CVE-2002-1117
- Microsoft Learn - IPC$ share and null session behavior in Windows
- Microsoft Learn - Restrict anonymous access to Named Pipes and Shares
- Microsoft Learn - Named Pipes that can be accessed anonymously
- NetExec Wiki - Enumerate Null Sessions
- CISA Known Exploited Vulnerabilities Catalog