When a program is launched from a file share, Windows normally issues two separate read requests for the same executable: one from the PE loader, which maps the file and creates the process, and a second from Windows Defender, which fetches its own copy of the file to scan for malicious content.
That is where the problem lies. An SMB server can tell the two requests apart, so an attacker who controls the share can configure it to answer each request with a completely different file: the copy handed to the Windows PE loader is malicious, while the copy sent to Windows Defender is clean. Defender scans a harmless file and the loader executes the malicious one, so the scan is bypassed. This gap could clearly lead to greater harm in the future.
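The following is an added example, not code from the original article or from any of the parties it describes. It models the gap above in Python: a stand-in for an attacker-controlled share (the hypothetical `DualFaceShare`) answers the scanner's read and the loader's read with different bytes, and a naive scan-then-load sequence is contrasted with one that scans the exact bytes the loader will map. The `requester` label the share uses to tell the two reads apart is an assumption of this model; the article does not say how the real server distinguished them. `SIGNATURE` is a constructed marker, not a real Windows Defender signature, and the payloads are constructed sample bytes.

```python
"""Toy model of the 'two reads, two files' gap between a scanner and a loader.

Added example, not the article's code. The discriminator (a requester label)
and the signature are assumptions/constructed data for this simulation.
"""
import hashlib

# Constructed sample payloads; an MZ header stands in for a PE file.
CLEAN_PE = b"MZ" + b"\x00" * 62 + b"harmless stub"
MALICIOUS_PE = b"MZ" + b"\x00" * 62 + b"EVIL_MARKER drop-and-run"

# Constructed scanner signature: the toy scanner flags any file containing it.
SIGNATURE = b"EVIL_MARKER"


class DualFaceShare:
    """Stand-in for an attacker-controlled SMB share (hypothetical).

    Assumption of the model: the share can identify which component is
    reading and serves the clean copy only to the scanner.
    """

    def __init__(self, clean, malicious):
        self.clean = clean
        self.malicious = malicious
        self.log = []  # (requester, sha256 of the bytes actually served)

    def read(self, path, requester):
        data = self.clean if requester == "scanner" else self.malicious
        self.log.append((requester, hashlib.sha256(data).hexdigest()))
        return data


def scan(data):
    """Toy signature scan; True means the bytes are considered clean."""
    return SIGNATURE not in data


def naive_scan_then_load(share, path):
    """Scanner and loader each fetch their own copy, as in the gap.

    Returns the bytes that would be executed, or None if the launch was blocked.
    """
    scanned = share.read(path, requester="scanner")
    if not scan(scanned):
        return None  # scanner saw something bad; launch blocked
    # A second, independent read: nothing ties it to what was scanned.
    return share.read(path, requester="loader")


def pinned_scan_then_load(share, path):
    """Scan the very buffer the loader will map, never a second copy.

    Returns the bytes that would be executed, or None if blocked.
    """
    to_execute = share.read(path, requester="loader")
    if not scan(to_execute):
        return None  # the malicious copy is what gets scanned, so it is caught
    return to_execute


def divergence_between_readers(share, path):
    """Detection check: do the two components receive different bytes?

    Compares the hash of the scanner's copy with the hash of the loader's
    copy; a mismatch means the share serves content per requester.
    """
    scanner_hash = hashlib.sha256(share.read(path, requester="scanner")).hexdigest()
    loader_hash = hashlib.sha256(share.read(path, requester="loader")).hexdigest()
    return scanner_hash != loader_hash


if __name__ == "__main__":
    evil = DualFaceShare(CLEAN_PE, MALICIOUS_PE)
    path = r"\\evil-share\public\app.exe"  # constructed path
    print("naive loads malicious:", naive_scan_then_load(evil, path) == MALICIOUS_PE)
    print("pinned blocks:", pinned_scan_then_load(evil, path) is None)
    print("readers diverge:", divergence_between_readers(evil, path))
```

The point the model makes is that the flaw is not in the scanner's signature but in scanning a different copy of the file than the one that is executed; `pinned_scan_then_load` closes the gap by checking the loader's own bytes, and `divergence_between_readers` is the kind of consistency check (hash of scanned copy versus hash of mapped copy) that would flag a share serving per-requester content.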