Critical Windows SMB Flaw (CVE-2025-33073) Exposes Systems to Full Takeover

A significant privilege escalation vulnerability, identified as CVE-2025-33073, has been discovered in the Windows Server Message Block (SMB) client, allowing authenticated attackers to gain complete control over affected systems. The flaw, which leverages a sophisticated technique dubbed the "Reflective Kerberos Relay Attack," has prompted Microsoft to release security updates as part of its June 2025 Patch Tuesday.

The vulnerability resides in the way the Windows SMB client handles access control, enabling an attacker who has already gained a foothold in a network with regular user privileges to elevate their access to the highest level, NT AUTHORITY\SYSTEM. This level of access grants the attacker full control over the compromised machine, allowing them to install malware, steal sensitive data, disable security measures, and move laterally across the network.

The "Reflective Kerberos Relay Attack" Explained

At the heart of this vulnerability is a clever manipulation of the Kerberos authentication protocol. Unlike many critical vulnerabilities, this one does not allow for unauthenticated remote code execution. Instead, an attacker must first convince a Windows machine to connect to a malicious SMB server they control. This can be achieved through various methods, including phishing emails containing links to malicious SMB shares.

Once the victim's machine attempts to authenticate with the attacker's server, the attacker relays this authentication attempt back to the victim's machine. This "reflective" maneuver tricks the system into believing it is authenticating itself, resulting in the attacker being granted a SYSTEM-level token. This attack effectively bypasses protections that were put in place to mitigate similar NTLM relay attacks years ago. Researchers at Synacktiv and RedTeam Pentesting, who are credited with discovering the vulnerability, found a way to abuse how the Local Security Authority Subsystem Service (LSASS) handles target information when interacting with the SMB client.

Widespread Impact and Affected Systems

The vulnerability affects a broad range of Windows operating systems, including all supported versions of Windows 10 prior to 24H2, Windows 11 up to 23H2, and Windows Server 2019, 2022, and 2025. A crucial precondition for a successful attack is that SMB signing is not enforced on the target system. While SMB signing is enabled by default on domain controllers, many other systems on a network may not have this protection enabled, leaving them vulnerable.

The discovery of CVE-2025-33073 underscores the ongoing threat of vulnerabilities in fundamental network protocols like SMB. The fact that a proof-of-concept (PoC) exploit is already available in the wild heightens the urgency for organizations to take immediate action.

Mitigation and Best Practices

Microsoft has addressed this vulnerability in its June 2025 security updates and urges all users to apply them immediately. In addition to patching, the most critical mitigation step is to enforce SMB signing on all Windows hosts. This can be configured through Group Policy and prevents the relay attack that is central to this vulnerability.

Security professionals also recommend monitoring networks for unusual SMB connections and coercion attempts, as well as reviewing Active Directory DNS for any suspicious hostnames. This vulnerability serves as a stark reminder of the importance of a layered defense strategy, combining timely patch management with robust security configurations.