
CVE-2025-33073: Windows SMB Client Improper Access Control Added to CISA’s KEV


Filip Dimitrov

October 21, 2025

CVE-2025-33073 is a high-severity vulnerability in the Windows SMB client that enables an authenticated remote attacker to escalate privileges to NT AUTHORITY\SYSTEM by abusing a logical flaw in SMB/NTLM handling when SMB signing is not enforced.

Microsoft assigned it a CVSS v3.1 base score of 8.8 (High). Proof-of-concept exploits and technical write-ups are public, and CISA added CVE-2025-33073 to the Known Exploited Vulnerabilities (KEV) catalog on October 20, 2025, citing evidence of active exploitation. 

Technical overview

  • Component: Windows SMB client (Windows 10/11; Windows Server 2019/2022/2025 among impacted builds per Microsoft’s advisory).
  • Core issue: Improper access control enables a privilege escalation when SMB message integrity is not cryptographically enforced (no SMB signing). The attack path can leverage coerced authentication and NTLM/Kerberos reflection to obtain SYSTEM.
  • Pre-conditions:
    • Attacker has network position to coerce/receive SMB auth (e.g., LLMNR/NBNS poisoning, WebDAV coercion, UNC path lures).
    • Target host does not require SMB signing (client and/or server side).
    • Victim provides valid credentials over SMB/NTLM or Kerberos that can be reflected/relayed.
  • Impact: Code execution as SYSTEM on affected machines, potentially leading to lateral movement, persistence (services/scheduled tasks), credential material access, and domain expansion.

Exploitation in the wild

CISA added CVE-2025-33073 to its KEV catalog on October 20, 2025, citing active exploitation. Public PoC and exploit artifacts on Exploit-DB and GitHub have lowered the barrier to entry and accelerated weaponization.

Remediation Tips

  1. Patch now
    Apply Microsoft’s June 2025 updates (or later cumulative updates) that address CVE-2025-33073 for all supported Windows versions in your estate. Validate KB deployment on endpoints and servers.
  2. Enforce SMB signing everywhere feasible
    Require SMB signing on clients and servers via Group Policy (Microsoft network client/server: Digitally sign communications (always)).

    Also consider blocking or quarantining systems that do not negotiate signed SMB. Public research confirms that signing breaks the attack chain.
  3. Neutralize relays/reflection
    Disable LLMNR and NetBIOS over TCP/IP via GPO.

    Enforce Extended Protection for Authentication (EPA), LDAP signing and channel binding, and restrict NTLM (Domain and Local Security Policy). These steps reduce broader NTLM/Kerberos relay surfaces shown to be abused around this issue.
  4. Network controls
    Block SMB (TCP/445) to/from untrusted segments and the Internet.

    Monitor and alert on unsigned SMB and admin share access from user subnets.
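The following PowerShell script is an added example, not part of the original advisory or of any Microsoft tooling. It audits the settings that steps 2, 3 and 4 above refer to on a single host (SMB signing on client and server roles, LLMNR, NetBIOS over TCP/IP), optionally applies the signing and name-resolution hardening, and reports admin-share access (Security event 5140) originating from subnets you designate as user ranges. The subnet list and lookback window are placeholders; the `Signed` column of `Get-SmbConnection` is assumed to be present on the Windows 10/11 and Server 2019+ builds the advisory lists.

```powershell
# Added example (not from the original advisory): audit and optionally apply the
# host-level mitigations for CVE-2025-33073. Run in an elevated PowerShell session.
# Assumptions: SmbShare module present (Windows 10/11, Server 2019+); "Audit File
# Share" enabled so event 5140 is logged; $UserSubnets is a placeholder to adapt.

[CmdletBinding()]
param(
    [switch]$Remediate,                          # apply fixes instead of only reporting
    [string[]]$UserSubnets = @('10.10.0.0/16'),  # placeholder: workstation ranges to watch
    [int]$LookbackHours = 24
)

function Get-SmbSigningPosture {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning  = $client.RequireSecuritySignature
        ServerRequiresSigning  = $server.RequireSecuritySignature
        # Sessions this host currently holds as an SMB client that did not negotiate signing
        UnsignedClientSessions = @(Get-SmbConnection | Where-Object { -not $_.Signed } |
            Select-Object ServerName, ShareName, Dialect, UserName)
    }
}

function Get-NameResolutionPosture {
    # LLMNR is governed by the DNSClient policy key; EnableMulticast = 0 disables it
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name EnableMulticast -ErrorAction SilentlyContinue
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
    $nbtOn = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } | Select-Object -ExpandProperty Description
    [pscustomobject]@{
        LlmnrDisabled         = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        AdaptersWithNetBiosOn = @($nbtOn)
    }
}

function Set-SmbHardening {
    # Step 2: require signing for both the client and server roles (-Force skips the prompt)
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # Step 3: disable LLMNR and NetBIOS over TCP/IP on every IP-enabled adapter
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    try { $ip = [System.Net.IPAddress]::Parse($Address) } catch { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    # Convert dotted quads to 32-bit integers (int64 avoids sign issues in PowerShell)
    $toInt = { param($a) $n = [int64]0; foreach ($b in $a.GetAddressBytes()) { $n = $n * 256 + $b }; $n }
    $mask = (([int64]0xFFFFFFFF) -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((& $toInt $ip) -band $mask) -eq ((& $toInt ([System.Net.IPAddress]::Parse($net))) -band $mask)
}

function Find-AdminShareAccessFromUserSubnets {
    param([string[]]$Subnets, [int]$Hours)
    # Event 5140 = "A network share object was accessed"; ShareName looks like \\*\C$
    $filter = @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $isAdminShare = $data['ShareName'] -match '^\\\\\*\\(ADMIN\$|C\$|IPC\$)$'
        $fromUserNet  = $Subnets | Where-Object { Test-IPv4InCidr -Address $data['IpAddress'] -Cidr $_ }
        if ($isAdminShare -and $fromUserNet) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Share   = $data['ShareName']
                Source  = $data['IpAddress']
                Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# Report the current posture, apply hardening if requested, then list suspicious share access
Get-SmbSigningPosture    | Format-List
Get-NameResolutionPosture | Format-List
if ($Remediate) {
    Set-SmbHardening
    Write-Host 'Hardening applied; re-run without -Remediate to verify the new posture.'
}
Find-AdminShareAccessFromUserSubnets -Subnets $UserSubnets -Hours $LookbackHours | Format-Table -AutoSize
```

Run it once without `-Remediate` to see where a host stands, then with `-Remediate` on a pilot group before pushing the equivalent settings through Group Policy. Changing `RequireSecuritySignature` does not disrupt existing sessions, but clients that cannot sign will fail to connect to a server that now requires it, which is the intended effect of step 2 and why the `UnsignedClientSessions` list is worth reviewing first. The 5140 report depends on file-share auditing being enabled; the script returns nothing, rather than an error, when it is not.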

OP Innovate’s WASP platform helps organizations continuously detect, validate, and remediate vulnerabilities like CVE-2025-33073 through automated exposure management and expert-led penetration testing. Contact us to strengthen your SMB and Active Directory defenses today.

Stay Safe. Stay Secure.
OP Innovate Research Team
