CVE-2025-33073 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-06-10

Added to CISA KEV: 2025-10-20 132 DAYS BETWEEN CVE AND KEV

⚠️ CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity before patching
Apply Microsoft security updates immediately for all Windows systems
Implement SMB signing and disable SMB v1 if not already done
Monitor for unusual SMB client connections and NTLM authentication patterns
Consider network segmentation to limit SMB client exposure

Here's what is known about the CVE-2025-33073 vulnerability exploitation:

Nature of the Vulnerability: CVE-2025-33073 is an elevation of privilege vulnerability affecting the Windows SMB Client ^[1]. It involves improper access control. ^[1]

Active Exploitation: The vulnerability is actively exploited in the wild ^[1]^[2].

CISA KEV Status: CISA has added CVE-2025-33073 to its Known Exploited Vulnerabilities (KEV) Catalog ^[2].

Attack Vector: This vulnerability is a reflection attack that bypasses NTLM reflection mitigations ^[4]^[6]. It allows an authenticated attacker to relay authentication back to the victim's machine ^[4].

Exploitation Method: The vulnerability involves an NTLM reflection SMB flaw ^[3]. Publicly available proof-of-concept exploits demonstrate its exploitation ^[7]^[5]. These exploits often involve tools and techniques like LLMNR poisoning to exploit devices within the same broadcast domain, potentially without needing DNS registration ^[5]^[3].

Targeted Attacks: While the provided information confirms active exploitation, it doesn't explicitly detail whether CVE-2025-33073 has been specifically used in targeted attacks.

Internet-Facing Applications/Services: The information does not explicitly state whether this vulnerability is used as an initial attack vector for internet-facing applications or services. However, given that it is an SMB client vulnerability, it is likely exploited within a network after gaining initial access ^[1].

CVE-2025-33073 Mitigation Script - Improper Access ...
CVE-2025-33073 is an elevation of privilege vulnerability in Windows SMB Client. This flaw has been assigned a CVSSv3 score of 8.8 and is actively exploited in ...
CISA Adds Five Known Exploited Vulnerabilities to Catalog
CVE-2025-33073 Microsoft Windows SMB Client Improper Access Control Vulnerability ... These types of vulnerabilities are frequent attack vectors ...
GitHub - H1d3r/CVE-2025-33073_AD_SMB_Privilege_RCE: PoC...
CVE-2025-33073. PoC Exploit for the NTLM reflection SMB flaw.If you're in the same broadcast domain as the device and it's vulnerable for LLMNR poisioning it's possible to exploit a device without having to register a DNS record. Troubleshooting. I've seen the attack not work sometimes because the h…
Examining Relay Attacks Through the Lens of CVE-2025-33073
CVE-2025-33073 is the most recent relay attack, which enables an attacker to relay authentication back to the victim's machine – making it a reflection attack.
GitHub - dedibagus/cve-2025-33073: PoC Exploit for the NTLM...
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target 192.168.178.65 --target-ip 192.168.178.65 --cli-only --socks. Also a custom command can be ran through proxychains instead of dumping SAM…

🟢 CVE-2025-33073