November 7th, 2025

Active Exploitation of Windows SMB Client Vulnerability Allows SYSTEM-Level Privilege Escalation (CVE-2025-33073)

High

Our Cyber Threat Intelligence Unit is monitoring active exploitation of a high-severity vulnerability in the Windows SMB client (CVE-2025-33073), which allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on October 20, 2025, with a remediation deadline of November 10 for U.S. Federal Civilian Executive Branch (FCEB) agencies. Public reports and vendor telemetry confirm that attackers are forcing Windows hosts to initiate SMB authentication with malicious servers, which is then exploited to gain SYSTEM-level control on unpatched or vulnerable systems. Proof-of-concept exploits and in-the-wild abuse have been observed, emphasizing the need for rapid patching and strict SMB exposure controls.

Technical Details

Attack Type: Local / Network Privilege Escalation via Improper Access Control in SMB Client.
Severity: High (CVSS: 8.8).
CVE ID: CVE-2025-33073.
Delivery Method: Attacker coerces the vulnerable Windows SMB client to authenticate to a malicious SMB or NTLM listener under attacker control.
Technique: Improper access control in the SMB client permits a crafted network interaction to trigger elevation to SYSTEM on the client machine.
- Exact exploitation chains vary; Microsoft’s advisory and vendor analyses link the root cause to SMB client handling of certain network-initiated operations.
Affected Components: All supported Windows Server and Windows 10 versions, and Windows 11 up to 24H2, prior to installation of the June 2025 security updates. Refer to the Microsoft Update Guide for exact build numbers.

Impact

Privilege Escalation: Attackers can elevate privileges to NT AUTHORITY\SYSTEM, gaining complete control over local processes, services, and security configurations.
Lateral Movement: Compromised endpoints can be used to pivot through network shares, facilitating wider domain compromise and credential theft.
Data Exposure: SYSTEM-level access allows unauthorized retrieval or manipulation of sensitive files, credentials, and enterprise data.
Operational Disruption: Attackers can disable protections, alter configurations, or deploy malware, causing downtime and integrity loss across dependent systems.
Organizational Risk: Successful exploitation may lead to business disruption, regulatory exposure, and reputational damage if patching and access controls are delayed.

Detection Method

Inventory Endpoints: Identify Windows hosts missing the June 2025 (or later) security updates. Prioritize assets with active SMB client usage.
Monitor SMB Traffic: Flag anomalous connections to untrusted SMB servers or relay patterns suggesting forced authentication.
Correlate with Host Events: Alert on new SYSTEM-level processes spawned from non-admin contexts or unusual service creations linked to SMB activity.
Inspect Event Logs: Review for SMB client errors, unexpected disconnects, or crashes coinciding with suspicious network sessions.
EDR Hunting: Search for SYSTEM process execution shortly after outbound SMB (TCP 445) connections to unknown hosts.

Indicators of Compromise

There are No Indicators of Compromise (IOCs) for this Advisory.

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

Apply Microsoft’s June 2025 and later security updates on all Windows clients and servers.
Block outbound TCP 445 (SMB) at perimeter firewalls and NGFWs to prevent authentication to malicious external servers.
Enforce SMB signing and encryption where supported to harden against relay and coercion attacks.
Disable unnecessary SMB client features and avoid automatic mounting of untrusted SMB shares.
Use EDR and network monitoring to detect unauthorized SYSTEM-level activity and investigate any privilege escalation without administrative approval.
Educate users and administrators on the risks of forced SMB authentication and proper segmentation of management networks.

Conclusion

CVE-2025-33073 highlights the continued exploitation of Windows network components through forced authentication and privilege escalation techniques. Active exploitation confirms that unpatched SMB clients are an immediate risk to enterprise environments. We urge organizations to apply the June 2025 security updates without delay, restrict outbound SMB traffic, and hunt for abnormal SYSTEM-level activity linked to SMB sessions. Ongoing coordination between IT and security teams remain essential to prevent lateral movement and safeguard critical assets from coercion-based escalation attacks.

References

https://cybersecuritynews.com/windows-smb-vulnerability-exploited/

https://thehackernews.com/2025/10/five-new-exploited-bugs-land-in-cisas.html

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://www.helpnetsecurity.com/2025/10/21/cisa-warns-of-windows-smb-flaw-under-active-exploitation-cve-2025-33073/

https://www.bleepingcomputer.com/news/security/cisa-high-severity-windows-smb-flaw-now-exploited-in-attacks/

https://socprime.com/blog/cve-2025-33073-zero-day-vulnerability/

https://nvd.nist.gov/vuln/detail/CVE-2025-33073