Executive Summary
In June 2025, Microsoft disclosed CVE-2025-33073, a critical vulnerability in the Windows SMB client that allows attackers to perform NTLM reflection attacks, leading to privilege escalation to SYSTEM level on affected systems. This flaw enables authenticated attackers to coerce a Windows host into authenticating to a malicious SMB server, which then reflects the authentication back to the victim, granting elevated privileges. The vulnerability affects Windows systems where SMB signing is not enforced, including various versions of Windows 10, 11, and Windows Server. (helpnetsecurity.com)
The exploitation of CVE-2025-33073 underscores the persistent risks associated with NTLM relay attacks and the importance of enforcing SMB signing across all systems. Organizations are urged to apply the security updates released by Microsoft in June 2025 and to review their network configurations to mitigate potential exploitation paths. (helpnetsecurity.com)
Why This Matters Now
Despite the availability of patches since June 2025, CVE-2025-33073 remains actively exploited, highlighting the urgency for organizations to apply updates and enforce SMB signing to prevent privilege escalation attacks. (helpnetsecurity.com)
Attack Path Analysis
An attacker exploited CVE-2025-33073 by coercing a domain-joined machine to authenticate to a malicious SMB server, leading to SYSTEM-level access. Utilizing this access, the attacker escalated privileges by capturing the machine's Ticket Granting Ticket (TGT) through unconstrained delegation. With the TGT, the attacker moved laterally to the domain controller, performing a DCSync operation to extract domain credentials. The attacker established command and control by maintaining SYSTEM-level access on compromised machines. Subsequently, sensitive data was exfiltrated from the domain controller. The attack culminated in full domain compromise, allowing the attacker to manipulate or destroy critical assets.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited CVE-2025-33073 by coercing a domain-joined machine to authenticate to a malicious SMB server, leading to SYSTEM-level access.
Related CVEs
CVE-2025-33073
CVSS 8.8Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
Affected Products:
Microsoft Windows Server 2008 – R2 SP1
Microsoft Windows Server 2012 – R2
Microsoft Windows Server 2012 – -
Microsoft Windows Server 2008 – SP2
Microsoft Windows 10 1507 – < 10.0.10240.21034
Microsoft Windows 10 1607 – < 10.0.14393.8148
Microsoft Windows 10 1809 – < 10.0.17763.7434
Microsoft Windows 10 21H2 – < 10.0.19044.5965
Microsoft Windows 10 22H2 – < 10.0.19045.5965
Microsoft Windows 11 22H2 – < 10.0.22621.5472
Microsoft Windows 11 23H2 – < 10.0.22631.5472
Microsoft Windows 11 24H2 – < 10.0.26100.4270
Microsoft Windows Server 2016 – < 10.0.14393.8148
Microsoft Windows Server 2019 – < 10.0.17763.7434
Microsoft Windows Server 2022 – < 10.0.20348.3745
Microsoft Windows Server 2022 23H2 – < 10.0.25398.1665
Microsoft Windows Server 2025 – < 10.0.26100.4270
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
LLMNR/NBT-NS Poisoning and SMB Relay
Valid Accounts
External Remote Services
Use Alternate Authentication Material: Pass the Ticket
OS Credential Dumping: LSASS Memory
Application Layer Protocol: SMB/Windows Admin Shares
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
CVE-2025-33073 NTLM reflection attacks bypass SMB signing protections, enabling privilege escalation to compromise domain controllers storing sensitive financial data and customer records.
Health Care / Life Sciences
Unconstrained delegation vulnerabilities allow attackers to escalate from standard domain users to SYSTEM access, threatening HIPAA-protected patient data and critical healthcare infrastructure.
Government Administration
One-hop attacks through member servers circumvent Tier 0 protections, potentially compromising classified systems and enabling unauthorized access to government domain controllers nationwide.
Information Technology/IT
IT organizations face direct exposure as attack targets, with legacy applications using unconstrained delegation creating pathways for complete Active Directory domain compromise.
Sources
- Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problemhttps://www.praetorian.com/blog/cve-2025-33073-ntlm-reflection-one-hop/Verified
- Windows SMB Client Elevation of Privilege Vulnerabilityhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073Verified
- CVE-2025-33073 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-33073Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is relevant to this incident as it could likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and monitoring controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix CNSF would likely limit the attacker's ability to exploit the compromised system further by enforcing strict segmentation and identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely constrain the attacker's ability to escalate privileges by enforcing strict access controls and limiting interactions between workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely detect and limit unauthorized command and control communications by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix CNSF could likely reduce the attacker's ability to escalate privileges and move laterally, the potential for data deletion and operational disruption may still exist if initial access is achieved.
Impact at a Glance
Affected Business Functions
- Active Directory Services
- Network File Sharing
- User Authentication
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive user credentials and domain controller access.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce SMB signing across all domain-joined systems to prevent NTLM relay attacks.
- • Disable unconstrained delegation to mitigate the risk of TGT theft.
- • Implement Zero Trust Segmentation to restrict lateral movement within the network.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- • Regularly update and patch systems to address known vulnerabilities like CVE-2025-33073.
