CVE-2025-33073 | MS | PE
| Vulnerability | CVE‑2025‑33073 |
|---|---|
| Type | Improper Access Control (CWE‑284) |
| Description | Improper access control in the Windows SMB client allows an authenticated network attacker to elevate privileges to SYSTEM on any host it can coerce into an outbound SMB connection. |
| Affected Systems | Any domain-joined Windows host whose SMB server does not require signing of incoming connections. With default settings this covers Windows 10 and Windows 11 up to 23H2 and Windows Server releases up to and including Windows Server 2025 (24H2); domain controllers are excluded because they require SMB signing by default. |
| Attack Vector | Remote, network-based. Requires valid domain credentials (any authenticated user can add ADIDNS records and trigger coercion). The attacker coerces the victim host into authenticating over SMB to a listener whose DNS name is the victim's own host name followed by a marshalled target-info suffix; lsass.exe (SYSTEM) on the victim performs that authentication and, because of the crafted name, treats the target as the local machine. |
| Exploit Mechanism | 1. With any domain account, add an A record in Active Directory Integrated DNS (ADIDNS) named "victim host name" + "marshalled target-info suffix" (the suffix listed under IOCs) that points to the attacker's listener. 2. Coerce the victim's SMB client (e.g. PetitPotam over MS-EFSR) into connecting to a share on the crafted name. 3. While preparing the NTLM or Kerberos authentication, the victim strips the marshalled suffix (CredUnmarshalTargetInfo) and resolves the target to itself, so the authentication is handled as local; the attacker relays it (ntlmrelayx or krbrelayx) back to the victim's own SMB server, which reuses the original SYSTEM security context for the session instead of the machine account's network identity. 4. Execute commands with SYSTEM privilege through the relayed SMB session. |
| Impact of the Bug | - Remote SYSTEM-level code execution on any affected host the attacker can coerce, i.e. full compromise of that host (credential dumping, lateral movement) from a low-privileged domain account |
| Detection Techniques | - Monitor outbound SMB/RPC authentication attempts to unusual DNS names, in particular names that consist of a known host name followed by a long trailing blob - Alert on ADIDNS record creation by non-administrative accounts (Directory Service Changes auditing on the DNS zone, Event IDs 5137/5136 for dnsNode objects) - Correlate Windows Event ID 4624 (logon type 3 by the host's own computer account from a source address other than the host itself) with Event ID 5145 share access to ADMIN$ or IPC$ - IDS/EDR signatures for coercion (PetitPotam, MS-EFSR) and NTLM/Kerberos relay tooling |
| IOCs Related to Exploitation | - A newly added DNS A record whose name is an existing host name followed by a marshalled target-info suffix such as 1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, pointing to an internal IP that is not the real host - Use of PetitPotam, ntlmrelayx, krbrelayx |
| Mitigation Steps | - Apply Microsoft's June 2025 security update for CVE‑2025‑33073 on every client and server build - Require SMB signing for incoming connections on all hosts, not only domain controllers: GPO "Microsoft network server: Digitally sign communications (always)" = Enabled (registry HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature = 1) - Defense in depth: restrict who may create ADIDNS records and reduce the coercion surface (PetitPotam/MS-EFSR hardening) |
| Workaround if Available | Temporary mitigation: require SMB signing for incoming connections (server side) on all potential targets; requiring signing only on the client side does not stop the relayed session. No other official workaround; patching remains the best defense. |
| References | - Microsoft MSRC advisory for CVE‑2025‑33073 - Synacktiv publication - SySS Tech Blog post - RedTeam Pentesting GmbH article |
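The two indicators from the detection and IOC rows, turned into an offline hunt. This is an added example, not code from the advisory or from any of the cited write-ups; the DNS records and 4624 events it scans are constructed sample objects, and the host names, addresses and the "blob-like suffix" heuristic (a '1' followed by at least 20 characters of the credential-marshalling alphabet) are assumptions for illustration. In production, build the input objects from Get-DnsServerResourceRecord -RRType A and from Get-WinEvent on the Security log.

```powershell
# Added example (not the advisory's or the cited write-ups' code): offline hunt for the
# CVE-2025-33073 indicators. All input data below is CONSTRUCTED sample data.

# Suffix quoted in the IOC row: a marshalled target-info blob which, appended to a real
# host name, makes the victim's SMB client treat the target as the local machine.
$KnownMarshalledSuffix = '1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA'

function Find-SuspiciousDnsRecords {
    param([Parameter(Mandatory)] [object[]] $Records)   # objects with Name and IPv4
    $knownNames = $Records | ForEach-Object { $_.Name.ToLowerInvariant() }
    foreach ($r in $Records) {
        $name = $r.Name.ToLowerInvariant()
        foreach ($h in $knownNames) {
            # Candidate: the record name is an existing host name plus a blob-like suffix
            # (assumed heuristic: starts with '1', then >= 20 chars of A-Z a-z 0-9 # -).
            if ($name.Length -le $h.Length -or -not $name.StartsWith($h)) { continue }
            $suffix = $r.Name.Substring($h.Length)
            if ($suffix -cnotmatch '^1[A-Za-z0-9#-]{20,}$') { continue }
            $confidence = if ($suffix -ceq $KnownMarshalledSuffix) { 'High (known blob)' } else { 'Medium (blob-like suffix)' }
            [pscustomobject]@{ Record = $r.Name; Impersonates = $h; IPv4 = $r.IPv4; Confidence = $confidence }
            break
        }
    }
}

function Find-ReflectedLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,       # Computer, TargetUserName, LogonType, IpAddress
        [string[]] $LocalAddresses = @('127.0.0.1', '::1', '-')
    )
    foreach ($e in $Events) {
        # Shape of a relayed/reflected authentication: a network logon (type 3) on host X
        # by X's OWN computer account (X$) whose source address is not X itself.
        if ([int]$e.LogonType -ne 3) { continue }
        $ownAccount = $e.Computer.Split('.')[0] + '$'
        if ($e.TargetUserName -ine $ownAccount) { continue }
        if ($LocalAddresses -contains $e.IpAddress) { continue }
        [pscustomobject]@{ Host = $e.Computer; Account = $e.TargetUserName; SourceIP = $e.IpAddress; Note = 'own computer account from a foreign source' }
    }
}

# --- Constructed sample data (hypothetical hosts and addresses) ---
$dnsRecords = @(
    [pscustomobject]@{ Name = 'srv1';  IPv4 = '10.0.0.5' }
    [pscustomobject]@{ Name = 'srv10'; IPv4 = '10.0.0.6' }      # benign prefix collision, not flagged
    [pscustomobject]@{ Name = 'wks7';  IPv4 = '10.0.0.20' }
    [pscustomobject]@{ Name = 'srv1' + $KnownMarshalledSuffix; IPv4 = '10.0.0.99' }   # attacker listener
)
$logonEvents = @(
    [pscustomobject]@{ Computer = 'srv1.corp.local'; TargetUserName = 'SRV1$'; LogonType = 3; IpAddress = '10.0.0.99' }  # relayed back
    [pscustomobject]@{ Computer = 'srv1.corp.local'; TargetUserName = 'alice'; LogonType = 3; IpAddress = '10.0.0.20' }
    [pscustomobject]@{ Computer = 'srv1.corp.local'; TargetUserName = 'SRV1$'; LogonType = 3; IpAddress = '127.0.0.1' }
)

Find-SuspiciousDnsRecords -Records $dnsRecords | Format-Table -AutoSize
# srv1's own address is added to the local list so a genuine loopback-over-NIC logon is not flagged.
Find-ReflectedLogons -Events $logonEvents -LocalAddresses @('127.0.0.1', '::1', '-', '10.0.0.5') | Format-Table -AutoSize
```

On the sample data the first function reports only the srv1 record carrying the known suffix (srv10 is not flagged because its remainder is a single digit), and the second reports only the SRV1$ network logon from 10.0.0.99. The computer-account check is the higher-value signal: a relayed NTLM or Kerberos authentication arrives from the relay host, not from the victim, even though the account is the victim's own.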
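Auditing and applying the server-side signing requirement from the mitigation and workaround rows, as an added example that is not Microsoft's code nor code from the cited write-ups. It assumes an elevated PowerShell on a domain-joined host with the SmbShare module (Windows 8 / Windows Server 2012 and later); the patch check is only a date heuristic against the June 2025 Patch Tuesday (10 June 2025) and does not identify the specific KB for a given build.

```powershell
# Added example (not Microsoft's or the cited write-ups' code): audit and enforce the
# SMB signing requirement on the SERVER side, the setting that makes a relayed/reflected
# CVE-2025-33073 session fail. Run elevated.
#Requires -RunAsAdministrator

# Registry value behind the GPO "Microsoft network server: Digitally sign communications (always)".
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbSigningState {
    $cfg = Get-SmbServerConfiguration
    $reg = Get-ItemProperty -Path $regPath -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    $regValue = if ($reg) { $reg.RequireSecuritySignature } else { 'not set (default: not required)' }
    [pscustomobject]@{
        ServerRequiresSigning = $cfg.RequireSecuritySignature   # weak: $false, hardened: $true
        ServerEnablesSigning  = $cfg.EnableSecuritySignature
        RegistryValue         = $regValue                        # weak: 0 or absent, hardened: 1
        Vulnerable            = -not $cfg.RequireSecuritySignature
    }
}

function Set-SmbSigningRequired {
    # Set the live SMB server configuration and mirror it in the registry so the
    # state is visible to the same audit the GPO-managed value is.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-ItemProperty -Path $regPath -Name RequireSecuritySignature -Value 1 -Type DWord
}

function Test-JunePatchHeuristic {
    # Heuristic only (assumption): any update installed on or after 10 June 2025.
    # It does not prove the CVE-2025-33073 fix is present; map the KB for your build
    # from the MSRC advisory and check it explicitly.
    $cutoff = [datetime]'2025-06-10'
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff }
    return [bool]$recent
}

$before = Get-SmbSigningState
$before | Format-List
if ($before.Vulnerable) {
    Set-SmbSigningRequired
    Get-SmbSigningState | Format-List
}
"Update installed since June 2025 Patch Tuesday: $(Test-JunePatchHeuristic)"
```

Apply this (or the equivalent GPO) to every member server and workstation that could be coerced, not only to domain controllers, which already require signing by default. Requiring signing only on the client side ("Microsoft network client: Digitally sign communications (always)") does not help here, because the session that needs to be refused is the relayed one arriving at the victim's SMB server.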