In a significant development for cybersecurity, Microsoft has patched a high-risk zero-day vulnerability, identified as CVE-2025-33073, that affects Windows SMB. This vulnerability, which carries a severity score of 9.8 on the CVSS scale, was included in Microsoft's June 2025 update but received limited attention, leaving many organizations unaware of the potential threat.
"So this one’s weird. Not just technically interesting (though it is), but kind of unsettling in the way it turns long-standing Windows behavior against itself," said cybersecurity expert JoseMar, reflecting on the implications of the vulnerability. He elaborated that attackers could exploit it by coercing a machine to authenticate to them, reflecting the ensuing Kerberos ticket back to the original system, which can lead to SYSTEM privileges.
This vulnerability represents a new manifestation of a previously solved issue, with methods that had been effective since the introduction of NTLM relaying back in 2008. The novel approach leverages what is termed Reflective Kerberos Relay, which cleverly circumvents established protections. “You get NT AUTHORITY\SYSTEM. And yeah, that’s as bad as it sounds,” noted JoseMar, emphasizing the critical nature of this flaw.
Race Results
Race Results
Race Results
The mechanics behind this exploit involve sophisticated techniques, including separating the coercion target from the Service Principal Name (SPN) and using SMB to confuse Windows ticket logic, causing it to misinterpret privilege boundaries. This confusion results in the unexpected elevation of privileges, posing a substantial risk to organizations that have not applied the June 2025 patch.
Organizations using affected systems—including Windows Server 2019 to 2025, Windows 11 (pre-24H2), and all versions of Windows 10—must prioritize getting their systems updated. JoseMar suggests, “Who’s at risk? If you’re running any of the following and haven’t patched as of June 10, 2025, you’re vulnerable.”
To successfully execute the exploit, attackers would require familiarity with Kerberos internals, modified tools like krbrelayx, and a specific target configuration where SMB signing is not enforced. There have been discussions around tools like wspcoerce that could facilitate exploitation, yet a public proof of concept has yet to be fully realized.
In light of this vulnerability, JoseMar offered several recommendations for organizations to protect themselves.
Impact and Legacy
Impact and Legacy
"Maybe audit which tools in your org still depend on legacy auth protocols and… fix that?" he advised. He also recommended not unnecessarily exposing SMB—even within trusted networks—and adopting best practices like enabling Channel Binding, Extended Protection for Authentication (EPA), and enforcing SMB signing to mitigate risks associated with relaying.
The urgency surrounding this patch serves as a wake-up call for many organizations that have operated under default configurations and delayed necessary updates.
"This vuln is a good reminder that NTLM isn’t the only old protocol that needs babysitting," JoseMar concluded. He acknowledged the challenges of patch management in large organizations but cautioned, "If this kind of vuln is possible today, what do you think will surface next year?"
"This vuln is a good reminder that NTLM isn’t the only old protocol that needs babysitting,"
As research continues and awareness grows, organizations must remain proactive in maintaining cybersecurity hygiene to mitigate the risks posed by vulnerabilities like CVE-2025-33073. Failing to act could lead to significant breaches, especially as cyber threats evolve rapidly.
