Normal view

Received before yesterday

Active Exploitation of Critical Windows SMB Flaw CVE-2025-33073 Spotted

✇Cybersecurity News and Magazine
By:Ashish Khaitan
21 October 2025 at 05:39

CVE-2025-33073

A flaw rooted in the Server Message Block (SMB) protocol of Windows enables attackers to escalate privileges to SYSTEM level on vulnerable Windows devices, potentially granting full control over affected systems.  The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of this high-severity Windows vulnerability, tracked as CVE-2025-33073.

Details of the CVE-2025-33073 SMB Flaw

CVE-2025-33073 is a privilege escalation vulnerability found in the Windows SMB client, affecting a wide range of Microsoft operating systems, including all Windows Server versions, Windows 10, and Windows 11 up to the 24H2 update. Microsoft disclosed the flaw on June 10, 2025, as part of its Patch Tuesday updates, alongside a security bulletin describing the issue as an improper access control weakness (classified under CWE-284).  The vulnerability allows an authorized attacker to elevate privileges remotely without requiring user interaction, making it especially dangerous. Once exploited, attackers can gain SYSTEM-level privileges, effectively allowing them to take over the targeted device. 

How the Exploit Works

The exploitation method involves tricking a victim’s Windows machine into connecting to a malicious SMB server controlled by the attacker. According to Microsoft, "an attacker could execute a specially crafted malicious script to coerce the victim's machine to connect back to the attack system using SMB and authenticate." This connection enables the attacker to exploit improper access controls within the SMB protocol, leading to elevated privileges.  In practice, this means that an attacker does not necessarily need direct access to the system but can trigger the vulnerability over the network by luring users to connect to malicious SMB servers. This method amplifies the risk of remote attacks, especially within corporate networks where SMB is widely used for file sharing and communications. 

Severity and Impact

The Common Vulnerability Scoring System (CVSS) rates CVE-2025-33073 as an 8.8 (base) with a 7.9 environmental score, indicating a high level of severity. The flaw has the following characteristics: 
  • Attack Vector: Network 
  • Attack Complexity: Low 
  • Privileges Required: Low 
  • User Interaction: None 
  • Scope: Unchanged 
  • Confidentiality, Integrity, Availability Impact: High 
Given these factors, the vulnerability poses a direct risk to affected Windows systems. 

CISA’s Response and Federal Directive

In response to reports of active exploitation, CISA has added CVE-2025-33073 to its Known Exploited Vulnerabilities Catalog. This inclusion triggers a compliance requirement for Federal Civilian Executive Branch (FCEB) agencies, mandating them to patch affected systems by November 10, 2025, as per Binding Operational Directive (BOD) 22-01. This directive aims to reduce the attack surface and protect government infrastructure from escalating cyber threats.  While Microsoft’s original advisory did not confirm active exploitation at the time of patch release, CISA’s statement indicates that threat actors have since begun leveraging this SMB flaw in real-world attacks, highlighting the urgency for organizations to apply security updates promptly. 

Researchers Behind the Discovery

Microsoft credited multiple security researchers and firms with uncovering the CVE-2025-33073 vulnerability, underscoring the collaborative nature of cybersecurity discovery. Notable contributors include Keisuke Hirata, Wilfried Bécard, Stefan Walter, Daniel Isern, James Forshaw, RedTeam Pentesting GmbH, Cameron Stish, and Ahamada M'Bamb. Their combined efforts led to the timely identification and remediation of this critical Windows SMB flaw.  CVE-2025-33073 represents a cybersecurity risk for Windows users, given its ability to elevate privileges remotely via the SMB protocol. With confirmed active exploitation by threat actors, organizations, especially those running Windows Server, Windows 10, and Windows 11 systems, are strongly urged to apply Microsoft’s June 2025 patches immediately. Failure to do so could lead to unauthorized SYSTEM-level access and potentially devastating network breaches. 

Patch Tuesday, June 2025 Edition

✇Krebs on Security
By:BrianKrebs
10 June 2025 at 20:10

Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.

The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV — an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.

Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default.

“The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control,” Barnett said. “Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2.”

Microsoft warns that an “elevation of privilege” vulnerability in the Windows Server Message Block (SMB) client (CVE-2025-33073) is likely to be exploited, given that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploitation of the flaw leads to the attacker gaining “SYSTEM” level control over a vulnerable PC.

“What makes this especially dangerous is that no further user interaction is required after the initial connection—something attackers can often trigger without the user realizing it,” said Alex Vovk, co-founder and CEO of Action1. “Given the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments. The scope of affected systems is extensive, as SMB is a core Windows protocol used for file and printer sharing and inter-process communication.”

Beyond these highlights, 10 of the vulnerabilities fixed this month were rated “critical” by Microsoft, including eight remote code execution flaws.

Notably absent from this month’s patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory. The bug, dubbed “BadSuccessor,” was publicly disclosed by researchers at Akamai on May 21, and several public proof-of-concepts are now available. Tenable’s Satnam Narang said organizations that have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.

Adobe has released updates for Acrobat Reader and six other products addressing at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome both recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day exploits in the browser (CVE-2025-5419 and CVE-2025-4664).

For a detailed breakdown on the individual security updates released by Microsoft today, check out the Patch Tuesday roundup from the SANS Internet Storm Center. Action 1 has a breakdown of patches from Microsoft and a raft of other software vendors releasing fixes this month. As always, please back up your system and/or data before patching, and feel free to drop a note in the comments if you run into any problems applying these updates.

❌