CISA warns of Windows SMB flaw under active exploitation (CVE-2025-33073)

CVE-2025-33073, a Windows SMB Client vulnerability that Microsoft fixed in June 2025, is being exploited by attackers.

The confirmation comes from the Cybersecurity and Infrastructure Security Agency (CISA), which has added the flaw to its Known Exploited Vulnerabilities catalog, presumably based on credible reports.

About CVE-2025-33073

CVE-2025-33073 allows for privilege escalation, enabling attackers to gain SYSTEM (highest) privileges on a vulnerable Windows or Windows Server system.

“To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate,” Microsoft says. “Upon connecting, the malicious server could compromise the protocol.”

An attacker could also convince a target user to execute this script.

When Microsoft released the fix, it said that the vulnerability was publicly disclosed but not actively exploited.

On the following day, the company attributed discovery of the flaw to a number of researchers: CrowdStrike’s Keisuke Hirata; Synacktiv’s Wilfried Bécard; GuidePoint Security’s Cameron Stish; BNP Paribas’ Ahamada M’Bamba; SySS GmbH’s Stefan Walter and Daniel Isern; RedTeam Pentesting GmbH; and Google Project Zero’s James Forshaw.

Some of these researchers also published technical details about the vulnerability.

Bécard and his colleague Guillaume André noted that it “bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing” and that even though Microsoft considers CVE-2025-33073 to be an elevation of privilege vulnerability, it is actually an authenticated remote command execution flaw.
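The condition the Synacktiv researchers single out is whether a machine enforces SMB signing. The following PowerShell script is an added example, not code from the article, from Microsoft or from any of the researchers named above: it audits the server- and client-side signing requirement on the host it runs on with the standard SmbShare cmdlets (available on Windows 8 / Server 2012 and later), optionally turns enforcement on, and checks for an installed update whose KB number is a placeholder you must replace with the June 2025 cumulative update for your build.

```powershell
# Added example (not from the article, Microsoft or the researchers it cites).
# Audits SMB signing enforcement on this host and, with -Remediate, enforces it.
# Run from an elevated PowerShell session.
param(
    [switch]$Remediate,
    # Placeholder, not a real identifier: replace with the June 2025 update KB for this build.
    [string]$PatchKb = 'KB<placeholder>'
)

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

# RequireSecuritySignature is the setting that matters; EnableSecuritySignature
# alone only offers signing and still lets an unsigned session be negotiated.
[pscustomobject]@{
    ServerRequiresSigning = $server.RequireSecuritySignature
    ServerEnablesSigning  = $server.EnableSecuritySignature
    ClientRequiresSigning = $client.RequireSecuritySignature
    ClientEnablesSigning  = $client.EnableSecuritySignature
} | Format-List

if (-not $server.RequireSecuritySignature -or -not $client.RequireSecuritySignature) {
    Write-Warning 'SMB signing is not required on this host; it meets the unsigned-SMB condition described for CVE-2025-33073.'
    if ($Remediate) {
        # Same effect as the Group Policy settings
        # "Microsoft network server/client: Digitally sign communications (always)".
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Write-Host 'SMB signing is now required for both server and client connections.'
    }
} else {
    Write-Host 'SMB signing is required on both the server and client side.'
}

# Patch-level check; $PatchKb is a placeholder until you substitute the real KB id.
if (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) {
    Write-Host "$PatchKb is installed."
} else {
    Write-Warning "$PatchKb was not found; confirm this host carries the June 2025 update."
}
```

Enforcing signing closes the relay path the write-up describes but does not replace the patch; run the script on domain controllers and file servers first, since those are the hosts where an unsigned SMB session gives an attacker the most reach.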

Other researchers have released proof-of-concept exploits.

Other exploited vulnerabilities

As usual, CISA did not share details about the attacks – it just directed US Federal Civilian Executive Branch (FCEB) agencies to remediate it by November 10, 2025.

Within the same deadline, the agencies have also been ordered to mitigate:

  • An old vulnerability affecting Apple’s iOS and macOS (CVE-2022-48503)
  • A recently patched SSRF vulnerability (CVE-2025-61884) in Oracle E-Business Suite, which may have been leveraged in recent attacks by Cl0p
  • Two authentication bypass vulnerabilities (CVE-2025-2746, CVE-2025-2747) in Kentico Xperience Staging Sync Server, discovered and unveiled by watchTowr researchers.
