CVE-2025-33073
📋 TL;DR
CVE-2025-33073 is an improper access control vulnerability in Windows SMB that allows authenticated attackers to elevate privileges over a network. This affects organizations running vulnerable Windows systems with SMB enabled. Attackers can exploit this to gain higher privileges than intended.
💻 Affected Systems
- Windows Server
- Windows Client
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full domain compromise with administrative access to all connected systems and data exfiltration.
Likely Case
Lateral movement within the network leading to data theft, ransomware deployment, or persistent access.
If Mitigated
Limited to initial access point with no privilege escalation possible.
🎯 Exploit Status
Requires authenticated access to the SMB service. Exploitation appears straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft. 2. Restart affected systems. 3. Verify the patch is installed via Windows Update history.
🔧 Temporary Workarounds
Disable SMBv1
windowsDisables the vulnerable SMB version 1 protocol
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Block SMB ports at firewall
windowsBlocks SMB network traffic to prevent remote exploitation
New-NetFirewallRule -DisplayName "Block SMB" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
🧯 If You Can't Patch
- Implement network segmentation to isolate SMB traffic
- Enforce strict access controls and monitor SMB authentication logs
🔍 How to Verify
Check if Vulnerable:
Check if SMB is enabled and accessible on ports 139/445. Review system for missing security patches.Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify the latest Windows security updates are installed via Windows Update or Get-Hotfix.📡 Detection & Monitoring
Log Indicators:
- Unusual SMB authentication attempts
- Privilege escalation events in Windows Security logs
- Multiple failed SMB connections from single source
Network Indicators:
- SMB traffic to unexpected destinations
- Anomalous SMB protocol usage patterns
SIEM Query:
source="windows_security" EventCode=4625 OR EventCode=4672 | stats count by src_ip, user🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
- https://www.vicarius.io/vsociety/posts/cve-2025-33073-detection-script-improper-access-control-in-windows-smb-affects-microsoft-products
- https://www.vicarius.io/vsociety/posts/cve-2025-33073-mitigation-script-improper-access-control-in-windows-smb-affects-microsoft-products
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33073
