Attackers are actively exploiting a critical Windows SMB client vulnerability (CVE-2025-33073) in the wild. To help safeguard your environment and your customers’, please review and apply the best practices outlined in this Cybersecurity Threat Advisory.
What is the threat?
CVE-2025-33073 is a vulnerability in the Windows SMB client that allows attackers to gain SYSTEM-level privileges by tricking a Windows device into authenticating to a malicious SMB server.
In practice, an attacker can send a crafted script or SMB message that causes the victim’s device to initiate a connection to an attacker-controlled host. When the SMB client attempts to authenticate, the attacker can intercept and manipulate the session, escalating privileges to SYSTEM. Upon successful exploitation of this vulnerability, a network-based, authenticated attacker can take full control of an unpatched system.
Why is it noteworthy?
This high-severity vulnerability (CVSS 8.8) is under active exploitation by threat actors. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are using it in real-world incidents.
Attackers can trigger this exploit simply by luring a user or service to connect to a malicious SMB endpoint, turning it into a powerful tool for post-compromise escalation. In networks where SMB signing isn’t enforced, the exploit bypasses existing NTLM relay and reflection mitigations, according to researchers.
What is the exposure or risk?
All supported versions of Windows Server and Windows 10/11 (up to 24H2) are affected if not patched. A local user or process with network access to SMB can escalate privileges to SYSTEM, gaining full control of the machine.
In domain environments—especially where SMB signing is not enforced—compromising a server or domain controller could allow attackers to execute commands as SYSTEM and potentially steal or misuse domain credentials.
What are the recommendations?
Organizations should operate under the assumption that adversaries may attempt to use this vulnerability to expand access within compromised networks. Barracuda recommends the following actions to mitigation your risks:
- Deploy Microsoft’s June 2025 security updates that address CVE-2025-33073 across all Windows servers and endpoints at the earliest availability.
- Inventory all Windows hosts and confirm the June 2025 update is installed using a patch or endpoint management tool.
- Monitor for unusual outbound SMB connections or authentication attempts, and restrict SMB access to untrusted networks.
- Block SMB client traffic to external or unknown servers where feasible.
- Enable and require SMB signing, especially on domain controllers and critical servers to reduce exploitability.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/cisa-high-severity-windows-smb-flaw-now-exploited-in-attacks/
- https://www.helpnetsecurity.com/2025/10/21/cisa-warns-of-windows-smb-flaw-under-active-exploitation-cve-2025-33073/
- https://www.secpod.com/blog/act-fast-smb-vulnerability-lets-attackers-gain-system-level-access/
- https://www.theregister.com/2025/10/21/cisa_windows_smb_bug/
- https://thehackernews.com/2025/10/five-new-exploited-bugs-land-in-cisas.html
- https://www.databreachtoday.com/cisa-flags-highly-exploitable-windows-smb-flaw-a-29778
- https://nvd.nist.gov/vuln/detail/CVE-2025-33073
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.