Urgent Windows SMB Flaw Actively Exploited, CISA Warns
▼ Summary
– Threat actors are actively exploiting CVE-2025-33073, a high-severity Windows SMB vulnerability allowing SYSTEM privilege escalation on unpatched systems.
– The flaw impacts all Windows Server, Windows 10, and Windows 11 versions up to 24H2, and was patched by Microsoft in June 2025.
– Exploitation requires convincing a victim to connect to a malicious SMB server, enabling attackers to elevate privileges over the network.
– CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to patch by November 10.
– While the directive targets federal agencies, CISA urges all organizations to patch promptly due to significant risks from active exploitation.
A critical security vulnerability within the Windows Server Message Block (SMB) protocol is now being actively exploited by cybercriminals, allowing them to seize complete control over affected systems. The Cybersecurity and Infrastructure Security Agency (CISA) has officially confirmed these attacks and is urging immediate action to apply the available security patch. This flaw enables attackers to escalate their privileges to the highest SYSTEM level on any unpatched Windows machine.
Identified as CVE-2025-33073, the vulnerability impacts a broad range of Microsoft operating systems. This includes all versions of Windows Server and Windows 10, in addition to Windows 11 systems up through the 24H2 release. Microsoft addressed the issue as part of its June 2025 Patch Tuesday updates, classifying it as an improper access control weakness. This type of flaw permits an already authenticated attacker to gain higher privileges across a network connection.
According to Microsoft’s advisory, an attacker can manipulate a victim into connecting to a malicious SMB server under their control. Once this connection is established, the rogue server can compromise the communication protocol. The exploitation involves running a specially designed malicious script that tricks the target machine into initiating a connection back to the attacker’s system using SMB and performing authentication. This sequence of events results in a full privilege escalation.
Although details of this vulnerability were publicly known before the official patches were made available, Microsoft has not commented on CISA’s recent announcement regarding active exploitation in the wild. The discovery of this significant security hole is credited to a team of researchers from various organizations, including experts from CrowdStrike, Synacktiv, SySS GmbH, Google Project Zero, and RedTeam Pentesting GmbH.
In response to the active threats, CISA has added CVE-2025-33073 to its Known Exploited Vulnerabilities Catalog. This action mandates all Federal Civilian Executive Branch agencies to remediate the flaw within a three-week window, with a strict deadline of November 10, as required by Binding Operational Directive 22-01. While this directive is legally binding only for federal agencies, CISA strongly advises all private and public sector organizations to prioritize patching this vulnerability without delay.
CISA emphasized the serious risk on Monday, stating that such vulnerabilities are commonly used as entry points by malicious actors and represent a substantial threat to the entire federal network infrastructure. Prompt patching remains the most effective defense against potential attacks exploiting this weakness.
(Source: Bleeping Computer)
