
Just in Time Bulletin: CVE-2025-33073 Reflective Kerberos Relay Attack

Jun 22, 2025

What is CVE-2025-33073?

CVE-2025-33073, also known as the Reflective Kerberos Relay Attack, is a critical privilege escalation vulnerability in Windows hosts. Discovered by RedTeam Pentesting in January 2025, this logical flaw bypasses existing NTLM reflection mitigations.

Key aspects of the vulnerability:

  • Attack Mechanism: An attacker coerces a Windows host to authenticate via SMB. The attacker then relays the computer account’s Kerberos ticket back to the same host via SMB. During this process, certain DNS records are incorrectly treated as equivalent to localhost, which leads to a local NTLM authentication and allows the attacker to gain NT AUTHORITY\SYSTEM privileges.
  • Impact: Successful exploitation can lead to remote code execution as SYSTEM on the vulnerable machine.
  • Mitigation:
    • Microsoft released a patch for CVE-2025-33073 on June 10, 2025, as part of Patch Tuesday. The patch prevents SMB connections when a target name with marshalled target information is detected.
    • Enforcing SMB signing on Windows hosts is a crucial preventative measure against this and similar authentication relay vulnerabilities.

 

How bad is this?

According to the National Vulnerability Database (NVD), CVE-2025-33073 has a CVSS 3.x Base Score of 8.8 (HIGH) and is categorized under CWE-284 Improper Access Control.

Severity: Critical

  • Domain access is required
  • Trivial exploitation

 

Who is affected by this?

Product
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server 2025
Windows 11 Version 24H2 for x64-based Systems
Windows 11 Version 24H2 for ARM64-based Systems
Windows Server 2022, 23H2 Edition (Server Core installation)

How is it exploited?

This vulnerability is exploitable remotely by an attacker authenticated to a local or domain user group.

 

How do I protect myself?

Microsoft has released a patch to address this vulnerability. Refer to the Microsoft advisory for version-specific downloads.

 

Mitigating factors?

Enabling SMB signing prevents successful exploitation. This demonstrates the benefit of defense in depth, which in this instance neutralized the risk of a zero-day.
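
One way to verify the SMB signing mitigation described above, as an added example that is not part of the original bulletin: this PowerShell audit reads the SMB server signing policy from the registry on each host. The host names are constructed placeholders, and PowerShell remoting (WinRM) access to the targets is assumed.

```powershell
# Added example: audit whether SMB server signing is REQUIRED on each host.
# Host names are constructed placeholders; replace with your own inventory.
$Computers = @('fs01.corp.example', 'app02.corp.example', 'ws-0147.corp.example')

# Runs on each target. Reads the registry value behind the policy
# "Microsoft network server: Digitally sign communications (always)".
# A registry read is used so that older hosts without the SMB cmdlets
# (Server 2008 / 2008 R2) can be audited the same way.
$ReadSigningPolicy = {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    (Get-ItemProperty -Path $key -ErrorAction Stop).RequireSecuritySignature
}

$report = foreach ($computer in $Computers) {
    try {
        $value = Invoke-Command -ComputerName $computer `
            -ScriptBlock $ReadSigningPolicy -ErrorAction Stop

        # Three outcomes: explicitly required, explicitly not required,
        # or value absent (the OS default decides, so flag it for review).
        $status = if ($null -eq $value) { 'REVIEW: value not set, OS default applies' }
            elseif ($value -eq 1) { 'OK: signing required' }
            else { 'FAIL: signing not required' }
    }
    catch {
        # An unreachable host is unknown, not compliant: keep it in the report.
        $value  = $null
        $status = "UNKNOWN: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer                 = $computer
        RequireSecuritySignature = $value
        Status                   = $status
    }
}

# Hosts needing attention sort ahead of the compliant ones.
$report | Sort-Object { $_.Status -like 'OK*' }, Computer | Format-Table -AutoSize

# Remediation on a single host (Windows 8 / Server 2012 and later):
#   Set-SmbServerConfiguration -RequireSecuritySignature $true
# For a fleet, set the Group Policy security option named above instead.
```

Hosts reported as FAIL or REVIEW should be patched first and then brought under a signing policy, since the bulletin lists both as protections.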

 

Additional Resources: