Share
## https://sploitus.com/exploit?id=67F637FC-5651-557F-9948-A2BFAA8982D4
# CVE-2025-33073 โ€” Windows SMB Client NTLM Reflection EoP

[![CVE](https://img.shields.io/badge/CVE-2025--33073-red.svg)](https://vulners.com/cve/CVE-2025-33073)
[![Impact](https://img.shields.io/badge/impact-Elevation%20of%20Privilege-orange.svg)](https://nvd.nist.gov/vuln/detail/CVE-2025-33073)
[![CWE](https://img.shields.io/badge/CWE-284-blue.svg)](https://cwe.mitre.org/data/definitions/284.html)
[![CISA KEV](https://img.shields.io/badge/CISA-KEV%20listed-darkred.svg)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
[![Status](https://img.shields.io/badge/exploited-in%20the%20wild-critical.svg)](#)

> Research writeup by **Sentinel AI Defense**. Defensive analysis only โ€” no working exploit
> or PoC is published here.

An improper access control flaw in the Windows SMB Client that revives NTLM reflection techniques
thought to be mitigated โ€” letting an attacker coerce a host into reflecting a high-privilege auth
context back at itself and elevate to `NT AUTHORITY\SYSTEM`.

๐Ÿ“„ Full writeup: https://sentinelaidefense.com/posts/cve-2025-33073-smb-reflection.html

---

## Overview

CVE-2025-33073 is an improper access control vulnerability (CWE-284) in the Windows SMB Client. It
allows an authenticated attacker to elevate privileges to `NT AUTHORITY\SYSTEM` over a network by
abusing flaws in how the client handles coerced authentication and target name validation
(particularly with marshaled DNS records and NTLM reflection).

The issue effectively revives certain NTLM reflection techniques that were previously considered
mitigated. It was patched by Microsoft in the **June 2025** security updates and later added to the
CISA KEV catalog due to confirmed active exploitation.

## Affected Versions

Affects multiple Windows client and server editions, including:

- Windows 10
- Windows 11 (up to 24H2)
- Windows Server 2016โ€“2025 (various builds)

The vulnerability requires the target to be domain-joined or in an environment where SMB signing is
not enforced on the client side. Patches are available via the June 2025 Patch Tuesday.

## Technical Breakdown (Root Cause)

The root cause lies in the SMB client's (`mrxsmb.sys`) handling of authentication context
initialization and target name validation during coerced SMB connections.

When an attacker coerces a victim machine (e.g., via UNC path, LLMNR/NBNS poisoning, or tools like
PetitPotam) to connect to a malicious SMB server, the client performs NTLM/Kerberos authentication.
Due to improper validation of marshaled target information in DNS records, the client can be tricked
into treating the remote connection as a local one. This leads to reflection of the authentication
context (including high-privilege tokens such as from `lsass.exe` running as SYSTEM) back to the local
system.

The flaw bypasses previous NTLM reflection mitigations when SMB signing is not enforced. Researchers
described it as enabling authenticated remote code execution as SYSTEM in many practical scenarios.

## Attack Chain

1. Attacker coerces the victim host (often `lsass.exe` or another high-priv process) to initiate an
   SMB connection to attacker-controlled infrastructure (e.g., via malicious link, WebDAV, or name
   resolution poisoning).
2. Malicious SMB server manipulates the authentication flow and target name.
3. The Windows SMB client reflects the authentication (NTLM or Kerberos ticket) in a way that allows
   local impersonation.
4. Attacker achieves SYSTEM-level privileges on the target, enabling credential dumping, lateral
   movement, or further compromise.

Exploitation often combines with existing tools for coercion and relay. Public PoCs appeared after the
patch, with active exploitation confirmed later in 2025.

## Detection Guidance

- Monitor for unusual SMB client connections (especially coerced ones) to external or suspicious
  hosts.
- Look for anomalous NTLM authentication attempts, reflection patterns, or use of marshaled target
  information in DNS/SMB traffic.
- Detect processes (e.g., `lsass`) initiating outbound SMB connections unexpectedly.
- Endpoint detection for privilege escalation indicators following SMB activity.
- Network signatures for known coercion techniques (PetitPotam-like) combined with SMBv1/v2/v3 traffic
  lacking signing.

Enforcing SMB signing significantly raises the bar for exploitation.

## Indicators of Compromise

- Malicious UNC paths or links triggering SMB connections.
- DNS records with specific marshaled target information used in reflection attacks.
- Command lines or scripts associated with coercion tools (e.g., variants of PetitPotam).
- Post-exploitation indicators: SAM hive dumps, SYSTEM-level process creation shortly after SMB
  activity.

Consult Microsoft advisories and CISA KEV for updated hashes and network indicators.

## Mitigation

- Apply the **June 2025** Windows security updates immediately.
- **Enforce SMB signing** on both client and server sides across the environment
  (Group Policy: *"Microsoft network client/server: Digitally sign communications (always)"*).
- Disable or restrict unnecessary name resolution protocols (LLMNR, NBT-NS) and implement mitigations
  like WPAD protection.
- Limit exposure of high-privilege processes to coerced authentication.
- Use network segmentation and monitor for SMB traffic anomalies.
- Consider application control and Credential Guard features where applicable.

This vulnerability highlights the ongoing risks in environments without strict SMB signing policies.

## References

- Microsoft MSRC advisory for CVE-2025-33073
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33073
- CISA Known Exploited Vulnerabilities Catalog

## Disclaimer

This repository is published for **defensive and educational purposes only**. It contains analysis,
detection logic, and mitigation guidance. No functional exploit code is provided. Use this
information only on systems you are authorized to test and defend.

---

Maintained by Sentinel AI Defense ยท
Findings shared responsibly under coordinated disclosure.