On October 20, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity Windows SMB vulnerability (tracked as CVE-2025-33073) to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation.
Microsoft released a patch for the issue in June 2025, but because attackers are using the flaw in real incidents, organizations that haven’t updated or hardened SMB settings remain at risk.
The vulnerability, rated with a CVSS score of around 8.8, affects the Windows SMB client. It stems from improper access control, allowing attackers to trigger unauthorized SMB connections to servers they control. Once established, those connections can be abused to relay or reflect authentication data, a technique that can lead to privilege escalation if SMB signing is not enforced.
By adding CVE-2025-33073 to its KEV list, CISA confirmed that the flaw is being used in the wild. Federal agencies are required to apply Microsoft’s patch or otherwise mitigate the issue by November 10, 2025. The agency also urged private organizations to treat the deadline as a critical benchmark, warning that the exploitation activity poses an ongoing risk to unpatched Windows systems.
Security researchers describe the exploitation pattern as a form of credential relay, in which attackers coerce a vulnerable Windows machine into authenticating against a malicious SMB server.
The technique can expose administrative credentials or system-level access, depending on the target’s network configuration.
Administrators are advised to confirm that the June 2025 cumulative update has been installed across all Windows clients and servers, enforce SMB signing on both ends, and block SMB traffic to untrusted networks.
Monitoring for unusual SMB activity (especially unsigned connections or unexpected access to administrative shares) can also help detect potential compromise.
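The checks above (patch present, signing required on client and server, outbound SMB restricted, unsigned or administrative-share connections surfaced) can be audited from one elevated PowerShell session. The script below is an added example written for this article; it is not code from the article, Microsoft or CISA. It assumes Windows 10/11 or Server 2016 or later with the SmbShare and NetSecurity modules, uses the Public firewall profile as a stand-in for "untrusted networks", and takes the KB number of the June 2025 cumulative update as a placeholder you must fill in, since the article does not name it.

```powershell
<#
 Added example, not part of the original article. Audits (and with -Enforce,
 applies) the SMB hardening the advisory recommends. Assumptions: run as
 Administrator on Windows 10/Server 2016+; $JuneUpdateKB is a placeholder for
 the KB that ships the CVE-2025-33073 fix; "untrusted" is mapped to the
 Public firewall profile.
#>
[CmdletBinding()]
param(
    [switch]$Enforce,                          # without -Enforce the script only audits
    [string]$JuneUpdateKB = 'KB<placeholder>'  # replace with the June 2025 update's KB id
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the cumulative update that carries the fix installed on this host?
if (-not (Get-HotFix -Id $JuneUpdateKB -ErrorAction SilentlyContinue)) {
    $findings.Add("Update $JuneUpdateKB not found; install the June 2025 cumulative update.")
}

# 2. The SMB client must *require* signing (not merely enable it); otherwise a
#    coerced outbound connection can still have its authentication relayed.
$client = Get-SmbClientConfiguration
if (-not $client.RequireSecuritySignature) {
    $findings.Add('SMB client does not require signing.')
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 3. Same on the server side, so relayed sessions are rejected there as well.
$server = Get-SmbServerConfiguration
if (-not $server.RequireSecuritySignature) {
    $findings.Add('SMB server does not require signing.')
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

# 4. Block outbound SMB (TCP 445) toward untrusted networks. The Public profile
#    is the assumption here; scope with -RemoteAddress if your layout differs.
$ruleName = 'Block outbound SMB to untrusted networks (CVE-2025-33073)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings.Add('No outbound TCP/445 block rule for the Public profile.')
    if ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Public | Out-Null
    }
}

# 5. Point-in-time detection: live outbound SMB connections that are unsigned
#    or that target administrative shares (ADMIN$, C$, D$ ...). IPC$ is left
#    out because almost every normal connection opens it.
$suspect = Get-SmbConnection | Where-Object {
    (-not $_.Signed) -or ($_.ShareName -match '^(ADMIN\$|[A-Za-z]\$)$')
}
foreach ($c in $suspect) {
    $findings.Add(('Outbound SMB: \\{0}\{1} as {2} signed={3} dialect={4}' -f
        $c.ServerName, $c.ShareName, $c.UserName, $c.Signed, $c.Dialect))
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: update present, signing required, outbound SMB restricted.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it without switches first to see what would change, then with `-Enforce` once the firewall scope matches your network. The connection listing is a snapshot; for continuous coverage, forward the same conditions (unsigned sessions, administrative-share access from unexpected clients) to your SIEM rather than relying on a one-off run.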
CISA’s advisory shows a familiar pattern: vulnerabilities patched months earlier often resurface once attackers find practical ways to exploit them. The agency’s public confirmation that CVE-2025-33073 is under active attack signals that the time for optional patching has passed; remediation is now a matter of urgency.