A flaw rooted in the Server Message Block (SMB) protocol of Windows enables attackers to escalate privileges to SYSTEM level on vulnerable Windows devices, potentially granting full control over affected systems.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of this high-severity Windows vulnerability, tracked as CVE-2025-33073.
Details of the CVE-2025-33073 SMB Flaw
CVE-2025-33073 is a privilege escalation vulnerability found in the Windows SMB client, affecting a wide range of Microsoft operating systems, including all Windows Server versions, Windows 10, and Windows 11 up to the 24H2 update. Microsoft disclosed the flaw on June 10, 2025, as part of its Patch Tuesday updates, alongside a security bulletin describing the issue as an improper access control weakness (classified under CWE-284).
The vulnerability allows an authorized attacker to elevate privileges remotely without requiring user interaction, making it especially dangerous. Once exploited, attackers can gain SYSTEM-level privileges, effectively allowing them to take over the targeted device.
How the Exploit Works
The exploitation method involves tricking a victim’s Windows machine into connecting to a malicious SMB server controlled by the attacker. According to Microsoft, “an attacker could execute a specially crafted malicious script to coerce the victim’s machine to connect back to the attack system using SMB and authenticate.” This connection enables the attacker to exploit improper access controls within the SMB protocol, leading to elevated privileges.
In practice, this means that an attacker does not necessarily need direct access to the system but can trigger the vulnerability over the network by luring users to connect to malicious SMB servers. This method amplifies the risk of remote attacks, especially within corporate networks where SMB is widely used for file sharing and communications.
Severity and Impact
The Common Vulnerability Scoring System (CVSS) rates CVE-2025-33073 as an 8.8 (base) with a 7.9 environmental score, indicating a high level of severity. The flaw has the following characteristics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality, Integrity, Availability Impact: High
Given these factors, the vulnerability poses a direct risk to affected Windows systems.
CISA’s Response and Federal Directive
In response to reports of active exploitation, CISA has added CVE-2025-33073 to its Known Exploited Vulnerabilities Catalog. This inclusion triggers a compliance requirement for Federal Civilian Executive Branch (FCEB) agencies, mandating them to patch affected systems by November 10, 2025, as per Binding Operational Directive (BOD) 22-01. This directive aims to reduce the attack surface and protect government infrastructure from escalating cyber threats.
While Microsoft’s original advisory did not confirm active exploitation at the time of patch release, CISA’s statement indicates that threat actors have since begun leveraging this SMB flaw in real-world attacks, highlighting the urgency for organizations to apply security updates promptly.
Researchers Behind the Discovery
Microsoft credited multiple security researchers and firms with uncovering the CVE-2025-33073 vulnerability, underscoring the collaborative nature of cybersecurity discovery. Notable contributors include Keisuke Hirata, Wilfried Bécard, Stefan Walter, Daniel Isern, James Forshaw, RedTeam Pentesting GmbH, Cameron Stish, and Ahamada M’Bamb. Their combined efforts led to the timely identification and remediation of this critical Windows SMB flaw.
CVE-2025-33073 represents a cybersecurity risk for Windows users, given its ability to elevate privileges remotely via the SMB protocol. With confirmed active exploitation by threat actors, organizations, especially those running Windows Server, Windows 10, and Windows 11 systems, are strongly urged to apply Microsoft’s June 2025 patches immediately. Failure to do so could lead to unauthorized SYSTEM-level access and potentially devastating network breaches.
