Critical Windows SMB vulnerability being actively exploited in attacks

The United States' Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a security vulnerability in the Windows SMB client. The flaw, tracked as CVE-2025-33073, lets an attacker elevate privileges to SYSTEM, the highest level of access on a Windows host.

All Windows versions affected

Every version of Windows Server, along with Windows 10 and Windows 11 up to and including version 24H2, is affected. Microsoft fixed the issue in its June 2025 Patch Tuesday release and published an advisory with the technical details at that time.

The root cause is improper access control, which lets an attacker who already holds valid credentials on the network elevate privileges over the network. The flaw cannot be triggered purely remotely: exploitation requires that the victim machine be induced to connect to a server under the attacker's control.

How the attack works

Microsoft's advisory states that "an attacker could entice a victim to connect to a malicious application controlled by the attacker, such as an SMB server." Once the client connects, the malicious server can abuse the authentication that takes place over that connection.

In practical terms, the attacker uses a specially crafted script, or any other means of coercing an outbound SMB connection, to make the victim's machine connect to the attacker's host and authenticate via SMB. The attacker then leverages that coerced authentication to gain SYSTEM privileges on the victim.
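Because the attack depends on the victim authenticating over SMB to a host the attacker controls, two things matter on the defender's side: whether the June 2025 update is installed, and whether the host requires SMB signing, which is the standard hardening against relayed or reflected SMB authentication. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes it is run as Administrator on a Windows 10/11 or Windows Server host where the built-in SmbShare cmdlets are available, and its patch check uses install dates rather than KB numbers because those differ per build.

```powershell
# Added example (not from the article or from Microsoft): audit and harden a
# Windows host against the coerced-SMB-authentication vector described above.
# Assumptions: run as Administrator; Get-/Set-SmbClientConfiguration and
# Get-/Set-SmbServerConfiguration are available (built in on supported Windows).

# 1. Report whether this host requires SMB signing as client and as server.
function Get-SmbSigningStatus {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ClientRequiresSigning = $client.RequireSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
    }
}

# 2. Enforce signing in both directions. Requiring signing on the server side
#    is what stops an attacker from replaying a victim's coerced SMB
#    authentication against that victim's own SMB service; client-side
#    enforcement is defence in depth for connections this host initiates.
function Enable-SmbSigningEnforcement {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# 3. Coarse patch check: has any update dated on or after the June 2025
#    Patch Tuesday (10 June 2025) been installed? KB numbers vary per build,
#    so this deliberately looks at dates rather than hard-coded identifiers.
function Test-PatchedSinceJune2025 {
    $cutoff = Get-Date -Year 2025 -Month 6 -Day 10
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
        Sort-Object InstalledOn -Descending
    [pscustomobject]@{
        PatchedSinceCutoff = [bool]$recent
        LatestHotFixID     = if ($recent) { $recent[0].HotFixID } else { $null }
        LatestInstalledOn  = if ($recent) { $recent[0].InstalledOn } else { $null }
    }
}

Get-SmbSigningStatus
Test-PatchedSinceJune2025
# Uncomment to apply the hardening on this host:
# Enable-SmbSigningEnforcement
```

On a domain, the same settings are normally pushed through Group Policy ("Microsoft network server: Digitally sign communications (always)" and the matching client policy) rather than set per host. Note that a host showing PatchedSinceCutoff as true is not proof that the specific cumulative update containing the CVE-2025-33073 fix is present; confirm the installed build against Microsoft's advisory for that OS version.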

Information already public before patch

Notably, information about this vulnerability was already public when the patch shipped. Microsoft has not yet confirmed in-the-wild exploitation of CVE-2025-33073, but CISA is operating on the assumption that such attacks are under way.

Discovery of the vulnerability is credited to several security researchers: Keisuke Hirata of CrowdStrike, Wilfried Bécard of Synacktiv, Stefan Walter of SySS GmbH, James Forshaw of Google Project Zero, and RedTeam Pentesting GmbH.

Federal agencies must patch by November 10

CISA has now added CVE-2025-33073 to its Known Exploited Vulnerabilities (KEV) catalog, which under Binding Operational Directive 22-01 requires U.S. federal agencies to remediate it by November 10, 2025. The directive binds only federal entities, but CISA strongly urges private-sector companies and other organizations to close the gap promptly as well.

“Such vulnerabilities are frequently used as attack vectors by malicious cyber actors and pose significant risks,” CISA cautioned on Monday. The agency has not yet disclosed details regarding specific attacks related to this vulnerability.

Organizations running affected systems should prioritize installing the security updates Microsoft released in June 2025 if they have not already done so.

Winsage