Full Report
CISA says threat actors are now actively exploiting a high-severity Windows SMB privilege escalation vulnerability that can let them gain SYSTEM privileges on unpatched systems. [...]
Analysis Summary
# Vulnerability: Windows SMB Privilege Escalation Vulnerability Under Active Exploitation
## CVE Details
- CVE ID: CVE-2025-33073
- CVSS Score: Not explicitly mentioned, but described as **High-severity**
- CWE: Improper Access Control (Implied)
## Affected Systems
- Products: Windows Server, Windows 10, Windows 11
- Versions: All Windows Server versions, Windows 10 versions, and Windows 11 systems up to Windows 11 24H2.
- Configurations: Any unpatched system running the affected versions.
## Vulnerability Description
This is a high-severity vulnerability residing within the Windows Server Message Block (SMB) protocol. It stems from an improper access control weakness. An attacker can exploit this flaw by coercing a victim machine to connect back to an attacker-controlled SMB malicious server. Upon connection, the server can execute a specially crafted malicious script, leading to **Elevation of Privilege (EoP) to the SYSTEM account** over the network.
## Exploitation
- Status: **Actively exploited in the wild** (Confirmed by CISA)
- Complexity: Not explicitly stated, but network-based EoP attacks often range from Medium to High based on prerequisites.
- Attack Vector: **Network** (Requires the victim to connect to an attacker-controlled SMB server).
## Impact
- Confidentiality: [Not specified, but likely High due to SYSTEM access]
- Integrity: [Not specified, but likely High due to SYSTEM access]
- Availability: [Not specified, but likely High due to SYSTEM access]
## Remediation
### Patches
- Microsoft released a patch for CVE-2025-33073 during the **June 2025 Patch Tuesday**.
- Immediate application of all relevant security updates is required.
### Workarounds
- No specific technical workarounds were detailed in this summary, beyond applying the patch.
## Detection
- **Indicators of Compromise:** Focus on network connections initiated by vulnerable systems to untrusted or external SMB servers, particularly preceding system compromise events.
- **Detection Methods and Tools:** Monitor network traffic targeting SMB protocols for anomalous connections seeking authentication against suspicious endpoints. Refer to vendor advisories for specific IoCs if released.
## References
- Vendor Advisory: msrcl.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073
- CISA KEV Catalog Update: cisa.gov/news-events/alerts/2025/10/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
- Microsoft Patch Overview: bleepingcomputer.com/news/microsoft/microsoft-june-2025-patch-tuesday-fixes-exploited-zero-day-66-flaws/