Microsoft: PoC Released for NTLM reflection bypass Vulnerability that Emanbles SYSTEM Access on Windows Server

Microsoft: PoC Released for NTLM reflection bypass Vulnerability that Emanbles SYSTEM Access on Windows Server

New PoC Exploit Bypasses Microsoft’s Patch for NTLM Reflection Vulnerability (CVE-2025-33073)

Security researchers at Synacktiv have released a proof-of-concept (PoC) exploit that circumvents Microsoft’s mitigation for CVE-2025-33073, a critical NTLM reflection vulnerability enabling local privilege escalation to NT AUTHORITY\SYSTEM on Windows Server. The exploit leverages unaddressed weaknesses in Microsoft’s original patch, which only secured the SMB client path while leaving other protocols and SMB-specific features exposed.

The vulnerability originally allowed attackers to manipulate DNS records or target names by appending base64-encoded "additional target information," tricking the Local Security Authority Subsystem Service (LSASS) into authenticating to an attacker-controlled server. The attacker could then relay the captured NTLM or Kerberos credentials back to the target, gaining SYSTEM-level access.

The new PoC exploits a default Windows feature allowing SMB clients to connect to shares via arbitrary TCP ports. The attack unfolds in two stages:

  1. The attacker sets up a local SMB server on a nonstandard port and mounts a share from the target machine, establishing a persistent TCP connection.
  2. A privileged service (e.g., LSASS) is coerced into accessing the same UNC path, reusing the existing connection. The attacker captures the authentication blobs and relays them to the target’s legitimate SMB service, achieving SYSTEM privileges.

The exploit requires no user interaction and affects Windows Server 2025 in default configurations. Windows 11 24H2 is less vulnerable due to enforced SMB signing. Tools used in the PoC include modified versions of Impacket’s smbserver.py, ntlmrelayx, and PetitPotam.

Microsoft’s incomplete patch highlights broader risks: securing a single protocol (mrxsmb.sys) without addressing authentication coercion or SMB multiplexing leaves residual attack surfaces. Default features like arbitrary SMB ports and connection reuse intended for convenience can facilitate reflection and relay attacks when combined with service-forcing techniques.

Microsoft has issued guidance and additional patches, urging administrators to enforce SMB signing, disable unnecessary services (e.g., WebClient/WebDAV), restrict Active Directory DNS record creation, and apply strict outbound connection controls for privileged services. Unpatched Windows Server 2025 systems remain at elevated risk.

Source: https://gbhackers.com/poc-released-for-ntlm-reflection/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "MIC1782822251",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Windows Server 2025 '
                                              'and Windows 11 24H2',
                        'industry': 'Software / IT Services',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Enterprise',
                        'type': 'Technology Vendor'}],
 'attack_vector': 'NTLM Reflection / SMB Relay',
 'description': 'Security researchers at Synacktiv have released a '
                'proof-of-concept (PoC) exploit that circumvents Microsoft’s '
                'mitigation for CVE-2025-33073, a critical NTLM reflection '
                'vulnerability enabling local privilege escalation to NT '
                'AUTHORITY\\SYSTEM on Windows Server. The exploit leverages '
                'unaddressed weaknesses in Microsoft’s original patch, which '
                'only secured the SMB client path while leaving other '
                'protocols and SMB-specific features exposed. The '
                'vulnerability allowed attackers to manipulate DNS records or '
                "target names by appending base64-encoded 'additional target "
                "information,' tricking LSASS into authenticating to an "
                'attacker-controlled server. The new PoC exploits a default '
                'Windows feature allowing SMB clients to connect to shares via '
                'arbitrary TCP ports, achieving SYSTEM privileges without user '
                'interaction.',
 'impact': {'operational_impact': 'Local privilege escalation to NT '
                                  'AUTHORITY\\SYSTEM',
            'systems_affected': 'Windows Server 2025 (default configurations), '
                                'Windows 11 24H2 (less vulnerable)'},
 'lessons_learned': 'Microsoft’s incomplete patch highlights risks of securing '
                    'a single protocol without addressing authentication '
                    'coercion or SMB multiplexing. Default features like '
                    'arbitrary SMB ports and connection reuse can facilitate '
                    'reflection and relay attacks when combined with '
                    'service-forcing techniques.',
 'motivation': 'Security Research / Proof of Concept',
 'post_incident_analysis': {'corrective_actions': 'Apply additional patches, '
                                                  'enforce SMB signing, '
                                                  'disable unnecessary '
                                                  'services, and implement '
                                                  'strict outbound connection '
                                                  'controls.',
                            'root_causes': 'Unaddressed weaknesses in '
                                           'Microsoft’s original patch for '
                                           'CVE-2025-33073, including '
                                           'incomplete protocol coverage and '
                                           'reliance on default SMB features '
                                           '(e.g., arbitrary TCP ports, '
                                           'connection reuse).'},
 'recommendations': 'Enforce SMB signing, disable unnecessary services (e.g., '
                    'WebClient/WebDAV), restrict Active Directory DNS record '
                    'creation, and apply strict outbound connection controls '
                    'for privileged services.',
 'references': [{'source': 'Synacktiv Research'}],
 'response': {'containment_measures': 'Enforce SMB signing, disable '
                                      'unnecessary services (e.g., '
                                      'WebClient/WebDAV), restrict Active '
                                      'Directory DNS record creation, apply '
                                      'strict outbound connection controls for '
                                      'privileged services',
              'remediation_measures': 'Microsoft issued additional patches and '
                                      'guidance'},
 'threat_actor': 'Synacktiv (Researchers)',
 'title': 'New PoC Exploit Bypasses Microsoft’s Patch for NTLM Reflection '
          'Vulnerability (CVE-2025-33073)',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'CVE-2025-33073'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.