In June 2025, Microsoft addressed **CVE-2025-33073**, a critical **SMB (Server Message Block) vulnerability** affecting older versions of **Windows 10, Windows 11, and Windows Server**. The flaw, stemming from **improper access controls**, allows attackers to execute a **malicious script** that coerces a victim’s machine to authenticate with an attacker-controlled system via SMB, potentially granting **system-level privileges**.The vulnerability was added to **CISA’s Known Exploited Vulnerabilities (KEV) list** in October 2025, confirming active exploitation. While Microsoft released a patch in June, unpatched systems remain at risk. The bug’s **CVSS score of 8.8** underscores its severity, as successful exploitation could lead to **unauthorized access, lateral movement within networks, or full system compromise**.Mitigations include **applying the June 2025 Patch Tuesday update**, monitoring for **unusual outbound SMB traffic**, and **restricting SMB exposure to trusted networks**. Researchers from **Google’s Project Zero, CrowdStrike, and Vicarius** contributed to its discovery, with Vicarius providing a **detection script** to assess vulnerability status and SMB signing configuration.Failure to patch exposes organizations to **privilege escalation, data breaches, or network infiltration**, though no confirmed large-scale breaches have been reported yet. The risk is heightened for enterprises relying on **legacy Windows systems** or those with **unrestricted SMB protocols**.
TPRM report: https://www.rankiteo.com/company/microsoft
"id": "mic2692126102225",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "6/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'Users of unpatched Windows '
'10/11 and Windows Server '
'systems',
'industry': 'Technology',
'location': 'Redmond, Washington, USA',
'name': 'Microsoft',
'size': 'Large (Global)',
'type': 'Corporation'}],
'attack_vector': ['Network', 'SMB Protocol Abuse', 'Script-Based Coercion'],
'customer_advisories': 'Users advised to patch systems and restrict SMB '
'exposure.',
'date_publicly_disclosed': '2025-10-20',
'date_resolved': '2025-06-00',
'description': 'Microsoft acknowledged a vulnerability (CVE-2025-33073, CVSS '
'score 8.8) in older versions of Windows 10, Windows 11, and '
'Windows Server related to improper access controls in SMB '
'(Server Message Block). The flaw allows attackers to execute '
'a crafted malicious script, coercing victim machines to '
'authenticate via SMB, potentially granting system-level '
"privileges. The vulnerability was added to CISA's KEV list on "
'October 20, 2025, with evidence of active exploitation. '
"Microsoft released a fix in June 2025's Patch Tuesday update. "
'Users are advised to apply updates, monitor outbound SMB '
'traffic, and restrict SMB exposure to trusted networks.',
'impact': {'brand_reputation_impact': 'Moderate (associated with unpatched '
'systems and active exploitation)',
'operational_impact': 'Potential system-level privilege '
'escalation; unauthorized access to shared '
'files/printers',
'systems_affected': ['Windows 10 (older versions)',
'Windows 11 (older versions)',
'Windows Server (older versions)']},
'initial_access_broker': {'entry_point': 'SMB protocol (via script coercion)'},
'investigation_status': 'Ongoing (evidence of exploitation confirmed; no '
'attribution)',
'lessons_learned': 'Proactive patch management is critical to mitigate known '
'exploited vulnerabilities. Restricting protocol exposure '
'(e.g., SMB) and monitoring anomalous traffic can reduce '
'attack surfaces.',
'post_incident_analysis': {'corrective_actions': ['Microsoft patch release',
'CISA KEV listing for '
'visibility',
'Public detection tools '
'(Vicarius)'],
'root_causes': ['Improper access controls in SMB '
'implementation',
'Delayed patch application by '
'end-users']},
'recommendations': ['Immediately apply June 2025 Patch Tuesday updates (or '
'later) for Windows systems.',
'Enable SMB signing to prevent relay attacks.',
'Restrict SMB to trusted networks only (e.g., via '
'firewall rules).',
'Monitor outbound SMB traffic for signs of coercion '
'attempts.',
'Use detection scripts (e.g., Vicarius) to identify '
'vulnerable systems.',
'Follow CISA KEV catalog for prioritized patching '
'guidance.'],
'references': [{'source': 'TechRadar', 'url': 'https://www.techradar.com'},
{'date_accessed': '2025-10-20',
'source': 'CISA KEV Catalog',
'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog'},
{'source': 'Vicarius Detection Script'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA KEV Catalog '
'(added 2025-10-20)']},
'response': {'communication_strategy': ['CISA KEV listing',
'TechRadar advisory',
'Vicarius detection script'],
'containment_measures': ['Patch deployment (June 2025 Patch '
'Tuesday)',
'SMB traffic monitoring'],
'enhanced_monitoring': 'Monitor outbound SMB traffic',
'incident_response_plan_activated': 'Yes (Microsoft patch '
'release)',
'network_segmentation': 'Recommended (restrict SMB exposure)',
'remediation_measures': ['Apply security updates',
'Enable SMB signing',
'Restrict SMB to trusted networks'],
'third_party_assistance': ['CrowdStrike',
'Google Project Zero',
'Vicarius (detection script)']},
'stakeholder_advisories': ['CISA KEV notification',
'Microsoft security update guidance'],
'title': 'CVE-2025-33073: Windows SMB Vulnerability Exploited in the Wild',
'type': ['Vulnerability Exploitation',
'Privilege Escalation',
'Remote Code Execution'],
'vulnerability_exploited': 'CVE-2025-33073 (Improper Access Control in SMB)'}