CVE-2025-33073 — Microsoft Windows SMB Client Improper Access Control Vulnerability

Microsoft Windows — SMB Client Coercion Attack; Credential Relay / Privilege Escalation via Malicious Script

What is Windows SMB Client Authentication Coercion?

Server Message Block (SMB) is the Windows file-sharing and authentication protocol. Windows systems automatically authenticate to SMB servers they connect to, presenting their NTLM hash or Kerberos ticket. Attackers can exploit this behavior to coerce a victim machine into initiating an SMB connection to an attacker-controlled server — capturing the NTLM hash for relay attacks or offline cracking. This class of attack (SMB coercion/relay) has been used for decades and remains relevant because Windows automatically handles SMB authentication without user confirmation.

Overview

CVE-2025-33073 is an improper access control (CWE-284) vulnerability in the Windows SMB Client that allows an attacker with low-level network access to coerce a victim machine into connecting to an attacker-controlled SMB server. The coercion is triggered by executing a specially crafted malicious script — once a low-privilege attacker can run code on the victim's machine or interact with it via network, they can trigger the SMB authentication to relay or capture the victim's credentials, enabling privilege escalation.

Affected Versions

Product                                   Vulnerable                           Fixed
Windows 10 / 11 (all supported versions)  Before June 2025 cumulative update   June 2025 cumulative update
Windows Server 2019–2025                  Before June 2025 cumulative update   June 2025 cumulative update

Technical Details

The vulnerability is an improper access control (CWE-284) in the Windows SMB Client that allows an attacker-controlled script to trigger SMB authentication against an attacker-specified server. The "script" referenced can be a PowerShell script, batch file, or Office macro that a low-privilege user executes or is tricked into executing.

When the victim machine connects to the attacker's SMB server, it automatically authenticates using NTLM (or Kerberos if applicable). The attacker captures the NTLM hash and either:

  • Relays it in real-time to another service (SMB relay, LDAP relay) to authenticate as the victim user
  • Cracks it offline to recover the plaintext password

SMB relay is particularly effective if SMB signing is not enforced on target servers, and NTLM hash relay to LDAP can enable domain account enumeration or modification.

Discovery

Patched in June 2025 Patch Tuesday; active exploitation confirmed per CISA KEV addition in October 2025.

Exploitation Context

CISA added this to the KEV catalog on October 20, 2025 — four months after the patch, confirming ongoing exploitation in the wild against unpatched systems. SMB coercion techniques (Responder, PetitPotam, PrinterBug, etc.) are standard tools in red team and ransomware pre-deployment lateral movement phases. No specific threat actor was named.

Remediation

  1. Apply the June 2025 cumulative update for your Windows version. The CISA deadline was November 10, 2025.
  2. Enforce SMB signing on all domain controllers and member servers — this prevents NTLM relay even if coercion is successful.
  3. Block outbound SMB (TCP 445) to the internet at the perimeter firewall — victim machines should not be able to connect to external SMB servers.
  4. Disable NTLM authentication where Kerberos is available, or restrict NTLM using Group Policy (Network Security: Restrict NTLM).
  5. Monitor for NTLM authentication events from unexpected source machines to internal servers (Event ID 4624 Type 3 NTLM logons from unusual sources).
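The following audit script is an added example, not part of the advisory or of any Microsoft guidance: run in an elevated PowerShell session on a domain member, it checks items 2 to 5 above (SMB signing enforcement, an outbound TCP 445 block rule, the Restrict NTLM outgoing policy, and recent NTLM network logons from sources outside an allow-list). The lookback window and the allow-list of hosts expected to use NTLM are constructed values for the example.

```powershell
# Added example (not from the advisory). Audits one host against remediation items 2-5.
$LookbackHours    = 24                        # assumption: how far back to scan the Security log
$KnownNtlmSources = @('10.0.0.5', '10.0.0.6')  # constructed: hosts expected to use NTLM network logons
$findings = New-Object System.Collections.Generic.List[string]

# Item 2: signing must be *required*, not merely enabled, or a relayed session is still accepted.
$srv = Get-SmbServerConfiguration
if (-not $srv.RequireSecuritySignature) {
    $findings.Add('SMB server does not require signing (Set-SmbServerConfiguration -RequireSecuritySignature $true)')
}
$cli = Get-SmbClientConfiguration
if (-not $cli.RequireSecuritySignature) {
    $findings.Add('SMB client does not require signing (Set-SmbClientConfiguration -RequireSecuritySignature $true)')
}

# Item 3: look for an enabled outbound firewall rule that blocks TCP 445.
$block445 = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.RemotePort -contains '445' -or $pf.RemotePort -eq 'Any')
    }
if (-not $block445) { $findings.Add('No enabled outbound firewall rule blocks TCP 445') }

# Item 4: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" is stored under
# MSV1_0 as RestrictSendingNTLMTraffic (0 = allow all, 1 = audit all, 2 = deny all).
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $restrict -or $restrict -eq 0) {
    $findings.Add('Outgoing NTLM traffic is neither audited nor denied (RestrictSendingNTLMTraffic)')
}

# Item 5: 4624 events with LogonType 3 and AuthenticationPackageName NTLM whose source IP is not allow-listed.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM' -and
            $KnownNtlmSources -notcontains $d.IpAddress) {
            [pscustomobject]@{ Source = $d.IpAddress; User = $d.TargetUserName; Time = $_.TimeCreated }
        }
    } | Group-Object Source | ForEach-Object {
        $users = ($_.Group.User | Sort-Object -Unique) -join ', '
        $findings.Add("NTLM network logons from unexpected source $($_.Name): $($_.Count) in last $LookbackHours h (users: $users)")
    }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A source that appears here with many distinct users in a short window is the pattern a relay against this host would produce; confirm it against the 4624 WorkstationName field before treating the logon as legitimate.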

Key Details

Property              Value
CVE ID                CVE-2025-33073
Vendor / Product      Microsoft — Windows
NVD Published         2025-06-10
NVD Last Modified     2025-10-27
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-284
CISA KEV Added        2025-10-20
CISA KEV Deadline     2025-11-10
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-11-10. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-06-10  Patched in June 2025 Patch Tuesday
2025-10-20  Added to CISA Known Exploited Vulnerabilities catalog
2025-11-10  CISA BOD 22-01 remediation deadline