CVE-2025-33073

HIGH KEV

Windows SMB - Authenticated Privilege Escalation via Improper Access Control

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-33073 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 20, 2025. EIP tracks 12 public exploits from researchers including Mohammed Idrees Banyamer, mverschu, uziii2208.

AI-analyzed exploit summary The public PoCs all implement the same NTLM reflection chain against the Windows SMB client. From any low-privileged domain account the attacker (1) registers a DNS A record that points at the relay host, which AD-integrated DNS permits to authenticated users by default, with a name that embeds marshalled target information; (2) coerces the victim into authenticating to that name with an RPC coercion primitive (PetitPotam, PrinterBug, DFSCoerce); and (3) relays the victim's own machine-account NTLM authentication straight back to the victim's SMB service with impacket-ntlmrelayx. Because lsass derives the authentication target from the marshalled data rather than the real destination, the check that normally stops a host from authenticating to itself is bypassed, and the relayed session runs as SYSTEM on the victim. The chain fails wherever the target requires SMB signing. Typical tooling: samba-tool or dnstool.py for the DNS record, impacket-ntlmrelayx for the relay.
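As an added illustration (not code from any of the PoCs listed on this page), the following Python scans an export of AD-integrated DNS records for names shaped like the marshalled-target-information trick the summary describes. It assumes the export is a list of (label, creating account, address) tuples; the sample zone is constructed, and its long label is a stand-in, not a real marshalled blob. The checks are heuristics: a legitimate host label obeys the 63-character letters/digits/hyphen rule, so a long base64-looking label created by an ordinary user account is the kind of record worth pulling and inspecting.

```python
import re

# Hostname labels follow the LDH rule (letters, digits, hyphen) and are at most
# 63 characters (RFC 1035 / RFC 1123). A record name that carries marshalled
# target information is far longer than that and looks like a base64 blob, so
# the shape checks below are a cheap first-pass filter over a zone export.
LDH_CHARSET = re.compile(r"^[A-Za-z0-9-]+$")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}")


def name_findings(label: str) -> list[str]:
    """Shape checks on a single DNS label (zone suffix already stripped)."""
    findings = []
    if len(label) > 63:
        findings.append("label longer than 63 characters")
    if not LDH_CHARSET.match(label):
        findings.append("characters outside letters/digits/hyphen")
    if BASE64_RUN.search(label):
        findings.append("base64-looking run of 32+ characters")
    return findings


def scan_zone(records, trusted_owners=frozenset()):
    """records: iterable of (label, owner, address) tuples, where owner is the
    sAMAccountName that created the dnsNode (computer accounts end in '$').
    Only records with a name-shape anomaly are reported; the owner check adds
    context, since dynamic updates normally come from the host's own account
    or from a known DNS administration account passed in trusted_owners."""
    hits = []
    for label, owner, address in records:
        findings = name_findings(label)
        if not findings:
            continue
        if not owner.endswith("$") and owner not in trusted_owners:
            findings.append(f"created by user account {owner}")
        hits.append({"name": label, "address": address, "reasons": findings})
    return hits


# Constructed sample export: three ordinary records and one stand-in for a
# record registered by a low-privileged user with an over-long, blob-like name.
SAMPLE_ZONE = [
    ("dc01", "DC01$", "10.0.0.10"),
    ("ws-fin-04", "WS-FIN-04$", "10.0.5.44"),
    ("intranet", "svc_dns", "10.0.0.30"),
    ("srv1" + "ABCDEFGH" * 20, "jdoe", "10.0.9.99"),
]

if __name__ == "__main__":
    for hit in scan_zone(SAMPLE_ZONE, trusted_owners={"svc_dns"}):
        print(hit["name"][:40] + "...", hit["address"], "; ".join(hit["reasons"]))
```

The same heuristics apply to the output of `dnstool.py` or `samba-tool dns query`; records that trip them should be compared against the creating account's normal rights and, where the name resolves to a host that is not a domain member, removed.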

Description

Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.

Exploits (12)

exploitdb WORKING POC
by Mohammed Idrees Banyamer · python · remote · windows
https://www.exploit-db.com/exploits/52330

This PoC chains DNS record registration (samba-tool dns add), NTLM relay (impacket-ntlmrelayx) and RPC coercion of the victim to reflect the victim's own machine-account authentication back onto it, yielding SYSTEM-level command execution on the target. It needs an authenticated domain user and a target that does not require SMB signing.

Classification
Working Poc 95%
Attack Type
Rce | Lpe
Complexity
Complex
Reliability
Reliable
Target: Windows 11 (22H2, 23H2, 24H2), Windows Server 2022/2019, Windows 10 (1507-22H2)
Auth required
Prerequisites: Authenticated domain user · Ability to create a DNS record in the AD-integrated zone (allowed to authenticated users by default) · SMB signing not required on the target · No Extended Protection for Authentication (EPA)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
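One way to check the "SMB signing not required" prerequisite offline, as an added example that is not part of the PoC above: parse the SecurityMode field of an SMB2 NEGOTIATE response, which is the same field ntlmrelayx and nxc inspect when they decide whether a host is a usable relay target. The builder below only constructs sample responses so the parser can run without a live server; the field layout follows the SMB2 header and NEGOTIATE response from MS-SMB2 (sections 2.2.1 and 2.2.4).

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response (64-byte header + 64-byte fixed body).
    Only used here to produce sample input; no real server is involved."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,      # magic, size, credit charge, status, command, credits
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0,     # flags, next cmd, msg id, reserved, tree id, session id
        b"\x00" * 16,                                  # signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x00" * 16,   # size, security mode, dialect, ctx count, server GUID
        0x2F, 0x800000, 0x800000, 0x800000,            # capabilities, max transact/read/write
        0, 0, 128, 0, 0,                               # system time, start time, sec buf offset/len, ctx offset
    )
    return header + body


def parse_negotiate_signing(packet: bytes) -> dict:
    """Return the signing posture advertised in an SMB2 NEGOTIATE response.
    Accepts the raw SMB2 message or one wrapped in a 4-byte NetBIOS session header."""
    if len(packet) >= 8 and packet[0] == 0 and packet[4:8] == SMB2_MAGIC:
        packet = packet[4:]                             # strip NetBIOS session header
    if len(packet) < 128 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    _, hdr_size, _, status, command, _, flags = struct.unpack_from("<4sHHIHHI", packet, 0)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE body size")
    return {
        "dialect": f"0x{dialect:04x}",
        "status": status,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        # relaying or reflecting NTLM onto this host only works while signing is optional
        "relay_target_candidate": not security_mode & SIGNING_REQUIRED,
    }


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(parse_negotiate_signing(build_negotiate_response(mode)))
```

Against a real host the bytes come from the server's reply to the client's NEGOTIATE request on TCP 445; a captured response can be fed to `parse_negotiate_signing` unchanged. Enforcing `RequireSecuritySignature` on the server side turns the second sample into what every domain member should report.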
nomisec WORKING POC 677 stars
by mverschu · remote-auth
https://github.com/mverschu/CVE-2025-33073

This PoC exploits CVE-2025-33073 by combining DNS manipulation (dnstool.py), NTLM relay (ntlmrelayx), and coercion techniques (PetitPotam) to achieve authentication bypass and potential privilege escalation in Active Directory environments. It automates the attack chain by adding malicious DNS records, relaying NTLM authentication, and triggering coercion via SMB.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Complex
Reliability
Reliable
Target: Microsoft Active Directory (specific version not specified)
Auth required
Prerequisites: Valid domain credentials · Network access to target DC · SMB signing disabled or bypassable · DNS manipulation capability
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 65 stars
by uziii2208 · client-side
https://github.com/uziii2208/CVE-2025-33073

This repository contains a functional PoC exploit for CVE-2025-33073, targeting Windows Domain Controllers with DNSAdmins privileges and WinRM enabled. The exploit automates NTLM relay attacks combined with DNS poisoning to achieve SYSTEM-level code execution and flag extraction.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Windows Server 2016/2019/2022 Domain Controller
Auth required
Prerequisites: DNSAdmins group membership · WinRM service enabled · Network access to DC (SMB 445, DNS 53, WinRM 5985/5986)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github SCANNER 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-33073

The repository contains a Python script that detects NTLM reflection vulnerabilities (CVE-2025-33073) by sending crafted NTLM messages and analyzing responses. It does not exploit the vulnerability but scans for its presence.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Systems vulnerable to NTLM reflection (specific software not explicitly mentioned)
No auth needed
Prerequisites: Network access to target · Impacket library
devstral-2 · analyzed Mar 04, 2026 Full analysis →
github WORKING POC 6 stars
by SFRDevelopment · python · local
https://github.com/SFRDevelopment/windows-smb-vulnerability-framework-cve-2025-33073

This repository contains a functional exploit framework for CVE-2025-33073, a Windows SMB Client Elevation of Privilege vulnerability. The framework includes Python and PowerShell implementations for exploiting improper access control mechanisms in the SMB protocol stack.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows SMB Client (Windows 10, 11, Server 2008-2025)
No auth needed
Prerequisites: Network access to target SMB service · Python 3.7+ or PowerShell environment
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 2 stars
by EgCupCake · remote-auth
https://github.com/EgCupCake/cupntlm-Automated-Exploit-For-CVE-2025-33073-

The repository contains a functional exploit tool for CVE-2025-33073, which automates an NTLM reflection/relay attack chain via DNS coercion and PetitPotam. It includes detailed usage instructions, prerequisites, and manual exploitation steps.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Active Directory environments with SMB signing disabled
Auth required
Prerequisites: SMB signing disabled on relay target · Valid low-privilege domain account · Network access to DC (LDAP/SMB)
devstral-2 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC 1 stars
by obscura-cert · remote-auth
https://github.com/obscura-cert/CVE-2025-33073

This PoC chains DNS injection, NTLM relay, and RPC-based coercion to test authentication relay paths in Windows Active Directory environments. It uses `samba-tool` for DNS manipulation, `impacket-ntlmrelayx` for relaying, and `rpcping` for coercion.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Windows Active Directory (DNS and RPC services)
Auth required
Prerequisites: Administrator access to DNS server · Network access to target and victim · Impacket and Samba tools installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by IyarGross · poc
https://github.com/IyarGross/SMB-CVE-2025-33073

This repository provides a detailed research document and forensic analysis of CVE-2025-33073, focusing on NTLM Reflection and Relay vulnerabilities in SMB. It includes a high-interaction honeypot setup with comprehensive logging and traffic capture mechanisms.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Samba (SMB protocol)
No auth needed
Prerequisites: Samba server · VPS deployment · Wireshark/tshark for traffic capture
devstral-2 · analyzed Mar 12, 2026 Full analysis →
nomisec SCANNER
by pol4ir · poc
https://github.com/pol4ir/CVE-2025-33073

The repository contains a Python script that detects NTLM reflection vulnerabilities (CVE-2025-33073) by sending crafted NTLM messages and analyzing responses. It does not exploit the vulnerability but scans for its presence.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Systems vulnerable to NTLM reflection (specific version not specified)
No auth needed
Prerequisites: Network access to target · Impacket library
devstral-2 · analyzed Mar 02, 2026 Full analysis →
nomisec WORKING POC
by irjfifndn-prog · poc
https://github.com/irjfifndn-prog/Blackash-CVE-2025-33073

This PoC exploits CVE-2025-33073 by adding a malicious DNS record via LDAP, triggering NTLM relay attacks using PetitPotam/Printerbug/DFSCoerce, and executing arbitrary commands via ntlmrelayx. It chains multiple techniques to achieve remote code execution in an Active Directory environment.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Active Directory (DNS and SMB services)
Auth required
Prerequisites: Valid domain credentials · Network access to target AD environment · Impacket and nxc tools installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by cve-2025-33073 · poc
https://github.com/cve-2025-33073/cve-2025-33073

The repository contains a README.md file with no exploit code or technical details about CVE-2025-33073. It appears to be a placeholder or humorous writeup unrelated to the CVE.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by matejsmycka · poc
https://github.com/matejsmycka/CVE-2025-33073-checker

This script checks for CVE-2025-33073 by attempting an NTLM reflection: it verifies the target's SMB signing setting and triggers PetitPotam coercion. It requires valid domain credentials and a DNS record registered in advance for the reflection to succeed.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Samba (specific version not specified)
Auth required
Prerequisites: Valid domain credentials · SMB signing disabled · DNS record registered in advance for the NTLM reflection
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Scores

CVSS v3 8.8
EPSS 0.4433
EPSS Percentile 97.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-10-20
VulnCheck KEV 2025-10-09
ENISA EUVD EUVD-2025-17737
CWE
CWE-284
Status published
Products (17)
microsoft/windows_10_1507 < 10.0.10240.21034 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.8148 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.7434 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.5965
microsoft/windows_10_22h2 < 10.0.19045.5965
microsoft/windows_11_22h2 < 10.0.22621.5472
microsoft/windows_11_23h2 < 10.0.22631.5472
microsoft/windows_11_24h2 < 10.0.26100.4270
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_server_2008 r2 sp1
... and 7 more
Published Jun 10, 2025
KEV Added Oct 20, 2025
Tracked Since Feb 18, 2026
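Added example (not part of the page's data feed): given the fixed-build thresholds listed under Products above, decide whether an inventoried OS build is below the June 2025 fix. Only the eight products the page lists explicitly are encoded; the "... and 7 more" entries are unknown to this table and are reported as None rather than guessed. The inventory lines are constructed.

```python
from __future__ import annotations

# Fixed builds exactly as listed on this page (first build that contains the fix),
# keyed by the build number that identifies the product line.
FIXED_BUILDS = {
    10240: ("windows_10_1507", (10, 0, 10240, 21034)),
    14393: ("windows_10_1607", (10, 0, 14393, 8148)),
    17763: ("windows_10_1809", (10, 0, 17763, 7434)),
    19044: ("windows_10_21h2", (10, 0, 19044, 5965)),
    19045: ("windows_10_22h2", (10, 0, 19045, 5965)),
    22621: ("windows_11_22h2", (10, 0, 22621, 5472)),
    22631: ("windows_11_23h2", (10, 0, 22631, 5472)),
    26100: ("windows_11_24h2", (10, 0, 26100, 4270)),
}


def parse_build(version: str) -> tuple[int, int, int, int]:
    """'10.0.19045.5965' -> (10, 0, 19045, 5965). The last part is the UBR,
    which is what distinguishes a patched from an unpatched month."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.ubr, got {version!r}")
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def assess(version: str):
    """Returns (product, vulnerable). vulnerable is True when the build is older
    than the fixed build, False when it is at or above it, and (None, None) when
    the build number is not one of the products listed in FIXED_BUILDS."""
    v = parse_build(version)
    entry = FIXED_BUILDS.get(v[2])
    if entry is None:
        return None, None
    product, fixed = entry
    return product, v < fixed


def assess_inventory(lines):
    """lines: 'hostname,version' strings as a CMDB export might produce.
    Returns (host, product, vulnerable) per line."""
    report = []
    for line in lines:
        host, _, version = line.partition(",")
        product, vulnerable = assess(version)
        report.append((host, product, vulnerable))
    return report


# Constructed inventory: one host each side of the 22H2 and 24H2 thresholds,
# plus a build that is not in the table above.
SAMPLE_INVENTORY = [
    "fs01,10.0.19045.5964",
    "fs02,10.0.19045.5965",
    "dc01,10.0.26100.4270",
    "ws-fin-04,10.0.26100.4269",
    "legacy01,10.0.20348.3807",
]

if __name__ == "__main__":
    for host, product, vulnerable in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:<10} {product or 'not in table':<18} vulnerable={vulnerable}")
```

On a Windows host the full version string is `CurrentBuildNumber` plus `UBR` from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`; a host reported as vulnerable should also be checked for `RequireSecuritySignature`, since required signing blocks the relay step even before the patch is applied.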