CVE-2025-55234

HIGH

Windows 10 1507-22H2, Windows 11 22H2-24H2, Windows Server 2008 - SMB Server Relay Attack via Improper Authentication

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-55234. PoCs published by mrk336.

AI-analyzed exploit summary This is a detailed writeup discussing detection and defense strategies for CVE-2025-54918, an NTLM authentication bypass vulnerability, and references CVE-2025-55234. It includes exploit chain analysis, incident response playbooks for Azure Sentinel and Splunk, but does not contain actual exploit code.

Description

SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. The SMB Server already supports mechanisms for hardening against relay attacks: SMB Server signing SMB Server Extended Protection for Authentication (EPA) Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks. If you have not already enabled SMB Server hardening measures, we advise customers to take the following actions to be protected from these relay attacks: Assess your environment by utilizing the audit capabilities that we are exposing in the September 2025 security updates. See Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing & SMB Server EPA. Adopt appropriate SMB Server hardening measures.

Exploits (2)

nomisec WRITEUP 1 stars
by mrk336 · poc
https://github.com/mrk336/Patch-the-Path-CVE-2025-55234-Detection-Defense

This is a detailed writeup discussing detection and defense strategies for CVE-2025-54918, an NTLM authentication bypass vulnerability, and references CVE-2025-55234. It includes exploit chain analysis, incident response playbooks for Azure Sentinel and Splunk, but does not contain actual exploit code.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Windows NTLM Authentication
No auth needed
Prerequisites: Network access to target domain · Low-privileged user credentials
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 1 stars
by mrk336 · poc
https://github.com/mrk336/CVE-2025-55234

The repository provides a detailed writeup and a PowerShell script demonstrating an SMB relay attack (CVE-2025-55234) for privilege escalation. The script enumerates SMB shares and simulates a relay attack but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Microsoft SMB (Server Message Block) protocol
No auth needed
Prerequisites: Network access to target SMB server · SMB Signing not enforced · User interaction required
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.1883
EPSS Percentile 96.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-287
Status published
Products (17)
microsoft/windows_10_1507 < 10.0.10240.21128 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.8422 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.7792 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.6332
microsoft/windows_10_22h2 < 10.0.19045.6332
microsoft/windows_11_22h2 < 10.0.22621.5909
microsoft/windows_11_23h2 < 10.0.22631.5909
microsoft/windows_11_24h2 < 10.0.26100.6508
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_server_2008 r2 sp1
... and 7 more
Published Sep 09, 2025
Tracked Since Feb 18, 2026