CyberSecurity news


@blog.redteam-pentesting.de //
A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.

Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token.

The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential.
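The missing SMB signing enforcement named above is the precondition an administrator can check directly. The following PowerShell function is an added example, not code from the page or from RedTeam Pentesting; it uses the built-in SMB cmdlets, and the function name and finding format are my own choices. It is a hardening audit only: the June 2025 update is the actual fix.

```powershell
# Added example: audit whether SMB signing is required on this host.
# The coerced host acts as both SMB client and SMB server in the reflective
# relay described above, so both sides are checked.
function Test-SmbSigningEnforcement {
    [CmdletBinding()]
    param()

    $findings = @()

    # Server side: inbound SMB sessions must require signed traffic.
    $server = Get-SmbServerConfiguration
    if (-not $server.RequireSecuritySignature) {
        $findings += [pscustomobject]@{
            Component = 'SMB server'
            Setting   = 'RequireSecuritySignature'
            Value     = $server.RequireSecuritySignature
            Fix       = 'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
        }
    }

    # Client side: outbound SMB sessions from this host must also be signed.
    $client = Get-SmbClientConfiguration
    if (-not $client.RequireSecuritySignature) {
        $findings += [pscustomobject]@{
            Component = 'SMB client'
            Setting   = 'RequireSecuritySignature'
            Value     = $client.RequireSecuritySignature
            Fix       = 'Set-SmbClientConfiguration -RequireSecuritySignature $true -Force'
        }
    }

    if ($findings.Count -eq 0) {
        Write-Verbose 'SMB signing is required on both the server and the client side.'
    }
    return $findings
}

# Usage: list every non-enforced setting with its one-line remediation.
Test-SmbSigningEnforcement -Verbose | Format-Table -AutoSize
```

Run it in an elevated session; an empty result means signing is already required on both sides, and each returned row carries the remediation command for that side.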



References:
  • bsky.app: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • Catalin Cimpanu: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • securityonline.info: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • blog.redteam-pentesting.de: Reflective Kerberos Relay Attack
  • www.synacktiv.com: NTLM reflection is dead, long live NTLM reflection: An in-depth analysis of CVE-2025
  • Daily CyberSecurity: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • infosecwriteups.com: Reflective Kerberos Relay Attack (CVE-2025-33073): NT AUTHORITY\SYSTEM Privilege Escalation
Classification:
  • HashTags: #Kerberos #PrivilegeEscalation #NTLM
  • Company: Microsoft
  • Target: Windows hosts in Active Directory environments
  • Attacker: RedTeam Pentesting
  • Product: Windows
  • Feature: Kerberos Authentication
  • Malware: CVE-2025-33073
  • Type: Vulnerability
  • Severity: Major