On June 10, 2025, Microsoft also patched the vulnerability CVE-2025-33073 with the security updates for Windows. This is a vulnerability in the Kerberos network protocol that was discovered by RedTeam Pentesting in January 2025. Below I disclose some information about the vulnerability that I received in advance from the discoverers. There are also notes for Windows administrators on what is relevant to them.
Reflective Kerberos Relay Attack
Windows uses various network protocols whose vulnerabilities can be used for attacks. NTLM relay attacks via vulnerabilities were and still are a classic. In the past, Microsoft has fixed a number of NTLM protocol vulnerabilities (see e.g. Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update).
There is also a support article KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), which explains how administrators can protect their Active Directory (AD) against NTLM relay attacks. Since 2008, it has also no longer been possible to reflect NTLM messages back to the initiating host (see MS08-068).
At the beginning of 2025, security researchers from Redteam Pentesting GmbH wondered whether such an attack on the Windows Kerberos protocol might be feasible. The team then discovered the vulnerability CVE-2025-33073 in the Kerberos network protocol implementation of Windows.
There are approaches that allow a network participant in a domain to force any Windows host to authenticate itself via SMB (through vulnerabilities, as described by the security researchers in this article). The Kerberos ticket issued by the host for its computer account can then be sent back to the same Windows host. In this way, the requesting instance not only bypasses all NTLM restrictions that Microsoft has since implemented in Windows; it also obtains NT AUTHORITY\SYSTEM privileges and thus the possibility of Remote Code Execution (RCE).
Reflective Kerberos relay attack in Windows; Source: Redteam Pentesting GmbH
The figure above illustrates the process: The attacker's computer, which must have access to the Windows network as a domain member, requests a Kerberos ticket for authentication via Remote Procedure Call (RPC). The attacker attempts to trick the Windows host via RPC Coercion.
With RPC Coercion, the attacker uses an RPC call that is accepted by the Windows host due to a security vulnerability.
In the case of the discovered vulnerability CVE-2025-33073 (Windows SMB Client Elevation of Privilege Vulnerability), the RPC Coercion call forces the Windows host to respond via SMB connection and transmit the Kerberos ticket for authentication. The attacker then mirrors this Kerberos ticket back to the host via krbrelayx.py and thus obtains the system privileges mentioned above. Privilege escalation therefore takes place for the account used, although the attacker's computer must be a member of the domain.
krbrelayx is a toolkit with programs 'for abusing' the Kerberos protocol, which also contains the Python program mentioned above. Kerberos relaying via SMB using krbrelayx is described, for example, in the article Relaying Kerberos over SMB using krbrelayx.
Details on the vulnerability CVE-2025-33073
The security researchers describe the details of this attack in a white paper Reflective Kerberos Relay Attack. This white paper should be linked as a PDF under Reflective Kerberos Relay Attack at the time of publication of my blog post.
Timeline from the discovery to the elimination of CVE-2025-33073
The vulnerability was discovered by security researchers from RedTeam Pentesting GmbH on January 30, 2025 and reported to Microsoft's MSRC on March 7, 2025. On March 31, 2025, Microsoft confirmed this vulnerability as "important" and later reserved the identifier CVE-2025-33073. The discoverers were awarded a bug bounty of 5,000 US dollars.
In the CVE-2025-33073 entry you can read that apparently five security teams discovered the vulnerability independently; it is rated as important.
Microsoft released a fix to close the vulnerability with the regular Windows security updates on Tuesday, June 10, 2025, and published the details on the same day. After a phone call with me on June 4, 2025, and an internal discussion, RedTeam Pentesting GmbH decided to disclose on Wednesday, June 11, 2025. My thanks to the team for involving me in this release in advance.
Security advice for Windows administrators
For administrators in corporate environments (private users are not affected), the in-depth details of the vulnerability or exploit are not so interesting. They are primarily interested in which systems are affected, what impact the vulnerability has and how it can be eliminated. I will try to extract the most important aspects below.
First preliminary information from DFN-CERT
As early as Friday, June 6, 2025, DFN-CERT issued a notification of a vulnerability CVE-2025-33073 (classified as important, CVSS 8.8) in Microsoft Windows. It also stated that this vulnerability would be closed by Microsoft on Tuesday, June 10, 2025, as part of the monthly patchday via Windows updates. I mentioned this in the blog post Attention: June 2025 Patchday closes vulnerability CVE-2025-33073 in Windows.
Action should be taken quickly
RedTeam Pentesting GmbH also estimates that an experienced attacker can analyze the patch in a few hours using reverse engineering, and that exploits can be developed quickly or are even already available. Administrators in Windows environments should therefore not wait too long before patching.
Complete Security Advisory
If this blog post is public, the full security advisory RT-SA-2025-002 from RedTeam Pentesting GmbH should be available. The short version is: RedTeam Pentesting has developed a reflective Kerberos relay attack that allows Active Directory domain users with low privileges to gain NT AUTHORITY\SYSTEM privileges on domain-joined Windows machines.
CVE-2025-33073 affects all Windows hosts that are members of a domain and do not require SMB signing of incoming connections. In the standard configuration, this includes all Windows 10 versions up to 22H2 for clients, as well as all Windows 11 versions up to 23H2. Furthermore, all Windows Server versions up to Windows Server 2025 (24H2) are affected, unless they are domain controllers.
Mitigation via SMB signing possible
As already mentioned, administrators should promptly install the security updates provided by Microsoft for Windows on June 10, 2025 in order to close the vulnerability. It is also possible to mitigate the vulnerability by enforcing server-side SMB signing for Windows clients and servers (if it is not possible to patch immediately). This can be done via group policies, which are described in the Microsoft support article Overview of Server Message Block signing. However, some outdated systems/applications do not support SMB signing, so this may not be an option.
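The following PowerShell script is an added example (not from the blog post, RedTeam Pentesting or Microsoft) that checks the local host against the three conditions named above (domain member, not a domain controller, incoming SMB signing not required) and, with the hypothetical -Enforce switch, applies the same server-side signing requirement that the group policy "Microsoft network server: Digitally sign communications (always)" sets. It assumes an elevated session and the built-in SmbShare module; the function name Get-Cve202533073Exposure is chosen for this example.

```powershell
# Added example: audit and optionally enforce SMB signing as an interim mitigation
# for CVE-2025-33073 on a host that cannot be patched immediately.
param(
    [switch]$Enforce   # hypothetical switch: apply the mitigation instead of only reporting
)

function Get-Cve202533073Exposure {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $smb = Get-SmbServerConfiguration
    # Win32_ComputerSystem.DomainRole 4 and 5 are backup/primary domain controllers;
    # the advisory lists DCs as not affected (they already require SMB signing).
    $isDc = $cs.DomainRole -in 4, 5
    [pscustomobject]@{
        ComputerName       = $cs.Name
        PartOfDomain       = $cs.PartOfDomain
        IsDomainController = $isDc
        RequireSigning     = $smb.RequireSecuritySignature
        # Exposed = domain-joined, not a DC, and the SMB server accepts unsigned sessions.
        Exposed            = ($cs.PartOfDomain -and -not $isDc -and -not $smb.RequireSecuritySignature)
    }
}

$state = Get-Cve202533073Exposure
$state | Format-List

if ($state.Exposed -and $Enforce) {
    # Server side: equivalent to "Digitally sign communications (always)" for the SMB server.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # Client side: this host will then also refuse unsigned sessions to other servers.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Host "SMB signing is now required; re-run without -Enforce to verify."
} elseif ($state.Exposed) {
    Write-Warning "Host is exposed: install the June 10, 2025 updates or re-run with -Enforce."
}
```

Run it across a fleet with Invoke-Command to get an inventory of which members still accept unsigned SMB sessions; as the post notes, enable enforcement only after confirming that no legacy clients or applications depend on unsigned SMB.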
Similar articles:
Microsoft Security Update Summary (June 10, 2025)
Patchday: Windows 10/11 Updates (June 10, 2025)
Patchday: Windows Server-Updates (June 10, 2025)
Windows 10/11: Preview Updates May 27, 28,2025
Attention: June 2025 Patchday closes vulnerability CVE-2025-33073 in Windows