CVE-2025-33073: A New Technique for Reflective NTLM Relay Attack
Executive Summary
On 10 June 2025, Microsoft released patches for a total of 66 vulnerabilities, 2 of them zero-days. One of the zero-days, CVE-2025-33073 (Windows SMB Client Elevation of Privilege Vulnerability), allows an unauthorized user to execute commands remotely and escalate privileges in an Active Directory environment.
Introduction
CVE-2025-33073 was disclosed by security researchers. It allows the default DNS permissions in Active Directory infrastructure to be abused to gain control of the entire system.
Every user in an Active Directory environment has the privilege of creating new A records in the AD-integrated DNS service.
Using this vulnerability, the attacker adds a special DNS entry that looks like a victim computer but contains the attacker's IP address.
Subsequently, the attacker can trigger a coercion attack (such as MS-RPRN/PrinterBug, MS-EFSR/PetitPotam, or MS-DFSNM/DFSCoerce) to force the target server to perform an NTLM authentication to the host that the attacker's DNS entry points to.
If SMB Signing is not enforced on the server, the attacker can perform an NTLM reflection attack by reflecting the authentication session back to the same machine. This grants the attacker NT AUTHORITY\SYSTEM privileges. With SYSTEM-level access, the attacker can dump password hashes from the SAM or LSASS, execute commands, and compromise the server and potentially the entire AD domain.
In this vulnerability's NTLM relay attack, the attacker reflects the authentication session back to the same machine. Because this attack vector works against any computer in the Active Directory environment, the attacker can gain full privileges in the target domain.
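A reflected NTLM session of the kind described above leaves a recognisable footprint in the target's Security log: a network logon (Event ID 4624, LogonType 3, AuthenticationPackageName NTLM) in which the TargetUserName is the host's own computer account (HOSTNAME$) but the IpAddress is a remote address rather than the host itself. The following PowerShell is an added detection example, not code from the original advisory; the field names follow the standard 4624 event schema, the sample events are constructed, and the host name and addresses in the usage call are placeholders.

```powershell
# Added example (not from the original advisory): flag 4624 events in which a computer
# account logs on over the network, with NTLM, to its own host from a remote address.
# Sample events below are constructed; field names follow the 4624 EventData schema.

function Test-ReflectedNtlmLogon {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,    # host whose Security log is inspected
        [Parameter(Mandatory)] [string[]] $LocalAddresses,  # that host's own IP addresses
        [Parameter(Mandatory)] [object[]] $Events           # objects carrying the 4624 fields used below
    )
    $self = ($ComputerName + '$').ToUpperInvariant()        # the host's machine account, e.g. FILESRV01$
    foreach ($e in $Events) {
        if ($e.EventId -ne 4624) { continue }
        if ([int]$e.LogonType -ne 3) { continue }                              # network logon only
        if ($e.AuthenticationPackageName -ne 'NTLM') { continue }              # Kerberos logons are not relayable this way
        if ($e.TargetUserName.ToUpperInvariant() -ne $self) { continue }      # only the host's own account
        $loopback = @('127.0.0.1', '::1', '-')
        $sourceIsLocal = ($LocalAddresses -contains $e.IpAddress) -or ($loopback -contains $e.IpAddress)
        $verdict = if ($sourceIsLocal) {
            'local loopback (usually benign)'
        } else {
            'machine account logged on to itself from a remote address: investigate for NTLM reflection'
        }
        [pscustomobject]@{
            TimeCreated     = $e.TimeCreated
            TargetUserName  = $e.TargetUserName
            IpAddress       = $e.IpAddress
            WorkstationName = $e.WorkstationName
            Verdict         = $verdict
        }
    }
}

function Get-LogonEventsFromSecurityLog {
    # Reads real 4624 events from the local Security log and flattens the EventData fields
    # that Test-ReflectedNtlmLogon needs (requires the right to read the Security log).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            EventId                   = $_.Id
            TimeCreated               = $_.TimeCreated
            LogonType                 = $d['LogonType']
            AuthenticationPackageName = $d['AuthenticationPackageName']
            TargetUserName            = $d['TargetUserName']
            IpAddress                 = $d['IpAddress']
            WorkstationName           = $d['WorkstationName']
        }
    }
}

# Constructed sample: a benign local NTLM logon, a suspicious one from a remote address,
# and an unrelated Kerberos user logon that the filter must ignore.
$sampleEvents = @(
    [pscustomobject]@{ EventId = 4624; TimeCreated = '2025-06-11T09:12:03'; LogonType = 3; AuthenticationPackageName = 'NTLM';     TargetUserName = 'FILESRV01$'; IpAddress = '10.0.0.5';  WorkstationName = 'FILESRV01' }
    [pscustomobject]@{ EventId = 4624; TimeCreated = '2025-06-11T09:12:09'; LogonType = 3; AuthenticationPackageName = 'NTLM';     TargetUserName = 'FILESRV01$'; IpAddress = '10.0.0.77'; WorkstationName = 'FILESRV01' }
    [pscustomobject]@{ EventId = 4624; TimeCreated = '2025-06-11T09:13:00'; LogonType = 3; AuthenticationPackageName = 'Kerberos'; TargetUserName = 'alice';      IpAddress = '10.0.0.42'; WorkstationName = 'WS-ALICE'  }
)
Test-ReflectedNtlmLogon -ComputerName 'FILESRV01' -LocalAddresses @('10.0.0.5') -Events $sampleEvents | Format-Table -AutoSize

# On a real host, replace the sample with:
# Test-ReflectedNtlmLogon -ComputerName $env:COMPUTERNAME -LocalAddresses (Get-NetIPAddress).IPAddress -Events (Get-LogonEventsFromSecurityLog)
```

The heuristic deliberately keeps loopback logons of the machine account, which local services produce routinely, as a low-severity line rather than dropping them, so that an analyst can see the baseline next to the remote-address hits. It is a triage filter, not proof: a WorkstationName that does not match the host, or a burst of such logons shortly after an inbound connection to a coercion-prone RPC interface, is what turns a hit into an incident.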
With the 10 June 2025 patch, Microsoft fixed this vulnerability. In Active Directory environments, the following precautions should also be taken for extra protection:
● SMB Signing set to "Required"
● Eliminating coercion vulnerabilities such as MS-RPRN/PrinterBug, PetitPotam or DFSCoerce
● Removing DNS record creation privileges from unauthorised users or broad groups like "Authenticated Users"
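The three precautions above can be checked from a domain-joined Windows host. The script below is an added example, not part of the original advisory: it reads the SMB signing requirement on the server and client side, checks whether the Print Spooler (the service behind MS-RPRN/PrinterBug) is running, reads the zone's dynamic-update mode, and looks for broad principals holding CreateChild on the zone object in AD. The zone name, its distinguished name and the DNS server name are assumptions to adjust for your domain; the DnsServer and ActiveDirectory RSAT modules are required.

```powershell
# Added example (not from the original advisory): audit the three mitigations on a domain-joined host.
# $ZoneName, $ZoneDn and $DnsServer are placeholders; AD-integrated zones with domain-wide
# replication are assumed to live in the DomainDnsZones partition.
param(
    [string] $ZoneName  = 'corp.example',
    [string] $ZoneDn    = 'DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example',
    [string] $DnsServer = 'dc01.corp.example'
)

$findings = @()

# 1. SMB signing: "Required" means RequireSecuritySignature is True on both server and client side.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
if (-not $srv.RequireSecuritySignature) {
    $findings += 'SMB server: RequireSecuritySignature is False; fix with Set-SmbServerConfiguration -RequireSecuritySignature $true'
}
if (-not $cli.RequireSecuritySignature) {
    $findings += 'SMB client: RequireSecuritySignature is False; fix with Set-SmbClientConfiguration -RequireSecuritySignature $true'
}

# 2. Coercion surface: the Print Spooler exposes MS-RPRN; servers that do not print should not run it.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    $findings += 'Print Spooler is running; on servers that do not need it run Stop-Service Spooler; Set-Service Spooler -StartupType Disabled'
}

# 3a. DNS dynamic updates should be secure-only (no unauthenticated record creation at all).
$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
if ($zone.DynamicUpdate -ne 'Secure') {
    $findings += "DNS zone $ZoneName accepts '$($zone.DynamicUpdate)' dynamic updates; set it to Secure"
}

# 3b. Even with secure updates, the zone DACL decides who may create records. By default broad
#     groups hold CreateChild, which is the permission the advisory recommends removing.
Import-Module ActiveDirectory
$acl   = Get-Acl -Path "AD:\$ZoneDn"
$broad = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        ($broad -contains $ace.IdentityReference.Value) -and
        $ace.ActiveDirectoryRights.HasFlag($createChild)) {
        $findings += "Zone ACL grants CreateChild to $($ace.IdentityReference.Value); remove it and confirm computers still register via secure dynamic update"
    }
}

if ($findings.Count -eq 0) {
    'All checks passed.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once per server class (domain controllers, file servers, member servers) rather than on one host, because SMB signing and the spooler state are per-machine while the zone settings are shared. Removing CreateChild from broad groups changes how workstations register their own records, so test that change on a non-production zone and confirm the DHCP server or the computers themselves can still update securely before applying it domain-wide.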