

Microsoft: NTLM Reflection Against Windows SMB Client (“the One-Hop Problem”)

CVE-2025-33073 · High · Published
CVSS: 8.8 High (Network, Low PR)
EPSS: 0.4924 (49.2% chance of exploitation within 30 days)
CWE: CWE-287 Improper Authentication
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Per NVD: “Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.” Per Praetorian’s blog: “By abusing how Windows handles marshaled target information in DNS records, an attacker can trick the SMB client into triggering local NTLM authentication. The result: authenticated remote code execution as SYSTEM on any domain-joined machine without `SMB signing` enforced. The only prerequisites are network access and credentials for any domain user.”

Affected Packages / Versions

  • Package: Microsoft Windows SMB Client
  • Affected platforms: the NVD CPE list covers many Windows client and server SKUs
  • Affected range: Windows client and server SKUs prior to Microsoft's June 2025 cumulative update (per NVD/MSRC)
  • Patched version: Microsoft's June 2025 cumulative update (the MSRC page is JS-rendered; the specific KB numbers per SKU still need to be confirmed from it)

Impact

Per Praetorian's blog: "The worst-case scenario is quite straightforward: an unpatched domain controller that does not enforce SMB signing. … CVE-2025-33073 yields SYSTEM on the DC, and from there it is a short walk to DCSync and full domain compromise." Praetorian notes the attack also works against any domain-joined system without SMB signing enforced: the "one-hop" systems.

Severity Rationale

NVD CVSS 8.8 (High): network AV, low complexity, low privileges (“credentials for any domain user”), no UI, full CIA on the targeted host. Listed in CISA’s Known Exploited Vulnerabilities Catalog.

Fix

Apply Microsoft's June 2025 cumulative update on every domain member, domain controllers included. Per Praetorian's blog framing, defense in depth means enforcing SMB signing (and channel binding) on member servers as well as domain controllers: domain controllers require SMB signing by default, while most member servers and workstations do not, which is exactly what leaves the one-hop systems exposed to the relay.
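The two checks a defender wants from the Summary and Fix sections above, as an added example (this is not code from the Praetorian write-up or from Microsoft): audit and enforce SMB signing on a host, then look through the AD-integrated DNS zone for names shaped like the marshaled-target-info records the attack registers. The zone name, DNS server name and the "localhost followed by a long base64-looking tail" regex are assumptions for illustration; the regex is a heuristic for the record shape, not a parser of the marshaled blob. Requires the SmbShare and DnsServer modules and an elevated session.

```powershell
# Added example, not part of the original page or the Praetorian write-up.
# Requires: SmbShare module (any supported Windows), DnsServer module (RSAT/DNS role),
# and an elevated PowerShell session.

# --- 1. Audit SMB signing on this host, server side and client side ---
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[PSCustomObject]@{
    ServerRequireSigning = $srv.RequireSecuritySignature   # $false on a default member server
    ServerEnableSigning  = $srv.EnableSecuritySignature
    ClientRequireSigning = $cli.RequireSecuritySignature
} | Format-List

# --- 2. Enforce signing: the mitigation the page calls out ---
# GPO equivalents: "Microsoft network server: Digitally sign communications (always)"
# and "Microsoft network client: Digitally sign communications (always)".
# With RequireSecuritySignature on, a relayed (unsigned) NTLM session to this
# host's SMB service is rejected, which is what breaks the one-hop reflection.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# --- 3. Hunt for suspicious "localhost..." records in the AD-integrated zone ---
# $ZoneName and $DnsServer are placeholders for your environment (assumptions).
$ZoneName  = 'corp.example'
$DnsServer = 'dc01.corp.example'

# Heuristic (assumption): a host name that begins with "localhost" and carries a
# long base64-looking tail is not something a legitimate machine registers;
# that is the shape of a name carrying marshaled target information.
$pattern = '^localhost[A-Za-z0-9+/=]{20,}$'

Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $_.HostName -match $pattern } |
    Select-Object HostName,
                  @{ n = 'IPv4';      e = { $_.RecordData.IPv4Address } },
                  @{ n = 'Timestamp'; e = { $_.Timestamp } }
```

Any hit in step 3 deserves a look at which principal created the record (dynamic updates by authenticated domain users are what the attack relies on) and at whether the IPv4 target is a host you own. Step 2 is per host; roll it out through Group Policy rather than by hand, and expect a small throughput cost on file servers that did not sign before.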

Disclosure timeline

  • Reported to vendor: TBD
  • Jun 2025: Patch released (Microsoft cumulative update)
  • Mar 27, 2026: Praetorian write-up published (per cve-research listing)

References

Discovered by: RedTeam Pentesting and Synacktiv (original disclosure, June 2025, per Praetorian's blog)
Praetorian write-up: Rahul Saranjame
Published: April 29, 2026