Critical Windows SMB vulnerability being actively exploited in attacks


US cybersecurity agency CISA warns of active exploitation of a vulnerability in the Windows SMB protocol. Attackers can use it to gain SYSTEM-level privileges.

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) is sounding the alarm: a security flaw classified as highly critical in the Windows SMB protocol is now being actively exploited in attacks. The vulnerability, tracked as CVE-2025-33073, allows attackers to escalate their privileges up to SYSTEM level—the highest privilege tier in Windows systems.

All Windows versions affected

All versions of Windows Server, Windows 10, and Windows 11 systems up to and including version 24H2 are affected. Microsoft had already patched the security vulnerability in June 2025 as part of its monthly Patch Tuesday updates, while also disclosing technical details about the flaw.

The root cause lies in faulty access control that enables authenticated attackers to elevate their privileges across the network. The attack vector requires that a victim be tricked into connecting to a server controlled by the attacker.

How the attack works

“An attacker could entice a victim to connect to a malicious application controlled by the attacker, such as an SMB server,” Microsoft explains in a security advisory. “During the connection establishment, the malicious server could compromise the protocol.”

Specifically, an attacker can use a specially crafted script to force the victim’s system to establish a connection to the attacker-controlled system and authenticate via SMB. This leads to privilege escalation on the victim’s system.

Information already public before patch

Information about the vulnerability was already publicly accessible at the time the patch was released. However, Microsoft has not yet officially confirmed that CVE-2025-33073 is being actively exploited—though CISA assumes active attacks are occurring.

The discovery of the vulnerability is credited to several security researchers, including Keisuke Hirata from CrowdStrike, Wilfried Bécard from Synacktiv, Stefan Walter from SySS GmbH, James Forshaw from Google Project Zero, and RedTeam Pentesting GmbH.

Federal agencies must patch by November 10

CISA has added CVE-2025-33073 to its catalog of known exploited vulnerabilities. US federal agencies now have until November 10 to secure their systems.

Although this directive formally applies only to federal agencies, CISA strongly urges private sector companies and organizations to close the security gap as quickly as possible.

“Such vulnerabilities are frequently used as attack vectors by malicious cyber actors and pose significant risks,” CISA warned on Monday. The agency has not yet published details about specific attacks.

Affected parties should immediately install the security updates released by Microsoft in June 2025, if they have not already done so.

Lars Becker, Editor, IT Verlag GmbH
