CVE-2025-33073: NTLM Reflection Bypass in Windows SMB Client

CVE-2025-33073 is a high-impact NTLM reflection vulnerability that bypasses existing NTLM relay mitigations in Windows environments. Discovered by researchers from Synacktiv, it enables an authenticated remote attacker to achieve arbitrary command execution as SYSTEM on machines that do not enforce SMB signing. The issue lies in how Windows mishandles NTLM authentication when coerced with crafted DNS records, allowing local token reuse through NTLM local authentication or even Kerberos

Severity Level: High

Vulnerability Details

1. Affected Component: Windows SMB client (kernel driver mrxsmb.sys)

2. Type: Logical authentication flaw (local NTLM reflection bypass)

3. Trigger Condition:

• The attacker coerces a service like lsass.exe into authenticating to a listener.
• A specially crafted DNS record is used to disguise the listener as “local”.

4. Attack Prerequisites:

• Valid credentials (domain user)
• SMB signing not enforced on the target machine.

5. Impact:

• SYSTEM-level remote command execution via SMB
• Local SAM database dumping using tools like ntlmrelayx.py

6. Root Cause:

• The flaw stems from how NTLM local authentication is negotiated and how DNS hostnames are interpreted.

Exploitation Flow

The exploitation uses a combination of DNS trickery and forced authentication:

NTLM Exploitation:

• Setup: Attacker registers a DNS record srv11UWhRCAAAA… pointing to their controlled IP.
• Coercion: Uses PetitPotam to coerce lsass.exe to authenticate to this DNS.
• Relay: Runs ntlmrelayx.py targeting the same machine.
• Success: Local NTLM mode is triggered, SYSTEM token is reused, and remote commands are executed via SMB as SYSTEM.

Kerberos Variant:

• Same DNS manipulation used.
• Uses krbrelayx.py with NTLM mechType stripped.
• Kerberos authentication is negotiated.
• If SYSTEM account is used, Kerberos issues a token based on a subkey lookup—this subkey references SYSTEM’s privileges.
• Result: SYSTEM-level token is created and reused by attacker.

Recommendations

1. Immediately apply Microsoft’s patch for CVE-2025-33073.

2. SMB Signing:

• Enforce SMB signing across all Windows servers to prevent relay attacks.
• Group Policy: Network security: LAN Manager authentication level set to enforce signing.

3. Monitor and restrict DNS records resembling local identifiers (e.g., localhost-like names).

4. Monitoring & Detection:

• Audit SMB and RPC traffic for suspicious hostnames and unverified relays.
• Enable advanced logging: Windows Event IDs (e.g., 4624, 4672, 4688) to trace token use and service impersonation.

5. User & Service Hardening:

• Limit privileges of service accounts.
• Avoid running critical services under high-privilege (SYSTEM) where not needed.

6. Defense-in-Depth:

• Implement network segmentation and firewall rules to limit internal SMB/RPC access.
• Use endpoint protection to detect known tools (e.g., PetitPotam) and behavior anomalies.

Source:

• https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.