Windows SMB Client Zero-Day Vulnerability Exploited via Reflective Kerberos Relay Attack

A newly disclosed vulnerability, CVE-2025-33073, dubbed the “Reflective Kerberos Relay Attack,” has shaken the Windows security landscape.

Discovered by RedTeam Pentesting and patched by Microsoft on June 10, 2025, this flaw allows low-privileged Active Directory users to escalate privileges to NT AUTHORITY\SYSTEM on domain-joined Windows systems that do not enforce SMB signing.

The attack leverages several advanced techniques:

  • Authentication Coercion: The attacker, using tools like wspcoerce or NetExec, coerces a Windows host (e.g., client1) to authenticate to a malicious SMB server controlled by the attacker. This is achieved via Remote Procedure Call (RPC) APIs that force the target to initiate an outbound SMB connection.
  • Service Principal Name (SPN) Confusion: By registering a specially crafted hostname (e.g., client1\1UWhRCA...YBAAAA) in Active Directory DNS or spoofing local name resolution with tools like pretender, the attacker ensures that the Kerberos ticket issued is for the victim host itself, not the attacker’s system.
  • Kerberos Ticket Relay: The attacker captures the Kerberos service ticket and relays it back to the original host using a patched version of krbrelayx.py, authenticating as the computer account (e.g., client1$) for the SPN cifs/client1.
  • Privilege Escalation: Surprisingly, instead of a low-privileged session, the relayed authentication grants SYSTEM-level access, allowing the attacker to execute arbitrary commands such as whoami and receive nt authority\system in response.

Example Attack Commands:

# Coerce authentication
$ wspcoerce 'lab.redteam/user1:[email protected]' \
    file:////client1\1UWhRCAAAA...YBAAAA/path

# Spoof DNS to redirect authentication
$ sudo pretender -i eth1 --no-dhcp-dns --no-timestamps \
    --spoof '*1UWhRCAAAA...YBAAAA*'

# Relay Kerberos ticket and execute command
$ krbrelayx.py --target smb://client1.lab.redteam -c whoami

The result: SYSTEM privileges on the target machine.

Technical Analysis and Exploitation Details

The vulnerability exploits a gap in Kerberos protections.

While NTLM relay attacks were mitigated by MS08-068 in 2008, similar safeguards were not implemented for Kerberos.

The attack abuses Windows’ handling of loopback authentication and SPN resolution, confusing the system into granting elevated privileges when it should not.

Key technical components include:

  • CredUnmarshalTargetInfo/CREDENTIAL_TARGET_INFORMATIONW Trick: This technique, pioneered by James Forshaw, allows attackers to decouple the coercion target from the SPN, causing Kerberos tickets to be issued for the victim even when connecting to an attacker’s host.
  • Bypassing NTLM Prioritization: Attackers modify krbrelayx to disable NTLM, forcing Kerberos authentication.
  • Token Reuse Flaw: Windows mistakenly reuses the SYSTEM token when authenticating with the computer account, resulting in privilege escalation.

Risk Assessment and Mitigation

The risk is significant: any domain user can potentially gain SYSTEM privileges on unpatched, domain-joined Windows hosts where SMB signing is not enforced.

The attack affects all supported Windows 10, 11, and Server versions up to 2025 24H2, except domain controllers (where SMB signing is enforced by default).

Risk Factor Table

| Factor                  | Risk Level | Notes                                                                                   |
|-------------------------|------------|-----------------------------------------------------------------------------------------|
| Privilege Escalation    | Critical   | SYSTEM-level access, full remote code execution possible                                |
| Affected Systems        | High       | All domain-joined Windows 10, 11, Server 2019–2025 (excluding DCs with SMB signing)     |
| Exploitation Complexity | Moderate   | Requires domain access and ability to coerce authentication                             |
| Default Mitigations     | Low        | SMB signing not enforced by default on most clients and servers                         |
| Patch Availability      | High       | Patch released June 10, 2025 (apply immediately)                                        |
| Attack Prerequisites    | Moderate   | Attacker must be a domain user and able to register or spoof DNS hostnames              |

Mitigation Steps:

  • Apply Microsoft’s June 2025 security updates immediately.
  • Enforce SMB signing on all Windows hosts, not just domain controllers.
  • Monitor for unusual SMB connections and coercion attempts.
  • Review Active Directory DNS for suspicious hostnames.
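The following PowerShell script is an added example (not from the article or from RedTeam Pentesting) that implements two of the steps above: it audits and optionally enforces SMB signing on the local host, and it scans an AD-integrated DNS zone for host records carrying a backslash or the marshalled CREDENTIAL_TARGET_INFORMATION marker ("1UWhRCAAAA") described earlier. It assumes the SmbShare and DnsServer RSAT modules are installed; the DNS server and zone names are placeholders.

```powershell
param(
    [string]$DnsServer = 'dc1.example.test',   # placeholder, not from the article
    [string]$ZoneName  = 'example.test',       # placeholder, not from the article
    [switch]$Enforce
)

function Test-SmbSigningRequired {
    # Both the Workstation (client) and Server services must require signing.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning = $client.RequireSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
        Compliant             = [bool]($client.RequireSecuritySignature -and $server.RequireSecuritySignature)
    }
}

function Set-SmbSigningRequired {
    # Equivalent to the 'Digitally sign communications (always)' policy for both services.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

function Find-SuspiciousDnsHostnames {
    param([string]$Server, [string]$Zone)
    # A legitimate host record contains neither a backslash nor a marshalled
    # CREDENTIAL_TARGET_INFORMATION blob (recognisable by its '1UWhRCAAAA' prefix).
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType A |
        Where-Object { $_.HostName -match '\\' -or $_.HostName -match '1UWhRCAAAA' } |
        Select-Object HostName, Timestamp,
            @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address } }
}

$state = Test-SmbSigningRequired
$state | Format-List
if (-not $state.Compliant) {
    if ($Enforce) { Set-SmbSigningRequired; Test-SmbSigningRequired | Format-List }
    else { Write-Warning 'SMB signing is not required on this host; re-run with -Enforce.' }
}

$hits = Find-SuspiciousDnsHostnames -Server $DnsServer -Zone $ZoneName
if ($hits) {
    Write-Warning "Suspicious host records in ${ZoneName}:"
    $hits | Format-Table -AutoSize
} else {
    "No suspicious host records in $ZoneName."
}
```

Run it elevated on a domain-joined host; without -Enforce it only reports, so it is safe to schedule as a recurring audit.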

The Reflective Kerberos Relay Attack highlights the ongoing need for layered security and vigilance, even as legacy protocols are phased out.

Organizations should act swiftly to patch and harden their environments against this critical threat.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.