
Windows SMB Client Zero-Day Vulnerability Exploited via Reflective Kerberos Relay Attack



A newly disclosed Windows SMB client vulnerability, CVE-2025-33073, dubbed the “Reflective Kerberos Relay Attack,” affects domain-joined Windows systems.

Discovered by RedTeam Pentesting and patched by Microsoft on June 10, 2025, this flaw allows low-privileged Active Directory users to escalate privileges to NT AUTHORITY\SYSTEM on domain-joined Windows systems that do not enforce SMB signing.

The attack leverages several advanced techniques:


  • Authentication Coercion: Using tools such as wspcoerce or NetExec, the attacker coerces a Windows host (e.g., client1) into authenticating to an attacker-controlled SMB server. The coercion goes through Remote Procedure Call (RPC) APIs that make the target open an outbound SMB connection to a hostname of the attacker's choosing.
  • Service Principal Name (SPN) Confusion: By registering a specially crafted hostname (e.g., client11UWhRCA...YBAAAA) in Active Directory DNS or spoofing local name resolution with tools like pretender, the attacker ensures that the Kerberos ticket issued is for ...
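The precondition the article names for exploitation is a host that does not require SMB signing. The script below is an added example, not code from the gbhackers article or from RedTeam Pentesting: it audits the client-side (LanmanWorkstation) and server-side (LanmanServer) signing requirement through the standard SMB cmdlets and cross-checks the registry values Group Policy writes, and with the assumed `-Enforce` switch turns the requirement on. Run it elevated; the output layout is illustrative.

```powershell
# Added example (not from the gbhackers article or the RedTeam Pentesting advisory):
# audit whether this host requires SMB signing on the client and server side,
# the precondition the article gives for CVE-2025-33073 being exploitable.
# -Enforce is an assumed switch name; cmdlets and registry paths are standard Windows ones.
[CmdletBinding()]
param(
    [switch]$Enforce
)

function Get-SmbSigningState {
    # Cmdlet view: the effective settings the SMB client and server report.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration

    # Registry view: the values Group Policy writes. Useful when a GPO was applied
    # but the cmdlet view has not caught up yet (pending reboot, policy not refreshed).
    $wks = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        ClientRequireSigning    = [bool]$client.RequireSecuritySignature
        ServerRequireSigning    = [bool]$server.RequireSecuritySignature
        ClientRequireSigningReg = [int]$wks.RequireSecuritySignature   # 1 = required; 0 or absent = not required
        ServerRequireSigningReg = [int]$srv.RequireSecuritySignature
    }
}

function Test-SmbSigningHardened {
    param([Parameter(Mandatory)]$State)
    # The article's precondition is a system that "does not enforce SMB signing",
    # so signing left optional on either side counts as exposed.
    return ($State.ClientRequireSigning -and $State.ServerRequireSigning)
}

$state = Get-SmbSigningState
$state | Format-List

if (Test-SmbSigningHardened -State $state) {
    Write-Host "SMB signing is required on client and server: the article's precondition is not met."
} else {
    Write-Warning "SMB signing is NOT required on at least one side: host matches the article's exploitable precondition."
    if ($Enforce) {
        # -Force suppresses the confirmation prompt; new SMB sessions pick the change up immediately.
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Write-Host "RequireSecuritySignature set to True on client and server."
        Get-SmbSigningState | Format-List
    } else {
        Write-Host "Re-run with -Enforce to require signing here, or set it domain-wide via Group Policy:"
        Write-Host "  Microsoft network client: Digitally sign communications (always) = Enabled"
        Write-Host "  Microsoft network server: Digitally sign communications (always) = Enabled"
    }
}
```

Requiring signing removes the condition the article says the attack depends on; it does not replace the June 10, 2025 update, which is the actual fix for CVE-2025-33073. For fleet-wide checks, run the audit half of the script through Invoke-Command against a list of hosts and collect the returned objects rather than the formatted output.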

Copyright of this story solely belongs to gbhackers.