A major zero-day vulnerability impacting Windows systems has come to light, allowing malicious actors to gain extensive system privileges through a novel Kerberos attack method. Identified as CVE-2025-33073, this security flaw was patched by Microsoft on June 10, 2025, during their routine Patch Tuesday security updates.
The Reflective Kerberos Relay Attack, uncovered by RedTeam Pentesting in January 2025, takes advantage of a critical weakness in the handling of Kerberos authentication by Windows. This vulnerability marks a notable advancement in relay attacks that have long troubled Active Directory environments.
"While Microsoft bolstered protections against NTLM reflection attacks back in 2008 with MS08-068, this new technique cleverly bypasses those safeguards by utilizing Kerberos instead of NTLM protocols," explained a cybersecurity analyst.
"While Microsoft bolstered protections against NTLM reflection attacks back in 2008 with MS08-068, this new technique cleverly bypasses those safeguards by utilizing Kerberos instead of NTLM protocols,"
Race Results
Race Results
Race Results
Once exploited, this vulnerability allows attackers to manipulate any Windows host into authenticating back to a system under their control via the Server Message Block (SMB) protocol. Subsequently, they can relay the computer account's Kerberos ticket back to the original host. As a result, the attacker can obtain NT AUTHORITY\SYSTEM privileges, which represent the highest level of access on Windows machines, effectively granting them complete dominance over the compromised system.
The Reflective Kerberos Relay Attack involves several complex technical elements that elevate its danger. Initially, attackers employ authentication coercion, a well-established strategy that enables accounts with limited privileges to compel Windows hosts to connect and authenticate to systems that the attackers control.
Furthermore, the attack leverages the CredUnmarshalTargetInfo/CREDENTIAL_TARGET_INFORMATION technique, innovatively introduced by James Forshaw of Google Project Zero. This technique allows attackers to register hostnames that lead to the issuance of Kerberos tickets for unintended hosts. "This creates a misleading scenario where Windows systems become confused about their intended authentication target," said Forshaw, highlighting how systems mistakenly believe they are engaging in local loopback authentication when, in fact, they are in contact with external threats.
"This creates a misleading scenario where Windows systems become confused about their intended authentication target,"
To exploit this vulnerability effectively, researchers had to address Windows' habitual inclination for NTLM over Kerberos in specific situations. They accomplished this by modifying existing tools to ensure that Kerberos authentication is forced. Notably, the vulnerability seems to target and exploit Windows' privilege escalation mitigation mechanisms, compelling the system to reuse high-privileged process tokens instead of generating new ones intended for the attack context.
As businesses and organizations rely increasingly on Windows for their operational needs, the risks associated with vulnerabilities like CVE-2025-33073 can have severe repercussions. Immediate patching measures and increased awareness among users are vital to mitigate potential damage from these types of attacks.
Microsoft's response to this vulnerability reflects their increased vigilance regarding security threats. "We're continuously monitoring our systems for vulnerabilities and rapidly addressing them to protect our users," said a Microsoft spokesperson. They emphasize the importance of collecting user feedback to enhance their security capabilities moving forward.
"We're continuously monitoring our systems for vulnerabilities and rapidly addressing them to protect our users,"
In summary, the discovery of the Reflective Kerberos Relay Attack signifies a critical point in the ongoing battle against cyber vulnerabilities, posing substantial risks to organizations using Windows systems. Experts advocate for stringent security practices and prompt updates to safeguard against such pervasive threats in the dynamic landscape of cybersecurity.