Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available

A newly disclosed security vulnerability in the Windows SMB client, tracked as CVE-2025-33073, has raised significant concerns due to its potential to allow elevation of privilege to SYSTEM level. With a CVSS score of 8.8, this flaw stems from improper access control in the SMB protocol stack, particularly in how Kerberos authentication subkeys are managed.

According to the security advisory, “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges”, the highest level of access in Windows environments.

To exploit the vulnerability, an attacker must coerce a victim into connecting to a malicious SMB server. This can be achieved using techniques like phishing, drive-by downloads, or watering hole attacks. Upon successful connection, the malicious server abuses the Kerberos authentication process to forge a privileged token, ultimately granting elevated local access.

The vulnerability is rooted in how the SMB client negotiates Kerberos authentication:

“When the SMB client has negotiated Kerberos instead of NTLM, the SpInitLsaModeContext function is called… and eventually inserts a session key into the global list KerbSKeyList,” the researchers explains.

Key technical components of the vulnerability include:

• Use of KerbCreateSKeyEntry, which stores a subkey and token associated with a privileged logon ID (SYSTEM or NETWORK SERVICE).
• Improper checks in the KerbDoesSKeyExist function that allow an attacker to reuse this subkey under specific conditions.
• If the client name matches the machine name, and the subkey exists in the KerbSKeyList, the resulting token will be elevated to SYSTEM.

“If IsSystem is true, then the User field of the token information is set to SYSTEM, and the local admin SID is added to the groups field,” the researchers noted.

The attack chain overview

1. Attacker sets up a malicious SMB server with carefully crafted responses.
2. Victim machine is tricked into initiating an SMB connection to the malicious server.
3. The server responds in a way that forces the client into Kerberos authentication.
4. A subkey is generated and logged into KerbSKeyList with privileged token data.
5. The server then forges a valid AP-REQ ticket using the subkey.
6. The SMB client accepts and validates the forged ticket.
7. SYSTEM token is generated via KerbMakeTokenInformationV3, granting administrative privileges.

A proof-of-concept (PoC) exploit demonstrating this vulnerability is publicly available on GitHub, making the issue more urgent for system administrators and security teams.

Related Posts:

• Phasing Out NTLM: Windows 11’s Commitment to Kerberos
• From Espionage to Theft: The Multi-Faceted APT Attacks on SMBs
• Cyberattack Surge: SMBs Grapple with 8% Rise in Malware