Week 43 – Old Trick, New Target: NTLM Reflection Returns via SMB

20 – 26 Oct 2025

The next star of our #CVE of the Week series is CVE-2025-33073, an improper authorization flaw in Microsoft’s SMB implementation.

As you might have noticed from its ID number, this is not a freshly discovered vulnerability, but it still deserves attention because CISA has just added it to the Known Exploited Vulnerabilities (KEV) database.

To put this issue in context, we have to go back in time and understand an old trick used by attackers: NTLM reflection. In simplified form, it means relaying an NTLM authentication request back to the machine from which it originated. When abused, this technique allows for privilege escalation and remote code execution. The original vulnerability was patched back in 2008, with the fix even released for Windows XP, but researchers continue to find ways to circumvent the added controls.

The latest iteration of this attack was discovered in June 2025 by Synacktiv’s pentest team, and it affects SMB on all current versions of Windows, from servers to desktops. Microsoft has since released patches, but the fact that the flaw made its way into the KEV four months later indicates that many organizations have failed to apply the updates, leaving them exposed to the threat.

Although this specific exploit is rendered useless by keeping your Windows systems updated, research suggests that there might be other ways to execute the attack despite the countermeasures. To close off this and future attack vectors related to NTLM reflection against SMB, it is advisable to enforce SMB signing wherever possible and, as always, to apply security patches immediately.
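One way to act on the SMB signing advice above on a single host, as an added example that is not from the original post or from Microsoft's advisory: the script audits whether signing is required for the SMB server and client roles and, if asked, enforces it. The `-Enforce` switch and the `Get-SmbSigningState` helper are names made up for this example; run it from an elevated PowerShell session.

```powershell
# Added example: audit (and optionally enforce) SMB signing on the local host.
# -Enforce is a parameter of this example script, not a built-in switch.
[CmdletBinding()]
param([switch]$Enforce)

function Get-SmbSigningState {
    # RequireSecuritySignature is the setting that makes signing mandatory
    # for the given role (inbound = server, outbound = client).
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{ Role = 'Server'; Required = [bool]$server.RequireSecuritySignature }
    [pscustomobject]@{ Role = 'Client'; Required = [bool]$client.RequireSecuritySignature }
}

$state = Get-SmbSigningState
$state | Format-Table -AutoSize

# Collect the roles where an unsigned session would still be accepted.
$weak = $state | Where-Object { -not $_.Required }
if (-not $weak) {
    Write-Output 'SMB signing is required for both roles.'
    return
}

foreach ($item in $weak) {
    Write-Warning "SMB signing is NOT required for the $($item.Role) role."
    if ($Enforce) {
        if ($item.Role -eq 'Server') {
            Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        } else {
            Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        }
    }
}

# Re-read the configuration so the report reflects what is now in effect.
if ($Enforce) { Get-SmbSigningState | Format-Table -AutoSize }
```

On domain-joined machines, the Group Policy settings "Microsoft network server: Digitally sign communications (always)" and its "Microsoft network client" counterpart take precedence over local changes, so fleet-wide enforcement belongs in a GPO. Test with legacy devices first, since peers that cannot sign will no longer be able to connect.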

Original blogpost by Synacktiv: https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-33073
Microsoft advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073


White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect the company's deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.