Attack Surface Management, Security Operations
Administering Response to NTLM Vulnerability Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding an actively exploited vulnerability in the Server Message Block (SMB) protocol. This flaw, identified as CVE-2025-33073, has been present for three months and poses significant risks to federal agencies and beyond.
On October 20, 2025, CISA required federal agencies to apply patches within 21 days. The vulnerability is an improper access control flaw on the client side of SMB message handling that lets attackers escalate privileges on affected systems. According to an earlier Microsoft advisory, attackers can exploit this CVSS 8.8 flaw by running a script that forces the victim to connect to a malicious server, bypassing the safeguards Microsoft had previously put in place against NTLM reflection attacks, particularly in environments that do not enforce SMB signing.
The story behind NTLM—a legacy authentication protocol from Microsoft, dating back to 1993—further complicates matters. Although Microsoft is deprecating NTLM in favor of Kerberos for better security, many systems still rely on NTLM due to hardcoded implementations or peer-to-peer workgroups. Recent analyses by researchers from Synacktiv indicate that despite the prevalence of Kerberos, the exploitation of CVE-2025-33073 is still possible, illustrating systemic vulnerabilities within NTLM architecture.
Attackers leverage this vulnerability by tricking victim machines into authenticating locally using a script that resolves a manipulated DNS record. This maneuver enables the NTLM protocol to treat the connection as local authentication, circumventing protections based on the machine’s hostname. Consequently, the Local Security Authority Subsystem Service can be manipulated to provide the local NTLM authentication token to an external server controlled by the attacker.
While the immediate CISA mandate applies primarily to U.S. federal agencies, CISA urges all entities to promptly address any vulnerabilities listed in its Known Exploited Vulnerabilities catalog. As such, business owners are advised to prioritize the implementation of updates and mitigation strategies to protect their networks from potential exploitations of CVE-2025-33073 and similar threats.
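Since the article ties exploitability to environments that do not enforce SMB signing, the following PowerShell audit (an added example, not from the article, CISA or Microsoft) reports which hosts in an inventory require signing on the SMB server and client side; the hostnames are constructed placeholders, and WinRM access with administrative rights is assumed.

```powershell
# Added example: audit SMB signing enforcement across a fleet. The hostnames are
# constructed placeholders; replace them with your own inventory.
$hosts = @('WS-01', 'WS-02', 'FS-01')

# Runs on each remote host and returns the two settings that matter here:
# whether the SMB server and the SMB client each *require* signing.
$audit = {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ServerRequires = $srv.RequireSecuritySignature
        ClientRequires = $cli.RequireSecuritySignature
    }
}

$results = Invoke-Command -ComputerName $hosts -ScriptBlock $audit -ErrorAction Continue |
    Select-Object Computer, ServerRequires, ClientRequires

$results | Format-Table -AutoSize

# Hosts where either side does not require signing are the ones to fix first,
# alongside applying the vendor patch for CVE-2025-33073.
$noncompliant = @($results | Where-Object { -not $_.ServerRequires -or -not $_.ClientRequires })

if ($noncompliant.Count -gt 0) {
    Write-Warning ("{0} host(s) do not require SMB signing: {1}" -f `
        $noncompliant.Count, ($noncompliant.Computer -join ', '))
}

# Optional remediation, commented out deliberately: require signing on both
# sides. Validate in a test group first, since clients that cannot sign will
# lose access to shares once the server side requires it.
# Invoke-Command -ComputerName $noncompliant.Computer -ScriptBlock {
#     Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
#     Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
# }
```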
Utilizing the MITRE ATT&CK framework, relevant adversary tactics include initial access through exploitation of vulnerabilities, persistence via unauthorized tokens, and privilege escalation. These tactics highlight the multifaceted nature of cyber threats facing organizations today, emphasizing the importance of proactive security measures.
This ongoing situation underscores the critical need for vigilance in cybersecurity strategies, with organizations encouraged to adopt an informed and responsive approach to their network defenses.
Reported by David Perera from Information Security Media Group.