CVE Alert: CVE-2025-33073 – Microsoft – Windows 10 Version 1809

CVE-2025-33073

HIGH | CISA KEV | Exploitation active

Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.

CVSS v3.1 (8.8)
Vendor
Microsoft

Affected products and versions (each entry gives the first affected build and the build that carries the fix)
  • Windows 10 Version 1809: affected from 10.0.17763.0, fixed in 10.0.17763.7434
  • Windows Server 2019: affected from 10.0.17763.0, fixed in 10.0.17763.7434
  • Windows Server 2019 (Server Core installation): affected from 10.0.17763.0, fixed in 10.0.17763.7434
  • Windows Server 2022: affected from 10.0.20348.0, fixed in 10.0.20348.3807
  • Windows 10 Version 21H2: affected from 10.0.19044.0, fixed in 10.0.19044.5965
  • Windows 11 version 22H2: affected from 10.0.22621.0, fixed in 10.0.22621.5472
  • Windows 10 Version 22H2: affected from 10.0.19045.0, fixed in 10.0.19045.5965
  • Windows Server 2025 (Server Core installation): affected from 10.0.26100.0, fixed in 10.0.26100.4349
  • Windows 11 version 22H3: affected from 10.0.22631.0, fixed in 10.0.22631.5472
  • Windows 11 Version 23H2: affected from 10.0.22631.0, fixed in 10.0.22631.5472
  • Windows Server 2022, 23H2 Edition (Server Core installation): affected from 10.0.25398.0, fixed in 10.0.25398.1665
  • Windows 11 Version 24H2: affected from 10.0.26100.0, fixed in 10.0.26100.4349
  • Windows Server 2025: affected from 10.0.26100.0, fixed in 10.0.26100.4349
  • Windows 10 Version 1507: affected from 10.0.10240.0, fixed in 10.0.10240.21034
  • Windows 10 Version 1607: affected from 10.0.14393.0, fixed in 10.0.14393.8148
  • Windows Server 2016: affected from 10.0.14393.0, fixed in 10.0.14393.8148
  • Windows Server 2016 (Server Core installation): affected from 10.0.14393.0, fixed in 10.0.14393.8148
  • Windows Server 2008 Service Pack 2: affected from 6.0.6003.0, fixed in 6.0.6003.23351
  • Windows Server 2008 Service Pack 2 (Server Core installation): affected from 6.0.6003.0, fixed in 6.0.6003.23351
  • Windows Server 2008 Service Pack 2: affected from 6.0.6003.0, fixed in 6.0.6003.23351
  • Windows Server 2008 R2 Service Pack 1: affected from 6.1.7601.0, fixed in 6.1.7601.27769
  • Windows Server 2008 R2 Service Pack 1 (Server Core installation): affected from 6.1.7601.0, fixed in 6.1.7601.27769
  • Windows Server 2012: affected from 6.2.9200.0, fixed in 6.2.9200.25522
  • Windows Server 2012 (Server Core installation): affected from 6.2.9200.0, fixed in 6.2.9200.25522
  • Windows Server 2012 R2: affected from 6.3.9600.0, fixed in 6.3.9600.22620
  • Windows Server 2012 R2 (Server Core installation): affected from 6.3.9600.0, fixed in 6.3.9600.22620
CWE
CWE-284: Improper Access Control
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Published
2025-06-10T17:02:35.874Z
Updated
2025-10-20T16:20:24.373Z

AI Summary Analysis

Risk verdict

Critical: an actively exploited, network-reachable elevation-of-privilege flaw in the Windows SMB client; treat as priority 1 given the CISA KEV listing and active exploitation.

Why this matters

Attackers can compromise a host with minimal user interaction and escalate to high privileges, enabling full control of the affected system. The exposure across many Windows editions means broad business impact, including lateral movement to adjacent resources and potential service disruption.

Most likely attack path

Exploitation requires network access to the SMB client, low-privileged credentials (PR:L) and no user interaction (UI:N), and results in full compromise of the host (C:H/I:H/A:H). Because Scope is unchanged (S:U), the attacker gains control of the targeted host rather than direct cross-system effects; any broader impact requires additional privileges. Lateral movement then depends on what the compromised host can reach, such as adjacent systems or sensitive shares.

Who is most exposed

Enterprises with common Windows endpoint/server deployments and enabled SMB clients are at highest risk; environments with flat or poorly segmented networks, and those with extensive internet-facing SMB exposure, are particularly vulnerable.

Detection ideas

  • Monitor for unusual SMB negotiation attempts or bursts from hosts to peers.
  • Look for unexpected privilege-escalation process trees or newly created administrative tokens.
  • Detect anomalous logons or lateral movement patterns following SMB activity.
  • Correlate with known exploitation indicators or post-exploit toolchains.
  • Alert on outbound reachability anomalies to internal SMB shares.

Mitigation and prioritisation

  • Apply the latest patches immediately; treat as priority 1 due to KEV/exploitation state.
  • Enforce network segmentation and restrict SMB exposure (firewall rules, disable unneeded shares).
  • Validate and harden SMB configuration; disable legacy protocols where feasible.
  • Update EDR/IDS rules to flag SMB-based privilege-escalation attempts.
  • Schedule patches via change-control and test in a staging environment before broader rollout.
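The first mitigation above is a patch check. As an added example (not code from the advisory, from Microsoft, or from this site), the PowerShell below reads the local host's OS build and update revision (UBR) from the registry and compares them against the fixed builds transcribed from the advisory's Versions field, then reports the SMB client signing setting as a general SMB hardening check; signing is a standard hardening measure and is not something the advisory itself names. The function name `Get-Cve202533073Status` and the hashtable name are assumptions of this example.

```powershell
# Added example, not part of the advisory or of any Microsoft tooling.
# Compares the local host's OS build and update revision (UBR) against the
# fixed builds listed in the advisory's Versions field for CVE-2025-33073,
# then reports the SMB client signing setting as a general hardening check.
# Run from an elevated PowerShell prompt on the host being assessed.

# Fixed-in revision per OS build, transcribed from the advisory ("X lt Y").
$FixedRevisionByBuild = @{
    6003  = 23351   # Windows Server 2008 SP2
    7601  = 27769   # Windows Server 2008 R2 SP1
    9200  = 25522   # Windows Server 2012
    9600  = 22620   # Windows Server 2012 R2
    10240 = 21034   # Windows 10 Version 1507
    14393 = 8148    # Windows 10 Version 1607 / Windows Server 2016
    17763 = 7434    # Windows 10 Version 1809 / Windows Server 2019
    19044 = 5965    # Windows 10 Version 21H2
    19045 = 5965    # Windows 10 Version 22H2
    20348 = 3807    # Windows Server 2022
    22621 = 5472    # Windows 11 Version 22H2
    22631 = 5472    # Windows 11 Version 22H3 / 23H2
    25398 = 1665    # Windows Server 2022, 23H2 Edition
    26100 = 4349    # Windows 11 Version 24H2 / Windows Server 2025
}

# Classifies a (build, revision) pair against the advisory's fixed builds.
# A revision of -1 means the UBR value could not be read from the registry.
function Get-Cve202533073Status {
    param(
        [Parameter(Mandatory)][int]$Build,
        [int]$Revision = -1
    )
    if (-not $FixedRevisionByBuild.ContainsKey($Build)) {
        return [pscustomobject]@{
            Build = $Build; Revision = $Revision
            Status = 'Unknown'; Note = 'Build is not in the advisory''s affected list'
        }
    }
    $fixed = $FixedRevisionByBuild[$Build]
    if ($Revision -lt 0) {
        return [pscustomobject]@{
            Build = $Build; Revision = $Revision
            Status = 'Undetermined'; Note = "Revision unavailable; fix ships in build $Build.$fixed"
        }
    }
    $status = if ($Revision -lt $fixed) { 'Vulnerable' } else { 'Patched' }
    [pscustomobject]@{
        Build = $Build; Revision = $Revision
        Status = $status; Note = "Fix ships in revision $fixed"
    }
}

# Read build and revision from the registry; UBR is absent on some older builds,
# so fall back to -1 and let the function report 'Undetermined' rather than guess.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$revision = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { -1 }

Get-Cve202533073Status -Build $build -Revision $revision | Format-List

# SMB client signing: general SMB hardening check. Get-SmbClientConfiguration
# exists on Windows 8 / Server 2012 and later; older hosts land in the catch block.
try {
    $smb = Get-SmbClientConfiguration -ErrorAction Stop
    "SMB client RequireSecuritySignature: $($smb.RequireSecuritySignature)"
} catch {
    'Get-SmbClientConfiguration is unavailable on this host; review the SMB signing policy via Group Policy instead.'
}
```

An 'Undetermined' result on Server 2008/2012-era hosts means the registry lacks the UBR value; on those systems confirm the installed update through your patch-management inventory rather than treating the host as patched. Running the script through remoting across an inventory turns it into a fleet-wide check against the same thresholds.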

Support Our Work

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.
