Feds Flag Active Exploitation of Patched Windows SMB Vuln
Uncle Sam’s cyber wardens have warned that a high-severity flaw in Microsoft’s Windows SMB client is now being actively exploited – months after it was patched.
The bug, tracked as CVE-2025-33073, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on October 20, confirming that real-world attackers are using the vulnerability in ongoing campaigns. The flaw, rated 8.8 on the CVSS scale, affects Windows 10, Windows 11 (up to version 24H2), and all supported versions of Windows Server.
Microsoft initially fixed the bug during its June 2025 Patch Tuesday rollout, warning that an attacker could exploit it by convincing a victim machine to connect to a malicious SMB server, potentially allowing privilege escalation or lateral movement inside a network.
“The attacker could convince a victim to connect to an attacker-controlled malicious application (for example, SMB) server. Upon connecting, the malicious server could compromise the protocol,” Redmond explained at the time.
“To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. This could result in elevation of privilege.”
CISA has ordered federal civilian agencies to apply the relevant patches or remove affected systems from operation by November 10 under Binding Operational Directive 22-01, which mandates timely remediation of known exploited bugs. While the directive applies only to US government entities, the agency urged all organizations to patch immediately, citing evidence of active exploitation.
Microsoft has not yet commented publicly on the nature or scope of the attacks, but CISA’s inclusion of the flaw in its catalog suggests it has seen credible indicators of compromise. The exploit’s combination of network accessibility and privilege escalation makes it especially useful for threat actors looking to deepen access once they’re inside a target environment.
Given SMB’s near-ubiquitous role in enterprise file sharing and communications, security teams should check that June’s update has been applied across all endpoints and servers, monitor for unusual outbound SMB traffic, and restrict unnecessary exposure of the protocol to untrusted networks.
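As an added illustration of the "monitor for unusual outbound SMB traffic" advice (this is example code written for this page, not code from the article, Microsoft or CISA), the script below scans a connection log for client-initiated SMB sessions that leave trusted address space. The direction matters here: in the exploitation Microsoft describes, the victim machine connects out to the attacker's server, so an endpoint opening TCP 445 or 139 toward a non-private address is the signal worth alerting on. The log format, host names, IP addresses, the RFC 1918 trusted ranges and the file-server allowlist are all constructed assumptions; a real deployment would feed it firewall, NetFlow or Sysmon network-connection events and its own internal ranges.

```python
"""
Flag outbound SMB connections that leave the trusted network.

Constructed example: the log lines below imitate a generic connection log
(timestamp host src_ip dst_ip dst_port proto). They are not real telemetry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

SMB_PORTS = {445, 139}

# Address ranges treated as trusted (assumption: RFC 1918 plus loopback).
# An organization would add its own routed internal and file-server ranges.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    dst_ip: str
    dst_port: int
    reason: str


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, src, dst, port, proto = parts
    try:
        ipaddress.ip_address(dst)  # reject garbage destination fields early
        return {"ts": ts, "host": host, "src": src, "dst": dst,
                "port": int(port), "proto": proto}
    except ValueError:
        return None


def find_suspicious_smb(lines: Iterable[str],
                        known_servers: frozenset = frozenset()) -> List[Finding]:
    """Return findings for SMB connections to untrusted or unexpected hosts.

    - Any SMB connection to an address outside TRUSTED_NETWORKS is flagged.
    - If a file-server allowlist is given, internal SMB destinations not on
      it are flagged too (useful for spotting coerced auth to rogue internal
      hosts, at the cost of more noise).
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["port"] not in SMB_PORTS:
            continue
        if not is_trusted(rec["dst"]):
            reason = "outbound SMB to untrusted (non-private) address"
        elif known_servers and rec["dst"] not in known_servers:
            reason = "outbound SMB to internal host not in file-server allowlist"
        else:
            continue
        findings.append(Finding(rec["ts"], rec["host"], rec["dst"],
                                rec["port"], reason))
    return findings


# Constructed sample log: hosts, addresses and times are invented.
SAMPLE_LOG = [
    "2025-10-21T09:12:01Z WS-017 10.20.4.17 10.20.1.5 445 TCP",      # known file server
    "2025-10-21T09:12:09Z WS-017 10.20.4.17 203.0.113.45 445 TCP",   # SMB to an Internet host
    "2025-10-21T09:13:44Z WS-022 10.20.4.22 10.20.9.200 445 TCP",    # internal, not a known server
    "2025-10-21T09:14:02Z WS-022 10.20.4.22 198.51.100.8 443 TCP",   # HTTPS, ignored
    "malformed line that should be skipped",
]
KNOWN_FILE_SERVERS = frozenset({"10.20.1.5"})  # assumption: the only sanctioned SMB server

if __name__ == "__main__":
    for f in find_suspicious_smb(SAMPLE_LOG, KNOWN_FILE_SERVERS):
        print(f"{f.timestamp} {f.host} -> {f.dst_ip}:{f.dst_port}  {f.reason}")
```

Run against the constructed sample, the script reports the connection to 203.0.113.45 (the one that matters for the coercion scenario) and, because an allowlist was supplied, the internal host 10.20.9.200 as well. The same classification is what an egress firewall rule should enforce: block TCP 445/139 from workstations to anything outside the trusted ranges, which removes the "connect back to the attacker" step rather than merely observing it.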
The warning comes as CISA adds four more vulnerabilities to its KEV list, including yet another flaw affecting Oracle’s E-Business Suite. The flaw, tracked as CVE-2025-61884, was patched by Oracle earlier this month, but the company didn’t say whether it has been exploited in the wild.
CISA’s alert suggests it has, though whether it’s part of the broader Clop campaign tunneling through EBS is anyone’s guess. ®