CISA said on Monday that threat actors are actively exploiting a high-severity Windows Server Message Block (SMB) privilege-escalation vulnerability tracked as CVE-2025-33073, affecting all Windows Server and Windows 10 versions and Windows 11 up to 24H2. Microsoft patched the flaw during the June 2025 Patch Tuesday release.
Microsoft has described the bug as stemming from an improper access control weakness that can allow an authorized attacker to elevate privileges over a network. In a security advisory, the company said: “The attacker could convince a victim to connect to an attacker controlled malicious application (for example, SMB) server. Upon connecting, the malicious server could compromise the protocol.”
Microsoft said exploitation could involve a specially crafted script that coerces a victim machine to connect back to an attacker system using SMB and authenticate, potentially resulting in SYSTEM privilege escalation. The company also noted that information about the bug was publicly accessible before updates were released. Microsoft has not publicly acknowledged CISA’s statement that the flaw is under active exploitation, the agency said.
CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog and said Federal Civilian Executive Branch agencies have three weeks to secure affected systems, by Nov. 10, under Binding Operational Directive 22-01. The agency published a notice of the addition alongside the catalog entry and urged all organisations to apply patches promptly.
Microsoft credited discovery of the issue to multiple security researchers, including CrowdStrike’s Keisuke Hirata, Synacktiv’s Wilfried Bécard, SySS GmbH’s Stefan Walter, Google Project Zero’s James Forshaw, and RedTeam Pentesting GmbH. CISA said it had not provided further technical details about ongoing attacks and cautioned that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”