A critical zero-day vulnerability in Windows systems has been identified, allowing attackers to escalate privileges through a new Reflective Kerberos Relay Attack. This vulnerability, labeled CVE-2025-33073, was addressed by Microsoft with a patch on June 10, 2025, as part of its regular security updates. With a CVSS score of 9.8, the flaw is deemed critical due to its low attack complexity and significant impact on system security.
The Reflective Kerberos Relay Attack marks a significant advancement in authentication relay techniques, circumventing NTLM reflection restrictions in place since 2008. The attack involves coercing a Windows host to authenticate back to an attacker’s system using the computer account’s credentials. A key technical aspect is the separation of the coercion target and Service Principal Name using a specific trick, allowing attackers to manipulate Kerberos ticket issuance.
The attack requires bypassing NTLM prioritization, as Windows defaults to NTLM for self-connections. Attackers modify tools to disable NTLM, forcing Kerberos authentication instead. The most alarming aspect is the unexpected privilege escalation, where attackers gain NT AUTHORITY\SYSTEM privileges, enabling remote code execution. This occurs due to Windows’ local loopback authentication safeguards, which inadvertently grant high privileges.
The vulnerability affects all versions of Windows 10, 11, and Windows Server from 2019 to 2025. Exploitation requires both authentication coercion and SMB relaying. While SMB signing can prevent relaying, it is not universally enforced. Organizations are advised to enable server-side SMB signing and other security measures to protect against such attacks, highlighting the ongoing evolution of threats in Kerberos-based systems.
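As an added example, not part of the article, the following PowerShell audits whether server-side SMB signing (the mitigation recommended above) is required on a set of hosts and flags any that still accept unsigned sessions, using the built-in SmbShare cmdlets; the host names are assumptions.

```powershell
# Added example, not from the article: audit and optionally enforce server-side
# SMB signing, the control that defeats SMB relaying. Host names are constructed.
# Requires the SmbShare module (Windows 8 / Server 2012 and later) and WinRM.

function Get-SmbSigningStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    # Query both the live SMB server setting and the backing registry value.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $srv = Get-SmbServerConfiguration
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            ServerRequiresSign  = $srv.RequireSecuritySignature
            ServerEnablesSign   = $srv.EnableSecuritySignature
            RegistryRequireSign = $reg.RequireSecuritySignature
            # A host that accepts unsigned SMB sessions remains a viable relay target.
            RelayExposed        = -not $srv.RequireSecuritySignature
        }
    }
}

function Enable-SmbServerSigning {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Equivalent to the GPO "Microsoft network server: Digitally sign communications (always)".
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

# Constructed host list for illustration.
$hosts  = 'FILESRV01', 'APP02', 'DC01'
$status = Get-SmbSigningStatus -ComputerName $hosts
$status | Format-Table -AutoSize

$exposed = $status | Where-Object RelayExposed
if ($exposed) {
    Write-Warning ("Hosts accepting unsigned SMB: " + ($exposed.Computer -join ', '))
    # Enable-SmbServerSigning -ComputerName $exposed.Computer   # uncomment to remediate
}
```

Requiring signing on the server side is what stops a relayed session from being accepted; enabling it without requiring it still negotiates unsigned sessions with clients that do not ask for signing.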