NG Solution Team

How is the Reflective Kerberos Relay Attack impacting Windows security?

A critical vulnerability known as the “Reflective Kerberos Relay Attack” has emerged, creating significant concern in the Windows security environment. Identified as CVE-2025-33073, this flaw was discovered by RedTeam Pentesting and addressed by Microsoft with a patch on June 10, 2025. This vulnerability enables users with low privileges in Active Directory to escalate their access to NT AUTHORITY\SYSTEM on domain-joined Windows machines that do not enforce SMB signing.

The attack begins with authentication coercion. Attackers use tools like wspcoerce or NetExec to compel a Windows host to connect to a malicious SMB server they control, using RPC APIs to trigger the outbound SMB connection. By manipulating Service Principal Name (SPN) resolution, attackers can ensure that Kerberos tickets are issued for the victim’s host rather than for their own server.

The Kerberos service ticket is then captured and relayed back to the original host, allowing the attacker to authenticate as the computer account and gain SYSTEM-level access. This unauthorized access permits the execution of arbitrary commands.

The vulnerability exploits a gap in Kerberos protections, specifically targeting Windows’ handling of loopback authentication and SPN resolution. It bypasses traditional NTLM relay attack mitigations and leverages a token reuse flaw to achieve privilege escalation.

The risk is substantial, with any domain user capable of gaining SYSTEM privileges on unpatched Windows hosts. This vulnerability affects all supported Windows 10, 11, and Server versions up to 2025 24H2, excluding domain controllers where SMB signing is enforced by default.

To mitigate this threat, organizations should immediately apply Microsoft’s June 2025 security updates, enforce SMB signing across all Windows hosts, monitor for unusual SMB activity, and review Active Directory DNS for suspicious entries. The Reflective Kerberos Relay Attack underscores the necessity for robust security measures and prompt action to protect against evolving threats.
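The SMB signing recommendation above can be checked per host before and after remediation. The following is an added example, not code from Microsoft or RedTeam Pentesting; the function name `Get-SmbSigningPosture` and the host names are constructed placeholders, and it assumes the hosts are reachable over CIM/WinRM with an account allowed to read the SMB configuration.

```powershell
# Added example: report whether each host's SMB server enforces signing.
# Get-SmbSigningPosture is a hypothetical helper name, not a built-in cmdlet.
function Get-SmbSigningPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($name in $ComputerName) {
            $session = $null
            try {
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $server  = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
                $client  = Get-SmbClientConfiguration -CimSession $session -ErrorAction Stop
                # The server-side setting decides whether relayed SMB
                # authentication to this host is rejected.
                $status = if ($server.RequireSecuritySignature) { 'Enforced' } else { 'NotEnforced' }
                [pscustomobject]@{
                    ComputerName          = $name
                    ServerRequiresSigning = [bool]$server.RequireSecuritySignature
                    ClientRequiresSigning = [bool]$client.RequireSecuritySignature
                    Status                = $status
                    Error                 = $null
                }
            }
            catch {
                # Unreachable or access-denied hosts are reported, not skipped,
                # so gaps in coverage stay visible in the report.
                [pscustomobject]@{
                    ComputerName          = $name
                    ServerRequiresSigning = $null
                    ClientRequiresSigning = $null
                    Status                = 'Unknown'
                    Error                 = $_.Exception.Message
                }
            }
            finally {
                if ($session) { Remove-CimSession -CimSession $session }
            }
        }
    }
}

# Constructed host list: the local machine plus a placeholder name.
$inventory = @($env:COMPUTERNAME, 'WS-EXAMPLE-01')
$inventory | Get-SmbSigningPosture | Sort-Object Status | Format-Table -AutoSize

# Remediation on a reviewed host (run locally, elevated):
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```

Hosts reported as `NotEnforced` or `Unknown` are the ones to prioritize for patching and for signing enforcement through Group Policy.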
