Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers

RedTeam Pentesting has developed the Reflective Kerberos Relay Attack, which allows low-privileged Active Directory domain users to remotely obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing for incoming connections. In their default configurations, this includes all Windows 10 and Windows 11 versions up to 23H2 and all Windows Server versions up to and including Windows Server 2025 (24H2), excluding domain controllers, which require SMB signing by default.

Details

In a reflective relay attack (also called a loopback relay attack), authentication messages are relayed back to the same host they originated from. While protections against these attacks were added to the now deprecated NTLM protocol in 2008 with MS08-068, the Kerberos authentication protocol appears to lack equivalent protections. In addition, the Reflective Kerberos Relay Attack exploits a privilege escalation vulnerability that allows attackers to execute commands with the privileges of the NT AUTHORITY\SYSTEM user.

Due to the complexity of this vulnerability, a detailed write-up is provided in the form of a whitepaper, which is available here. The attack is also explained in our blog post.

Workaround

Since this vulnerability is exploited by means of a relay attack against SMB, it can be mitigated by requiring SMB signing for incoming connections (server-side SMB signing) on Windows clients and servers. Note that this workaround only removes the relay target; the underlying vulnerability is addressed by the patch described below.
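As an added example (not part of the original advisory), the following PowerShell script audits the server-side SMB signing requirement on a list of domain-joined hosts and optionally enforces it, which is the workaround described above. The host names are assumptions; the cmdlets used are the standard SmbShare module cmdlets that ship with Windows.

```powershell
# Added example, not part of the RedTeam Pentesting advisory.
# Audits (and with -Enforce, enables) server-side SMB signing, i.e. the
# "RequireSecuritySignature" setting of the LanmanServer service, which
# corresponds to the policy "Microsoft network server: Digitally sign
# communications (always)". A host that reports $false still accepts
# unsigned incoming SMB connections and therefore matches the advisory's
# affected condition.
param(
    # Assumed host names; replace with the computers to audit.
    [string[]]$ComputerName = @('ws01.corp.example', 'fs01.corp.example'),
    [switch]$Enforce
)

$results = foreach ($computer in $ComputerName) {
    try {
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ArgumentList $Enforce.IsPresent -ScriptBlock {
            param([bool]$Enforce)
            # Server-side ("incoming") signing configuration of this host.
            $cfg    = Get-SmbServerConfiguration
            $before = $cfg.RequireSecuritySignature
            if ($Enforce -and -not $before) {
                # Require signatures on all incoming SMB sessions. -Force suppresses
                # the confirmation prompt; the change takes effect for new sessions.
                Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
            }
            [pscustomobject]@{
                ComputerName         = $env:COMPUTERNAME
                RequireSigningBefore = $before
                RequireSigningNow    = (Get-SmbServerConfiguration).RequireSecuritySignature
                Error                = $null
            }
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped, so an
        # audit run never "passes" a host it could not actually check.
        [pscustomobject]@{
            ComputerName         = $computer
            RequireSigningBefore = $null
            RequireSigningNow    = $null
            Error                = $_.Exception.Message
        }
    }
}

$results | Format-Table ComputerName, RequireSigningBefore, RequireSigningNow, Error -AutoSize

$exposed = $results | Where-Object { $_.RequireSigningNow -eq $false }
if ($exposed) {
    Write-Warning ("Hosts still accepting unsigned incoming SMB: " + ($exposed.ComputerName -join ', '))
}
```

In a domain, the same setting is better deployed through Group Policy ("Microsoft network server: Digitally sign communications (always)", stored under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters as the DWORD RequireSecuritySignature = 1), since a value set locally with Set-SmbServerConfiguration may be reverted by a conflicting policy at the next refresh; the script is still useful to verify that the policy has actually been applied on each host.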

Fix

Microsoft provides updates for most Windows versions as part of the Patch Tuesday on 10 June 2025, see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073.

Security Risk

Attackers with an arbitrary account in the Windows domain can execute code as NT AUTHORITY\SYSTEM on systems that do not require SMB signing for incoming connections, thereby completely compromising the affected systems. This poses a high risk to many organisations.

Timeline

  • 2025-01-30 Vulnerability identified
  • 2025-03-07 Reported to Microsoft via MSRC
  • 2025-03-21 Vulnerability confirmed by Microsoft
  • 2025-05-02 Vulnerability classified as “Important” by Microsoft
  • 2025-05-30 CVE ID and patch release date declared by Microsoft
  • 2025-06-03 Microsoft agrees on publication of details after patch day on 10 June
  • 2025-06-04 Bug bounty of $5000 announced
  • 2025-06-05 Microsoft asked to delay publication for a few days in order to deliver fixed version information
  • 2025-06-10 Patch released by Microsoft
  • 2025-06-11 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT security experts. In the process, security weaknesses in company networks or products are uncovered so that they can be fixed promptly.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and contribute to public knowledge through research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/