# Advisory: Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers

RedTeam Pentesting has developed the Reflective Kerberos Relay Attack, which allows low-privileged Active Directory domain users to remotely obtain `NT AUTHORITY\SYSTEM` privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2, excluding domain controllers.

### Details

- Product: Microsoft Windows
- Affected Versions: Clients and servers that do not require server-side SMB signing
- Fixed Versions: See https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
- Vulnerability Type: Privilege Escalation
- Security Risk: high
- Vendor URL: https://www.microsoft.com/windows
- Vendor Status: patch available
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2025-002
- Advisory Status: public
- CVE: CVE-2025-33073
- CVE URL: https://www.cve.org/CVERecord?id=CVE-2025-33073

In a reflective relay attack (also called a loopback relay attack), authentication messages are relayed back to the same host they originated from. While protections against these attacks were implemented for the now deprecated NTLM protocol in 2008 with MS08-068, the Kerberos authentication protocol appears to lack these protections. Additionally, the Reflective Kerberos Relay Attack exploits a privilege escalation vulnerability that allows attackers to execute commands with the privileges of the `NT AUTHORITY\SYSTEM` user.

Due to the complexity of this vulnerability, a detailed write-up is provided in the form of a [whitepaper which is available here](/publications/2025-06-11-Reflective-Kerberos-Relay-Attack_RedTeam-Pentesting.pdf). The attack is also explained in [our blog post](https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/).
### Workaround

Since this vulnerability is exploited in a relay attack, it can be mitigated by enforcing server-side SMB signing on Windows clients and servers.

### Fix

Microsoft provides updates for most Windows versions as part of Patch Tuesday on 10 June 2025, see .

### Security Risk

Attackers with an arbitrary account in the Windows domain can execute code as `NT AUTHORITY\SYSTEM` on systems that do not require SMB signing for incoming connections, thereby completely compromising the affected systems. This poses a high risk to many organisations.

### Timeline

- 2025-01-30 Vulnerability identified
- 2025-03-07 Reported to Microsoft via MSRC
- 2025-03-21 Vulnerability confirmed by Microsoft
- 2025-05-02 Vulnerability classified as "Important" by Microsoft
- 2025-05-30 CVE ID and patch release date declared by Microsoft
- 2025-06-03 Microsoft agrees on publication of details after patch day on 10 June
- 2025-06-04 Bug bounty of $5000 announced
- 2025-06-05 Microsoft asked to delay publication for a few days in order to deliver fixed version information
- 2025-06-10 Patch released by Microsoft
- 2025-06-11 Advisory released

### RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:

### Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
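The workaround above is to require server-side SMB signing. The following PowerShell, an added example that is not part of the RedTeam Pentesting advisory, audits the relevant setting on a host and optionally enforces it; it assumes the built-in SmbShare cmdlets (`Get-SmbServerConfiguration`, `Set-SmbServerConfiguration`) and an elevated session, and the two function names are this example's own.

```powershell
# Audit and, optionally, enforce server-side SMB signing on a Windows host.
# Added example, not code from the advisory. Run in an elevated PowerShell.

function Get-SmbSigningState {
    # Cmdlet view of the server-side (LanmanServer) signing settings.
    $cfg = Get-SmbServerConfiguration
    # Same setting through the registry, which is what the Group Policy
    # "Microsoft network server: Digitally sign communications (always)" writes.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        RequireSecuritySignature = $cfg.RequireSecuritySignature
        EnableSecuritySignature  = $cfg.EnableSecuritySignature
        RegistryRequireSignature = if ($null -ne $reg) { [bool]$reg.RequireSecuritySignature } else { $null }
        # The advisory's affected state: signing is offered but not required,
        # so an unsigned, relayed authentication is still accepted.
        ExposedToReflectiveRelay = -not $cfg.RequireSecuritySignature
    }
}

function Set-SmbSigningRequired {
    # Weak (default) state:  RequireSecuritySignature = $false
    # Hardened state:        RequireSecuritySignature = $true (unsigned sessions rejected)
    Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    Get-SmbSigningState
}

$state = Get-SmbSigningState
$state | Format-List
if ($state.ExposedToReflectiveRelay) {
    Write-Warning "Server-side SMB signing is not required on $($state.ComputerName); run Set-SmbSigningRequired to enforce it."
}
```

Requiring signing rejects SMB clients that cannot sign, so check for such clients before rolling the setting out fleet-wide via Group Policy.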