Feds flag active exploitation of patched Windows SMB vuln
(2025/10/21)
- Reference: 1761042430
- News link: https://www.theregister.co.uk/2025/10/21/cisa_windows_smb_bug/
- Source link:
Uncle Sam's cyber wardens have warned that a high-severity flaw in Microsoft's Windows SMB client is now being actively exploited – months after it was patched.
The bug, tracked as [1]CVE-2025-33073, was added to [2]CISA's Known Exploited Vulnerabilities (KEV) catalogue on October 20, confirming that real-world attackers are using the vulnerability in ongoing campaigns. The flaw, rated 8.8 on the CVSS scale, affects Windows 10, Windows 11 (up to version 24H2), and all supported versions of Windows Server.
Microsoft initially fixed the bug during its June 2025 Patch Tuesday rollout, warning that an attacker could exploit it by convincing a victim machine to connect to a malicious SMB server, potentially allowing privilege escalation or lateral movement inside a network.
"The attacker could convince a victim to connect to an attacker-controlled malicious application (for example, SMB) server. Upon connecting, the malicious server could compromise the protocol," Redmond explained at the time.
"To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. This could result in elevation of privilege."
CISA has ordered federal civilian agencies to apply the relevant patches or remove affected systems from operation by November 10 under Binding Operational Directive 22-01, which mandates timely remediation of known exploited bugs. While the directive applies only to US government entities, the agency urged all organizations to patch immediately, citing evidence of active exploitation.
Microsoft has not yet commented publicly on the nature or scope of the attacks, but CISA's inclusion of the flaw in its catalog suggests it has seen credible indicators of compromise. The exploit's combination of network accessibility and privilege escalation makes it especially useful for threat actors looking to deepen access once they're inside a target environment.
Given SMB's near-ubiquitous role in enterprise file sharing and communications, security teams should check that June's update has been applied across all endpoints and servers, monitor for unusual outbound SMB traffic, and restrict unnecessary exposure of the protocol to untrusted networks.
The warning comes as CISA adds four more vulnerabilities to its KEV list, including yet another flaw affecting Oracle's E-Business Suite. The flaw, tracked as CVE-2025-61884, [11]was patched by Oracle earlier this month, but the company didn't say whether it has been exploited in the wild.
CISA's alert suggests it has, though whether it's part of [12]the broader Clop campaign tunneling through EBS is anyone's guess. ®
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-33073
[2] https://www.cisa.gov/news-events/alerts/2025/10/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
[11] https://www.theregister.com/2025/10/14/oracle_rushes_out_another_emergency/
[12] https://www.theregister.com/2025/10/07/clop_oracle_ebs/
JohnSheeran
Weird. I thought DOGE got rid of CISA effectively.
SMB
DarkwavePunk
I'd actually forgotten that it existed. Probably not the same beast I remember from the stone age, but obviously just as "fun".
To preempt anyone thinking of posting something about port blocking... Modern SMB uses QUIC on UDP/443 (the same as HTTP/3, so not something a properly configured network should be blocking).
I assume a vulnerability at the SMB layer should be just as exploitable using that transport as any other. (However, I believe QUIC support is only enabled by default in Windows 11?)