{"id":9976,"date":"2026-01-19T10:03:41","date_gmt":"2026-01-19T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/19\/windows-smb-client-vulnerability-enables-attacker-to-own-active-directory\/"},"modified":"2026-01-19T10:03:41","modified_gmt":"2026-01-19T10:03:41","slug":"windows-smb-client-vulnerability-enables-attacker-to-own-active-directory","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/19\/windows-smb-client-vulnerability-enables-attacker-to-own-active-directory\/","title":{"rendered":"Windows SMB Client Vulnerability Enables Attacker to Own Active Directory"},"content":{"rendered":"

Windows SMB Client Vulnerability Enables Attacker to Own Active Directory
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical vulnerability in Windows SMB client authentication that enables attackers to compromise Active Directory<\/a> environments through NTLM reflection exploitation.<\/p>\n

Classified as an improper access control vulnerability, this vulnerability allows authorized attackers to escalate privileges via carefully orchestrated authentication relay attacks over network connections.<\/p>\n

Seven months after the June 2025 security patch release, research reveals widespread non-adoption across enterprise infrastructure.<\/p>\n

Vulnerable hosts are identified on nearly every penetration test engagement across domain controllers, tier-zero servers, and workstations. The vulnerability exploits a fundamental mechanism in Windows NTLM<\/a> local authentication.<\/p>\n

\"Successful
Successful SMB Relay With Flaw<\/figcaption><\/figure>\n

When a client receives an NTLM_CHALLENGE message marked for local authentication, the system creates a context object and inserts a context ID into the Reserved field.<\/p>\n

This mechanism, combined with coercion techniques such as PetitPotam, DFSCoerce, and Printerbug, forces lsass.exe (running as SYSTEM) to authenticate to attacker-controlled servers.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
Aspect<\/strong><\/th>\nDetails<\/strong><\/th>\n<\/tr>\n<\/thead>\n
CVE Identifier<\/strong><\/td>\nCVE-2025-33073<\/td>\n<\/tr>\n
Vulnerability Type<\/strong><\/td>\nNTLM Reflection \/ Privilege Escalation<\/td>\n<\/tr>\n
Attack Vector<\/strong><\/td>\nNetwork (Coercion + Authentication Relay)<\/td>\n<\/tr>\n
Patch Release<\/strong><\/td>\nJune 2025 Windows Updates<\/td>\n<\/tr>\n
Primary Impact<\/strong><\/td>\nComplete Active Directory <\/a>Compromise<\/td>\n<\/tr>\n
Current Status<\/strong><\/td>\nWidely unpatched in enterprise environments<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The server then impersonates the SYSTEM token for subsequent operations, effectively granting full system compromise.<\/p>\n

\nAttack Requirements<\/strong> and Exploitation Pathways<\/strong>
\n<\/h2>\n

Exploitation requires either registering a malicious DNS record in AD DNS (allowed for Authenticated Users by default) or performing DNS poisoning within the local network.<\/p>\n

\"
\u00a0Successful SMB LDAPS Reflection (Source: DepthSecurity)<\/figcaption><\/figure>\n

These low-privilege requirements fundamentally increase the attack surface, as most organizations have not restricted Authenticated Users from creating arbitrary DNS records in AD DNS zones.<\/p>\n

Traditional mitigations prove insufficient against advanced exploitation vectors.<\/p>\n

While SMB signing<\/a> typically prevents relay attacks, research demonstrates successful cross-protocol relays from SMB to LDAPS with signing and channel binding enforced.<\/p>\n

This bypass involves stripping specific NTLMSSP flags (Negotiate Always Sign, Negotiate Seal, Negotiate Sign) while preserving the Message Integrity Code. This technique enables attackers to bypass multiple security controls simultaneously.<\/p>\n

Expanded Attack Surface Beyond SMB Signing<\/strong><\/h2>\n

The vulnerability extends beyond conventional SMB-to-SMB relays. DepthSecurity researchers confirmed successful attacks against ADCS enrollment services, MSSQL databases, and WinRMS through cross-protocol relay techniques.<\/p>\n

Even more concerning, SMB-to-LDAPS reflection attacks allow attackers to manipulate Active Directory objects with SYSTEM privileges<\/a> directly.<\/p>\n

Enabling group membership modification and credential harvesting through DCSync operations.<\/p>\n

RPC-based relay attempts revealed session key encryption requirements similar to those of SMB signing, demonstrating that fundamental Windows<\/a> authentication mechanisms compound the vulnerability\u2019s impact.<\/p>\n

\"RPC
RPC Reflection Authentication (Source: DepthSecurity)<\/figcaption><\/figure>\n

Attackers successfully authenticate to RPC services but encounter access controls on subsequent operations, suggesting potential avenues for exploitation via Net-NTLMv1 authentication.<\/p>\n

According to<\/a> DepthSecurity, organizations must immediately apply June 2025 Windows security updates as the primary mitigation. Additionally, enable signing and channel binding enforcement across all protocols, not limited to SMB.<\/p>\n

\"SMB
SMB Relay with Signing (Source: DepthSecurity)<\/figcaption><\/figure>\n

Reconfiguring Active Directory DNS zone access control lists to restrict Authenticated Users from creating DNS records significantly reduces the feasibility of exploitation.<\/p>\n

Security teams must prioritize the swift patching of NTLM coercion techniques and perform thorough audits of NTLM relay attack methods throughout their infrastructure.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Windows SMB Client Vulnerability Enables Attacker to Own Active Directory<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Windows SMB Client Vulnerability Enables Attacker to Own Active Directory A critical vulnerability in Windows SMB client authentication that enables attackers to compromise Active Directory environments through NTLM reflection exploitation. Classified as an improper access control vulnerability, this vulnerability allows authorized attackers to escalate privileges via carefully orchestrated authentication relay attacks over network connections. Seven […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648,395],"tags":[130],"class_list":["post-9976","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9976"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9976"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9976\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9976"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}