CVE-2025-33073

HIGH CISA KEV EPSS 99.1%

Published Jun 10, 20251y ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Find Similar

Published Jun 10, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

KEV Listed Oct 20, 2025 8mo ago

KEV Due Nov 10, 2025 232d overdue

Description

Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.

CVSS Details

Base Score

8.8

Exploitability

2.8

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

CISA Known Exploited Overdue 232d

Added: Oct 20, 2025
Due: Nov 10, 2025

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability

99.1% percentile

Exploit & Patch Status

Actively Exploited (KEV)

No Patch Available

Weaknesses 1

CWE-284

Affected Products 21

Vendor	Product	Version	Range
microsoft	windows_10_1507	*	<10.0.10240.21034
microsoft	windows_10_1507	*	<10.0.10240.21034
microsoft	windows_10_1607	*	<10.0.14393.8148
microsoft	windows_10_1607	*	<10.0.14393.8148
microsoft	windows_10_1809	*	<10.0.17763.7434
microsoft	windows_10_1809	*	<10.0.17763.7434
microsoft	windows_10_21h2	*	<10.0.19044.5965
microsoft	windows_10_22h2	*	<10.0.19045.5965
microsoft	windows_11_22h2	*	<10.0.22621.5472
microsoft	windows_11_23h2	*	<10.0.22631.5472
microsoft	windows_11_24h2	*	<10.0.26100.4270
microsoft	windows_server_2008	*	any
microsoft	windows_server_2008	*	any
microsoft	windows_server_2008	r2	any
microsoft	windows_server_2012	*	any
microsoft	windows_server_2012	r2	any
microsoft	windows_server_2016	*	<10.0.14393.8148
microsoft	windows_server_2019	*	<10.0.17763.7434
microsoft	windows_server_2022	*	<10.0.20348.3745
microsoft	windows_server_2022_23h2	*	<10.0.25398.1665
microsoft	windows_server_2025	*	<10.0.26100.4270

References 4

msrc.microsoft.com https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073

Vendor Advisory
cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33073

US Government Resource
vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-33073-detection-script-improper-access-control-in-windows-smb-affects-microsoft-products

Third Party Advisory
vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-33073-mitigation-script-improper-access-control-in-windows-smb-affects-microsoft-products

MitigationThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.