(praetorian.com) CVE-2025-33073: NTLM Reflection Resurrects One-Hop Path to Active Directory Domain Compromise

EXECUTIVE SUMMARY
CVE-2025-33073 enables NTLM reflection attacks on unpatched Windows systems that do not require SMB signing, allowing any authenticated domain user to achieve SYSTEM-level RCE. Combined with unconstrained delegation, this vulnerability permits full domain compromise via DCSync. Immediate patching, enabling SMB signing on delegation hosts, and auditing unconstrained delegation are critical.

TECHNICAL SUMMARY
CVE-2025-33073 exploits the Windows SMB client's handling of marshaled DNS target information to trigger local NTLM authentication. Attackers create malicious DNS records via LDAP, coercing SMB clients into NTLM reflection. Tools like RelayKing identify unpatched targets using DCERPC UBR (Update Build Revision) queries. On a host configured for unconstrained delegation, PrinterBug coerces the domain controller to authenticate to that host, which caches the DC's TGT in LSASS. Rubeus captures the TGT, enabling secretsdump.py to extract the krbtgt hash for Golden Ticket creation and domain compromise. SMB signing on the DCs does not mitigate this outbound coercion, so the one-hop systems themselves must be hardened.
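The two conditions the summaries above call out, unconstrained delegation and SMB signing not being required, are what a defender needs to find in their own estate. The script below is an added example, not code from the Praetorian post or from any tool it names; it assumes the RSAT ActiveDirectory module on the workstation running it and CIM (WinRM) access to the hosts being checked. The function names are ours.

```powershell
<#
  Added example (not from the Praetorian post): audit the one-hop population.
  Step 1 lists principals flagged TRUSTED_FOR_DELEGATION (unconstrained).
  Step 2 reads the effective SMB signing settings of each such host over CIM.
  Assumes: RSAT ActiveDirectory module, CIM/WinRM reachability, read rights in AD.
#>
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationPrincipals {
    # Computers carrying the unconstrained-delegation flag. Domain controllers
    # have it by design, so writable DCs (primaryGroupID 516) and read-only DCs
    # (521) are excluded; what remains is the set of hosts to harden or fix.
    $computers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, primaryGroupID, OperatingSystem, LastLogonDate |
        Where-Object { $_.primaryGroupID -notin @(516, 521) } |
        ForEach-Object {
            [pscustomobject]@{
                Type            = 'Computer'
                Name            = $_.Name
                DNSHostName     = $_.DNSHostName
                OperatingSystem = $_.OperatingSystem
                LastLogonDate   = $_.LastLogonDate
            }
        }

    # Service accounts with the same flag: a service running as one of them
    # also receives forwardable TGTs from whoever authenticates to it.
    $users = Get-ADUser -Filter 'TrustedForDelegation -eq $true' `
        -Properties TrustedForDelegation, ServicePrincipalName, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Type            = 'User'
                Name            = $_.SamAccountName
                DNSHostName     = ($_.ServicePrincipalName -join ';')
                OperatingSystem = $null
                LastLogonDate   = $_.LastLogonDate
            }
        }

    @($computers) + @($users)
}

function Test-SmbSigningRequired {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Server-side RequireSecuritySignature is the setting that makes the host
    # reject an unsigned (relayed or reflected) session; the client-side value
    # governs whether the host's own outbound SMB sessions insist on signing.
    $session = $null
    try {
        $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
        $server  = Get-SmbServerConfiguration -CimSession $session
        $client  = Get-SmbClientConfiguration -CimSession $session
        [pscustomobject]@{
            ComputerName          = $ComputerName
            ServerRequiresSigning = [bool]$server.RequireSecuritySignature
            ClientRequiresSigning = [bool]$client.RequireSecuritySignature
            Reachable             = $true
        }
    } catch {
        # Unreachable hosts are reported rather than silently dropped, so the
        # audit shows what it could not verify.
        [pscustomobject]@{
            ComputerName          = $ComputerName
            ServerRequiresSigning = $null
            ClientRequiresSigning = $null
            Reachable             = $false
        }
    } finally {
        if ($session) { Remove-CimSession $session }
    }
}

# Usage: the intersection the post describes as the one-hop path, i.e.
# unconstrained-delegation hosts whose SMB server does not require signing.
$report = Get-UnconstrainedDelegationPrincipals |
    Where-Object { $_.Type -eq 'Computer' -and $_.DNSHostName } |
    ForEach-Object { Test-SmbSigningRequired -ComputerName $_.DNSHostName }

$report | Where-Object { -not $_.Reachable -or -not $_.ServerRequiresSigning } |
    Format-Table -AutoSize
```

Every row in the final table is either a host that could not be checked or a host on which both preconditions from the summary hold; patching and requiring SMB signing closes the reflection step, and removing the delegation flag where it is not genuinely needed removes the escalation to the domain controller's TGT.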

Source: https://www.praetorian.com/blog/cve-2025-33073-ntlm-reflection-one-hop/

#Cybersecurity #ThreatIntel

Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problem

CVE-2025-33073 gives any domain user SYSTEM on unpatched hosts. See how unconstrained delegation turns one hop into full domain compromise.

Praetorian