A critical zero-day vulnerability in Windows allows attackers to escalate privileges through a novel Reflective Kerberos Relay Attack.
The vulnerability, designated CVE-2025-33073, was patched by Microsoft on June 10, 2025, as part of their monthly Patch Tuesday security updates.
Microsoft has assigned this vulnerability a CVSS score of 9.8 (Critical) due to its low attack complexity and high impact on confidentiality, integrity, and availability.
Reflective Kerberos Relay Attack
RedTeam Pentesting reports that the Reflective Kerberos Relay Attack represents a significant evolution in authentication relay techniques, bypassing the NTLM reflection restrictions that have been in place since 2008.
The attack begins with authentication coercion: the attacker forces a Windows host to authenticate to an attacker-controlled system over SMB using the victim's computer account credentials.
The core technical challenge is decoupling the coercion target from the Service Principal Name (SPN), which is done with the CredUnmarshalTargetInfo/CREDENTIAL_TARGET_INFORMATIONW trick originally found by James Forshaw of Google Project Zero.
With it, the attacker registers a DNS hostname that resolves to the attack system, while the victim requests a Kerberos service ticket for an entirely different host, the one the ticket will later be relayed to.
Researchers demonstrated the coercion step using their wspcoerce tool.
The attack also requires defeating the client's NTLM preference: when a Windows host connects to a name that resolves to itself, it defaults to NTLM. The relay's SMB server therefore has to be modified (the researchers patched krbrelayx) so that its SPNEGO mechanism list advertises no NTLM capability, leaving the victim with Kerberos as the only option.
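What "advertising no NTLM capability" means at the protocol level is visible in the SPNEGO mechanism list (mechTypes) carried in the SMB server's security blob. The following Python is an added example, not code from krbrelayx or from RedTeam Pentesting's write-up: it hand-encodes a simplified SPNEGO NegTokenInit (a real Windows server also lists other mechanisms such as NEGOEX and uses the Microsoft negHints extension, both omitted here), builds one token with the usual Kerberos-plus-NTLMSSP list and one Kerberos-only list as a relay server would send, and parses either back to check whether NTLMSSP is on offer. The OID constants are the standard GSS-API/SPNEGO values; everything else (function names, the two sample mechanism lists) is constructed for illustration.

```python
# Added example: minimal DER/SPNEGO helpers showing how a relay's SMB server
# leaves NTLM out of its mechTypes so the victim must negotiate Kerberos.
# Illustrative code only, not taken from krbrelayx or the original research.

SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Microsoft Kerberos variant
KRB5_OID = "1.2.840.113554.1.2.2"        # RFC 4121 Kerberos V5
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"   # NTLMSSP


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits last, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the OID contents (tag and length stripped)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mech_types, mech_token: bytes = b"") -> bytes:
    """GSS-API InitialContextToken (0x60) wrapping a SPNEGO NegTokenInit.

    In SMB the server's NEGOTIATE response carries such a token; the client
    picks from mechTypes, so omitting NTLMSSP leaves only Kerberos.
    """
    mech_list = der_tlv(0x30, b"".join(encode_oid(o) for o in mech_types))
    fields = der_tlv(0xA0, mech_list)                      # [0] mechTypes
    if mech_token:
        fields += der_tlv(0xA2, der_tlv(0x04, mech_token))  # [2] mechToken
    neg_token_init = der_tlv(0xA0, der_tlv(0x30, fields))  # [0] NegTokenInit
    return der_tlv(0x60, encode_oid(SPNEGO_OID) + neg_token_init)


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_mech_types(token: bytes):
    """Return the advertised mechTypes OIDs of an InitialContextToken."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    _, inner, _ = _read_tlv(body, pos)             # [0] negTokenInit
    _, seq, _ = _read_tlv(inner, 0)                # SEQUENCE
    _, mech_list_ctx, _ = _read_tlv(seq, 0)        # [0] mechTypes
    _, mech_list, _ = _read_tlv(mech_list_ctx, 0)  # SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(mech_list):
        _, oid_body, pos = _read_tlv(mech_list, pos)
        oids.append(decode_oid(oid_body))
    return oids


def offers_ntlm(token: bytes) -> bool:
    return NTLMSSP_OID in parse_mech_types(token)


# Constructed sample lists: a stock server offers NTLM as fallback; the relay
# server advertises Kerberos only, so a loopback client cannot pick NTLM.
DEFAULT_MECHS = [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]
KERBEROS_ONLY_MECHS = [MS_KRB5_OID, KRB5_OID]

default_token = build_neg_token_init(DEFAULT_MECHS)
kerberos_only_token = build_neg_token_init(KERBEROS_ONLY_MECHS)

if __name__ == "__main__":
    for name, tok in (("stock server", default_token), ("relay server", kerberos_only_token)):
        print(f"{name}: {parse_mech_types(tok)} NTLM offered: {offers_ntlm(tok)}")
```

Run stand-alone it prints both mechanism lists; the same parser can be pointed at a security blob captured from a real NEGOTIATE response to see whether a server still offers NTLMSSP at all.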
The vulnerability’s most concerning aspect is its unexpected privilege escalation capability.
When the attacker relays the Kerberos ticket back to the originating host, the resulting session does not carry the low-privileged computer account's rights, as a relay normally would; instead it runs as NT AUTHORITY\SYSTEM, which is sufficient for remote code execution.
The researchers attribute this to Windows' safeguard for local loopback authentication, which links a Kerberos ticket to the process that requested it.
In the attack scenario the coerced service runs as NT AUTHORITY\SYSTEM but authenticates with the low-privileged computer account's credentials, and the safeguard misjudges the situation.
The authentication data therefore includes KERB_AD_RESTRICTION_ENTRY and KERB_LOCAL structures that link the ticket to the original process, and the session established by the relayed ticket inherits that process's NT AUTHORITY\SYSTEM privileges.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Windows 10 (all versions), Windows 11 (pre-24H2), Windows Server 2019–2025 |
| Impact | Privilege escalation |
| Exploit Prerequisites | (1) Authentication coercion via SMB; (2) ability to relay Kerberos tickets to vulnerable SMB implementations |
| CVSS 3.1 Score | 9.8 (Critical) |
Mitigation Strategies
The vulnerability affects Windows 10, Windows 11 and Windows Server 2019 through 2025; no unpatched version is known to be immune.
Successful exploitation does, however, require both authentication coercion and the ability to relay SMB authentication. SMB coercion works reliably against all clients and servers older than 23H2, while newer server versions vary in susceptibility.
SMB relaying is blocked when the target's SMB server enforces signing (the RequireSecuritySignature server setting). That protection is enabled by default on Windows 11 24H2 clients and on domain controllers, but remains optional on most other servers.
Organizations should therefore prioritize enforcing server-side SMB signing, and enable related protections such as Channel Binding and Extended Protection for Authentication (EPA) on other services, as these mitigations matter for both NTLM and Kerberos relay.
The discovery underscores the evolving threat landscape around Kerberos-based attacks and emphasizes that security measures developed for NTLM remain equally important for Kerberos environments.
The post Windows SMB Client Zero-Day Vulnerability Exploited Using Reflective Kerberos Relay Attack appeared first on Cyber Security News.