Security Operations
NTLM Reflection Attack Strikes Again
A three-month old flaw in a network protocol for file sharing used by Microsoft is under active exploitation, warns the U.S. Cybersecurity and Infrastructure Security Agency.
See Also: Neutralizing the Risk of Compromised Credentials
CISA on Monday gave federal agencies 21 days to apply patches for CVE-2025-33073, an improper access control vulnerability residing on the client side of Server Message Block messages.
Microsoft in June published a patch for the vulnerability, warning that attackers could use the CVSS 8.8 flaw to obtain system privileges. An attacker could send a script forcing a victim machine to connect to an attacker-controlled server and authenticate to it. The flaw’s exploitation bypasses mitigations Microsoft has built over the years to prevent NTLM reflection attacks, although it fails in networks that enforce SMB signing, wrote researchers from Synacktiv in analysis published earlier this year.
NTLM is Microsoft’s legacy authentication protocol, introduced in 1993 as “New Technology LAN Manager.” The computing giant is deprecating NTLM in favor of the more secure Kerberos authentication protocol. NTLM persists, whether because its hardcoded into servers or because it’s still the authentication protocol for Windows peer-to-peer workgroups. Synacktiv researchers discovered they could exploit CVE-2025-33073 despite Kerberos because exploitation of the flaw relies on a script forcing a local machine into authenticating to itself, which it does using NTLM.
The script tricks victim machines into a local NTLM location by forcing it to resolve a DNS record such as localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAAM. The computer strips everything after localhost, meaning that NTLM will treat the authentication as local, “irrespective of the machine’s hostname,” Synacktiv wrote.
Attackers must then coerce the Local Security Authority Subsystem Service on a victim computer – now in possession of a local NTLM authentication token – into supplying the token to an attacker-controlled server.
The CISA mandate applies only to U.S. federal agencies, but the agency advises the quick remediation by everyone of any flaw added to its Known Exploited Vulnerabilities catalog.
With reporting by Information Security Media Group’s David Perera in Northern Virginia.
