IT-DRAFTS
August 6, 2025

Reflection Relay: Never Happened Before, and Here We Go Again (CVE-2025-33073)

Hi,

so today we will start from the end, yea… TL;DR: NTLM and Kerberos relay just got a spicy new variant: reflection. Microsoft "fixed" self-relay back in 2008 with MS08-068. And yet… it's 2025, and a crafted DNS name lets an attacker bounce a machine's own authentication straight back at it and walk away with SYSTEM. Again. Let's break it down.

☠️ Relay: The Classic That Won’t Die

If you’ve worked with Active Directory even once in your life, you’ve probably heard of NTLM relay. If you haven’t—congrats, your blood pressure is still in check.

But beyond NTLM, there’s the newer, sassier cousin: Kerberos relay. And no, we’re not talking just about SMB anymore. We’re talking HTTP, RPC, MSSQL, LDAP, WinRM—you name it.

Still think “Relay = SMB attack”? Welcome to 2025, grab a chair and a hardened endpoint. Relay is now a buffet of protocols—and attackers are very, very hungry.

🔁 What Is Reflective Relay?

Let's rewind to MS08-068, Microsoft's original "no, you can't attack yourself" patch. It killed the classic SMB reflection: an attacker who coerced a host into authenticating to them could no longer hand that same NTLM exchange back to the host's own SMB server, because lsass started tracking its outstanding challenges and rejecting an authentication that was just its own challenge coming home.

The good old days of LNK files dropped on shared SMB folders were fading. You couldn't just get someone to click a poisoned shortcut, catch the authentication and reflect it back for a SYSTEM shell anymore.

Until now.

🔍 Enter CVE-2025-33073: Ghost of Relays Past

Vulnerability: Windows SMB client elevation of privilege; reflective NTLM and Kerberos relay back to the victim's own SMB server
Patched: June 10, 2025 (June Patch Tuesday); public write-ups followed on June 11, 2025
MSRC: CVE-2025-33073

Researchers finally broke the ancient seal. The trick is to make the victim decide that the target is itself without the name ever looking like "itself". A Windows hostname can carry marshaled credential target information (what CredMarshalTargetInfo produces, glued onto the end of the name). When the SMB client connects to such a name, lsass unmarshals it, and the name embedded inside, not the name it just resolved in DNS, becomes the target it authenticates to. Point the DNS record at the attacker, embed the victim's own name, and the victim hands the attacker an NTLM response or a Kerberos service ticket that is valid for the victim itself. Localhost was never immune to DNS shenanigans; it just took a while for someone to prove it.

The exploit therefore needs two things: a DNS record for a crafted hostname, and a way to coerce the victim into authenticating to it over SMB. The name looks like this:

fileserver1UWhRCAAAAAAAAAAUAAAAAAAAAAAAAAAAAAAAAfileserversBAAA

Yes, that's a real hostname shape. No, it's not a typo. And yes, your DNS server will swallow it without blinking: in a default Active Directory-integrated zone any authenticated user can create that A record through a dynamic update.

🧪 What Changed Since 2021?

Actually, everything started with a Google Project Zero post by James Forshaw back in 2021. It laid out the blueprint for Kerberos relay, proof-of-concept code included, but it stayed a niche topic: no mainstream tooling followed, so most people filed it under "theory".

Fast-forward to June 2025, and two teams drop bombshells:

  1. RedTeam Pentesting explains how reflective Kerberos relay works in the real world. 🔗

  2. Synacktiv follows up with a juicy NTLM flavor of the same thing. 🔗

Now we’ve got working PoCs, attack chains, and a reason to recheck every audit we did since 2008.

🔧 Attack Chain, Simplified

  1. The attacker registers a DNS A record for a crafted hostname (one carrying marshaled target info that names the victim itself) and points it at the attacker's box. In a default AD-integrated zone any domain user can do this.

  2. The attacker coerces the victim into connecting to \\<crafted-name>\share over SMB. For the SYSTEM outcome the identity has to be the machine account, which is exactly what coercion primitives like PetitPotam or the printer bug hand you; a user opening a poisoned LNK gives you that user's context instead, interesting only if they are a local admin.

  3. The victim's SMB client unmarshals the name, decides the target is itself, and builds the authentication accordingly: an NTLM response, or a Kerberos service ticket for cifs/<victim>. It sends it to the attacker's IP, because that is where DNS pointed.

  4. The attacker relays that authentication to the victim's own SMB server (ntlmrelayx or krbrelayx style). A machine account authenticating to its own service is treated as a local logon, so the relayed session runs as NT AUTHORITY\SYSTEM. From there: write to ADMIN$, create a service, run commands. Take your pick.

One caveat decides whether step 4 works: the victim's SMB server must not require signing. The attacker never learns the session key, so a signed session cannot be completed, for NTLM and Kerberos alike.
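To make the chain concrete, here is a small Python model of the reflective Kerberos variant. It is an added example for this post, not code from RedTeam Pentesting, Synacktiv or Microsoft. It models three things: the SMB client deriving its authentication target from the name embedded in a marshaled hostname rather than from the DNS name it connected to, the SMB server treating its own machine account as a local (SYSTEM) logon, and signing enforcement breaking the relay. The marshaled-name parsing is an assumption: the fixed prefix and the trailing "BAAA" are copied from the hostname shown earlier and treated as opaque markers, whereas Windows actually decodes the blob with CredUnmarshalTargetInfo. Host names, the attacker listener and the crafted name are constructed.

```python
"""Model of the reflective Kerberos relay chain (added example, not Windows code)."""
from dataclasses import dataclass
import secrets

# Fixed prefix and terminator of a marshaled CREDENTIAL_TARGET_INFORMATION that
# carries just a target name, copied from the hostname quoted in the post.
# ASSUMPTION: treated as opaque markers here; Windows decodes the blob with
# CredUnmarshalTargetInfo.
MARSHAL_PREFIX = "1UWhRCAAAAAAAAAAUAAAAAAAAAAAAAAAAAAAAA"
MARSHAL_SUFFIX = "BAAA"


def auth_target_for(hostname: str) -> str:
    """Name the victim's SMB client authenticates *to*.

    A plain name is used as-is.  A name carrying marshaled target info yields
    the name embedded inside it, so the authentication target and the DNS
    name the client connected to can differ.  That gap is the bug.
    """
    if MARSHAL_PREFIX in hostname and hostname.endswith(MARSHAL_SUFFIX):
        embedded = hostname.split(MARSHAL_PREFIX, 1)[1][: -len(MARSHAL_SUFFIX)]
        if embedded:
            return embedded.upper()
    return hostname.upper()


@dataclass
class ApReq:
    """Kerberos AP-REQ as it crosses the wire (only the fields the relay cares about)."""
    principal: str      # authenticating account, e.g. "FS01$"
    spn: str            # service the ticket is for, e.g. "cifs/FS01"
    session_key: bytes  # known to the client and to the service; never to a relayer


@dataclass
class SmbServer:
    host: str
    require_signing: bool

    def accept(self, req: ApReq, peer_has_session_key: bool) -> str:
        # A real service verifies the ticket with its own long-term key; the net
        # effect is that only tickets issued for this host's SPN are accepted.
        if req.spn.lower() != f"cifs/{self.host.lower()}":
            return "REJECT: ticket is not for this service"
        # With signing required the session needs the session key, which a relayer
        # never learns, so a forwarded AP-REQ dies here.
        if self.require_signing and not peer_has_session_key:
            return "REJECT: signing required and peer cannot sign"
        # The host's own machine account logging on to the host is a local logon
        # and gets the SYSTEM token.  This is what the relay cashes in.
        if req.principal.upper() == f"{self.host.upper()}$":
            return "SESSION as NT AUTHORITY\\SYSTEM"
        return f"SESSION as {req.principal}"


@dataclass
class Victim:
    host: str

    def authenticate_to(self, unc_host: str) -> ApReq:
        """Coerced (PetitPotam, printer bug, ...) to connect to unc_host over SMB,
        the machine account asks the KDC for cifs/<target> and sends the AP-REQ
        to whatever IP unc_host resolves to: the attacker."""
        spn = f"cifs/{auth_target_for(unc_host)}"
        return ApReq(f"{self.host.upper()}$", spn, secrets.token_bytes(16))


def run_relay(unc_host: str, require_signing: bool) -> str:
    """Victim connects to unc_host; attacker forwards the AP-REQ to the victim's SMB."""
    victim = Victim("fs01")
    server = SmbServer("fs01", require_signing)
    ap_req = victim.authenticate_to(unc_host)                 # lands on attacker's listener
    return server.accept(ap_req, peer_has_session_key=False)  # relayed verbatim


CRAFTED_NAME = "fs01" + MARSHAL_PREFIX + "fs01" + MARSHAL_SUFFIX   # constructed, resolves to attacker

if __name__ == "__main__":
    # Plain name pointing at the attacker: the ticket is for cifs/ATTACKER, rejected.
    print(run_relay("attacker", require_signing=False))
    # Marshaled name: the ticket is for the victim itself, relay lands as SYSTEM.
    print(run_relay(CRAFTED_NAME, require_signing=False))
    # Same attack against a server that requires signing: dead.
    print(run_relay(CRAFTED_NAME, require_signing=True))
```

The first run is why ordinary relay-to-self never worked: a ticket for the attacker's name is useless against the victim. The second is the CVE. The third is the mitigation that survives both the NTLM and the Kerberos flavour.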

🔥 Why It Matters (a Lot)

  • Host firewall? Doesn't help. The final hop is an inbound connection to the victim's own SMB port from the attacker, and 445 is open on any file server by design.

  • NTLM restrictions? Not enough. The Kerberos flavour works with NTLM disabled; what matters is whether the relayed session can be completed without signing.

  • Domain controllers? Mostly safe on the SMB path, because they require SMB signing by default. Member servers and workstations usually don't.

  • Logged events? Nothing says "relay". You get a normal-looking network logon of the machine account, plus whatever the coercion leaves behind.

Remember: it's not just one protocol. NTLM and Kerberos both fall, and Microsoft admits the protections against self-authentication aren't universal.

🛡 How to Defend (for Real This Time)

Microsoft's "fix" in 2008 didn't age well. Patch first, then close the conditions that make a relay pay off:

✅ Immediate Actions

  • Install the June 2025 security update for CVE-2025-33073 on every Windows host. Microsoft files it as an SMB client fix, so workstations need it as much as servers.

  • Require SMB signing on servers and clients ("Microsoft network server/client: Digitally sign communications (always)"). Signing kills the relay step for both NTLM and Kerberos; Windows 11 24H2 and Windows Server 2025 already default to it.

  • Enable Extended Protection for Authentication (EPA) and channel binding on the other relay targets: LDAP/LDAPS on domain controllers, HTTP services such as AD CS web enrollment. EPA doesn't cover SMB; signing does.

  • Disable NTLM where possible. Yes, it's painful. But remember this bug has a Kerberos flavour too, so NTLM off is not the finish line.

🔍 Detection

  • Audit record creation in your AD-integrated DNS zones and alert on names that cannot be NetBIOS names: longer than 15 characters, or carrying the marshaled target-info marker shown above.

  • On domain controllers, watch event 4769 (Kerberos service ticket requested) for a computer account requesting a ticket for its own service, i.e. Account Name equals Service Name and both end in $. Hosts have little reason to do that.

  • On member servers and workstations, watch event 4624 network logons (Logon Type 3) where the account is the host's own machine account and the Source Network Address is neither the host itself nor loopback. That is the relay landing.

  • Pair the above with coercion artifacts: MS-EFSR/MS-RPRN calls from non-admin sources, and servers initiating outbound SMB to workstations or unknown IPs.
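The three signals above, run over constructed sample events. This is an added example for this post, not a detection shipped by Microsoft or any vendor. The records are hand-made in the shape of fields a SIEM extracts from Security event 4624, Security event 4769 on a DC, and a DNS Server record-creation audit entry; the host-to-address map and the marshaled-name marker (copied from the hostname shown earlier) are assumptions.

```python
"""Detection logic for reflective relay artifacts (added example, constructed data)."""
from typing import Iterable, List, Optional

MARSHAL_PREFIX = "1UWhRCAAAAAAAAAAUAAAAAAAAAAAAAAAAAAAAA"  # marker from the hostname above
NETBIOS_MAX = 15
LOOPBACK = {"127.0.0.1", "::1", "-", ""}

# ASSUMPTION: asset inventory mapping host -> its own address(es), so a machine
# account logging on from its own box is not flagged.
HOST_ADDRS = {"FS01": {"10.0.5.10"}, "DC01": {"10.0.5.1"}}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # benign: a user's network logon to FS01 from a workstation
    {"host": "FS01", "event_id": 4624, "logon_type": 3, "account": "alice", "src_ip": "10.0.5.23"},
    # benign: FS01$ network logon from FS01 itself (loopback, then own address)
    {"host": "FS01", "event_id": 4624, "logon_type": 3, "account": "FS01$", "src_ip": "127.0.0.1"},
    {"host": "FS01", "event_id": 4624, "logon_type": 3, "account": "FS01$", "src_ip": "10.0.5.10"},
    # relay landing: FS01's own machine account arriving from another address
    {"host": "FS01", "event_id": 4624, "logon_type": 3, "account": "FS01$", "src_ip": "10.0.5.99"},
    # benign: FS01 requests a ticket for the DC's service
    {"host": "DC01", "event_id": 4769, "account": "FS01$", "service": "DC01$", "src_ip": "10.0.5.10"},
    # coerced victim asking for a ticket for its own service
    {"host": "DC01", "event_id": 4769, "account": "FS01$", "service": "FS01$", "src_ip": "10.0.5.10"},
    # DNS audit: a normal record and a crafted one
    {"host": "DC01", "source": "dns_audit", "action": "record_created", "name": "printsrv2", "data": "10.0.5.40"},
    {"host": "DC01", "source": "dns_audit", "action": "record_created",
     "name": "fs01" + MARSHAL_PREFIX + "fs01BAAA", "data": "10.0.5.99"},
]


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, else None."""
    host = ev["host"].upper()

    # Signal 3: the host's own machine account logs on over the network from
    # somewhere that is not the host itself -> a relayed authentication landing.
    if ev.get("event_id") == 4624 and ev.get("logon_type") == 3:
        acct, src = ev["account"], ev["src_ip"]
        if (acct.upper() == host + "$"
                and src not in LOOPBACK
                and src not in HOST_ADDRS.get(host, set())):
            return f"{host}: own machine account {acct} logged on over the network from {src} (relay landing?)"

    # Signal 2: on the DC, a computer account requesting a ticket for its own service.
    if ev.get("event_id") == 4769:
        acct, svc = ev["account"].upper(), ev["service"].upper()
        if is_machine_account(acct) and acct == svc:
            return f"{host}: {acct} requested a service ticket for its own service from {ev['src_ip']}"

    # Signal 1: a new DNS record whose name is not a plausible hostname.
    if ev.get("source") == "dns_audit" and ev.get("action") == "record_created":
        name, label = ev["name"], ev["name"].split(".")[0]
        if MARSHAL_PREFIX in name:
            return f"{host}: DNS record {name} -> {ev['data']} carries marshaled target info"
        if len(label) > NETBIOS_MAX:
            return f"{host}: DNS record {name} -> {ev['data']} has a non-NetBIOS label ({len(label)} chars)"

    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run every event through check_event and keep the alerts, in input order."""
    return [alert for alert in (check_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The 4624 rule is the one with real teeth: a machine account logging on to its own host from a foreign address is the relayed session itself, whatever coercion and name trick got it there. Baseline the 4769 rule before alerting on it, and treat the DNS rule as an early-warning tripwire for ADIDNS abuse in general.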

🔧 Bonus Hardening

  • Block inbound SMB (TCP 445) on workstations with the host firewall and restrict who can reach it on servers; the relay has to come back in over 445. Where you can, disable the administrative shares (C$, ADMIN$) it writes to.

  • Restrict outbound SMB from servers, which rarely need to initiate SMB to workstations or to the internet; that is the coercion leg.

  • Audit DNS for hostnames that shouldn't resolve, and lock down dynamic updates so only the host owning a record can create or change it.

  • Consider ripping out legacy protocols like SMBv1 if you haven't already. (Seriously.)

🤡 A Final Note on the Absurd

Microsoft: “We fixed that in 2008.”

Hackers in 2025: “Cute. Watch this.”

🔥 Sources You Should Actually Read

  • Google Project Zero — 2021 Kerberos Relay

  • CVE-2025-33073 MSRC

  • RedTeam Pentesting Breakdown

  • Synacktiv Deep Dive

So yeah. Reflective Relay is back. And this time, it brought a Kerberos ticket.
