What happened?
Back in June 2025, Microsoft released a critical security update for a vulnerability in the Windows Server Message Block (SMB) client. This vulnerability, tracked as CVE-2025-330731, is rated 8.8 on the Common Vulnerability Scoring System (CVSS), and considered high severity as it affects all supported versions of Windows 10, Windows 11 (up to and including 24H2), and Windows Server.
The flaw allowed attackers to escalate privileges to SYSTEM-level by tricking a victim's device into connecting to a malicious SMB server configured by the attackers.
Despite the release of a patch four months ago, many systems still remain unprotected, with the Cybersecurity and Infrastructure Security Agency (CISA) now adding this vulnerability to their Known Exploited Vulnerabilities (KEV) Catalog; as such, Federal agencies have been given a strict deadline to patch this by 10 November 2025.
So what?
The root cause of this vulnerability is an improper access control issue in the SMB protocol; the attack vector typically involves coercing a Windows client to initiate a connection with an attacker-controlled server, usually by way of a specially crafted script or application. Once this connection has been established, the threat actor can trigger the exploit remotely, gaining elevated access (and through this, potentially full control) over the compromised device.
The vulnerability re-opens a class of attacks Microsoft has spent years mitigating; using a technique called NTLM relay bypass, this coerces a target into authenticating to a malicious SMB server and reflecting those credentials back for elevated access. On networks where SMB signing is disabled, the flaw becomes authenticated remote code execution as SYSTEM.
If a threat actor successfully gains SYSTEM-level access - the highest level of Windows privileges - this could enable them to bypass security controls, facilitating further deployment of malware, create new administrator accounts, or allowing them to move laterally across the network.
What should I do?
Recommendations to mitigate this threat include:
- Apply the latest Microsoft Patch - ensure all Windows 10, Windows 11, and Windows Server systems are updated with the June 2025 Patch Tuesday release, verifying patch compliance across your digital estate while prioritising any devices that can access networked resources.
- Restrict SMB access - considering limiting outbound SMB connections to trusted servers only, while segmenting internal networks to reduce the potential risk of lateral movement in the event of a compromise.
- Monitor for suspicious activity - network traffic logs should be regularly reviewed for any unusual outbound SMB traffic or signs of unauthorised connections or privilege escalation attempts.
- Continuous vulnerability management - regularly scan for missing patches and validate exploitability across your environment; it may be necessary to engage with specialist firms to conduct offensive security testing, ensuring potential attack vectors are identified and remediated promptly.
- User awareness - educate users on the risks of running unknown scripts or connecting to unfamiliar servers, and reinforce policies around safe network practices.
While ongoing vigilance and user education are cornerstones when it comes to bolstering security against evolving threats, immediate patching is the best method to protect against this specific vulnerability. In the event patches cannot be applied, network segmentation and hardening techniques should be employed to minimise the risk of a threat actor gaining a leverageable foothold.