Microsoft Windows SMB Client Flaw Could Let Hackers Gain Full System Control

Cybersecurity officials are sounding the alarm as CISA flags a critical Windows SMB client flaw that hackers are actively exploiting. The vulnerability, which allows attackers to gain system-level control, underscores the urgent need for organizations to patch their systems before it’s too late.

The Windows SMB (Server Message Block) client is a network protocol component in Windows that enables systems to communicate and share resources like files, printers, and serial ports over a network. It allows a Windows machine to connect to remote servers or devices that support SMB, which facilitates access to shared folders and services. The client plays a crucial role in enterprise environments but can also be a target for cyberattacks if vulnerabilities are present, especially when exposed to untrusted networks or misconfigured.

How do attackers exploit the Windows SMB client flaw?

CISA added this 8.8-rated vulnerability (tracked as CVE-2025-33073) to its Known Exploited Vulnerabilities (KEV) catalog on October 20. It affects Windows 11, Windows 10, and all supported versions of Windows Server.

Microsoft originally addressed the Windows SMB client vulnerability with the June 2025 Patch Tuesday updates. Attackers can trick a victim’s machine into connecting to a malicious SMB server, which then compromises the protocol and potentially elevates privileges within the enterprise network.

“The attacker could convince a victim to connect to an attacker-controlled malicious application (for example, SMB) server. Upon connecting, the malicious server could compromise the protocol,” Microsoft explained. “To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. This could result in elevation of privilege.”

Steps to mitigate risk and secure networks

CISA says that federal agencies are required to patch or remove affected systems by November 10 under Binding Operational Directive 22-01. Although the directive targets U.S. government entities, CISA urges all organizations to patch immediately due to active exploitation.

CISA recommends that the June 2025 security update should be fully deployed across all systems to patch the Windows SMB vulnerability. It’s also important to monitor network traffic for any unusual outbound SMB connections, which could indicate attempts to exploit the vulnerability or unauthorized access.

Additionally, administrators should restrict SMB access from untrusted or external networks to limit the potential attack surface, especially in environments where SMB is not required for external communication.