What the vulnerability does
01Description
Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
CVE-2025-33073
HIGH
CVE-2025-33073: Windows SMB Client Elevation of Privilege Vulnerability
CVSS base score
8.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CISA mandated remediation
02CISA Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Key dates
03Disclosure timeline
June 10, 2025
CVE published
February 26, 2026
Record updated
External resources
04References
NVD — National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2025-33073
CWE — Common Weakness Enumeration
https://cwe.mitre.org/data/definitions/284.html
CISA KEV Reference
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-202…
CISA KEV Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-33073
Related vulnerabilities
05Related CVE
CVE-2026-47182 Frappe: Broken Access Control on Private Files
CVE-2023-25149 TimescaleDB has incorrect access control
CVE-2023-28907 A lack of access restrictions on internal memory regions
CVE-2023-25150 Document content of files can be obtained through Collabora for files of other users
CVE-2023-48303 Nextcloud Server admins can change authentication details of user configured external storage
