CriticalPublic exploit

Windows SMB Server Relay-Based Elevation of Privilege

IdentifiersCVE-2025-55234CWE-287· Improper Authentication

CVE-2025-55234 is an elevation of privilege vulnerability in the Windows SMB Server. According to the provided content, the issue arises when the SMB Server is susceptible to relay attacks depending on configuration, specifically when key hardening measures such as SMB Server signing and Extended Protection for Authentication (EPA) are not enabled. Multiple sources in the content characterize the flaw as improper authentication handling or insufficient validation of the authentication context during SMB session establishment, allowing an attacker to relay authentication traffic against a target host. Microsoft released this CVE together with audit capabilities to help customers identify compatibility issues before enforcing SMB hardening measures.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker with network access to conduct SMB relay/replay-style attacks against a misconfigured SMB Server and cause elevation of privilege. The content indicates this can be used to gain additional privileges on the target host and may be chainable with other techniques for broader compromise, including lateral movement, strengthening NTLM relay operations, and potentially contributing to code execution or downstream Active Directory compromise in enterprise environments.

Mitigation

If you can’t patch tonight, do this now.

If immediate full remediation cannot be completed, assess exposure using the audit capabilities introduced by Microsoft in the September 2025 updates and prioritize systems where SMB signing and EPA are not enforced. Reduce attack surface by limiting network access to SMB services, especially from untrusted or less-trusted segments, and monitor for suspicious SMB relay/authentication activity. The content explicitly advises enabling SMB Server signing and/or SMB Server EPA as the primary hardening measures against these relay attacks.

Remediation

Patch, then assume compromise.

Apply Microsoft's September 2025 security updates associated with CVE-2025-55234 and adopt SMB Server hardening measures. The provided content specifically identifies SMB Server signing and SMB Server Extended Protection for Authentication (EPA) as the relevant protections. Microsoft also introduced audit capabilities in the September 2025 updates so administrators can assess their environment and identify device or software incompatibilities before enforcing these protections. Validate that affected SMB servers are patched and that signing/EPA are enabled where supported.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTALView more in app

CVE-2025-55234MaturityPoCVerified exploit

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-55234, a vulnerability in the SMB protocol on Windows systems that allows for relay attacks leading to elevation of privilege. The repository contains a README.md with a detailed explanation of the vulnerability, its impact, and a PowerShell script demonstrating the attack. The script enumerates SMB shares on a specified target IP, captures session information, and executes an SMB relay attack to impersonate users and gain elevated privileges. The exploit is intended for educational and defensive purposes, helping security professionals test and secure their environments. The only code present is in the README.md as a PowerShell snippet; there are no standalone scripts or binaries. The main fingerprintable endpoint is the target IP address (192.168.1.10) used in the example. The exploit is a PoC and not weaponized, requiring manual configuration and execution.

mrk336Disclosed Sep 13, 2025powershellnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows 10 1507operating_system

Microsoft CorporationWindows 10 1607operating_system

Microsoft CorporationWindows 10 1809operating_system

Microsoft CorporationWindows 10 21h2operating_system

Microsoft CorporationWindows 10 22h2operating_system

Microsoft CorporationWindows 11 22h2operating_system

Microsoft CorporationWindows 11 23h2operating_system

Microsoft CorporationWindows 11 24h2operating_system

Microsoft CorporationWindows Server 2008operating_system

Microsoft CorporationWindows Server 2008 R2operating_system

Microsoft CorporationWindows Server 2008 Sp2operating_system

Microsoft CorporationWindows Server 2012operating_system

Microsoft CorporationWindows Server 2012 R2operating_system

Microsoft CorporationWindows Server 2016operating_system

Microsoft CorporationWindows Server 2019operating_system

Microsoft CorporationWindows Server 2022operating_system

Microsoft CorporationWindows Server 2022 23h2operating_system

Microsoft CorporationWindows Server 2025operating_system

Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

25 SOURCESView more in app

breakglass intelNews

Mar 15, 2026

SalatStealer's New Trick: Using TON Blockchain DNS to Make C2 Takedowns Impossible - Breakglass Intelligence - Breakglass Intelligence

A CVE identifier referenced in a fake PoC repository used as a malware delivery lure for SalatStealer; the content gives no details about the actual vulnerability.

expel blogNews

Jan 14, 2026

Patch Tuesday: January 2026 (Expel’s version) | Expel

A Windows SMB elevation of privilege vulnerability reported as exploited.

securelistNews

Dec 23, 2025

Webrat, disguised as exploits, is spreading via GitHub repositories | Securelist

A CVE identifier used as a lure label for a malicious GitHub PoC repository associated with Webrat distribution; the article provides no details on the underlying flaw.

help net securityNews

Dec 23, 2025

Budding infosec pros and aspiring cyber crooks targeted with fake PoC exploits

An elevation of privilege flaw in Windows SMB server.

+6 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity14

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-55234

NVD

nvd.nist.gov/vuln/detail/CVE-2025-55234

MITRE CWE · CWE-287

Improper Authentication

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55234

vicarius.io

vicarius.io/vsociety/posts/cve-2025-55234-detection-script-smb-server-vulnerability-affecting-microsoft-systems

vicarius.io

vicarius.io/vsociety/posts/cve-2025-55234-mitigation-script-smb-server-vulnerability-affecting-microsoft-systems