
Patching required for exploited Windows vulnerability

Microsoft is once again facing a serious security threat. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about active attacks on a vulnerability in the Windows SMB client. 

This is a bug that affects millions of systems worldwide and is still being exploited despite a patch from Microsoft. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

CISA thus confirms that malicious actors are actively exploiting the flaw. The warning is part of a broader effort by the US government to encourage organizations to accelerate their patching policies and close critical security gaps before they lead to large-scale incidents.

Five new vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has added a total of five new vulnerabilities to the KEV catalog after confirming that they are being actively exploited by cybercriminals. The additions concern vulnerabilities in products from Apple, Kentico Xperience, Microsoft, and Oracle, which together affect a wide range of business environments.

Among these vulnerabilities is the serious flaw in the Microsoft Windows Server Message Block (SMB) client, registered as CVE-2025-33073, which is currently being actively exploited.

CISA warns that this vulnerability, with a CVSS score of 8.8, poses a high risk to organizations that have not yet updated their systems. The vulnerability affects the client side of the SMB protocol, an essential component used for file sharing and network access in virtually all Windows environments, reports The Register.

The flaw allows attackers to trick a Windows system into connecting to a malicious SMB server. Once that connection is established, the rest of the attack proceeds remotely and leaves the attacker with elevated privileges on the victim system.

According to CISA, the threat stems from the fact that many systems have still not been updated despite a patch released by Microsoft in June 2025. The agency has therefore mandated all federal government agencies to install the update by November 10, in accordance with Binding Operational Directive 22-01.

Private organizations are also strongly advised to check their patch status and, if immediate updating is not possible, to take temporary measures. These include restricting SMB traffic, segmenting internal networks, and monitoring unusual outgoing traffic.
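The last of those temporary measures, watching for unusual outgoing traffic, can be reduced to a simple check: internal hosts should not be opening SMB connections to addresses outside the organization. The following Python snippet is an added example (not from the article, CISA, or Microsoft) that scans firewall-style log lines for exactly that pattern; the log format, hostnames and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample export in a generic "key=value" firewall format (assumed format,
# not from any real product). Lines 2-3 and 5 are the ones a defender should notice.
SAMPLE_LOGS = """\
2025-11-03T09:12:01Z src=10.20.5.17 dst=10.20.5.2 dport=445 proto=tcp action=allow
2025-11-03T09:12:07Z src=10.20.5.17 dst=203.0.113.45 dport=445 proto=tcp action=allow
2025-11-03T09:12:09Z src=10.20.5.17 dst=203.0.113.45 dport=445 proto=tcp action=allow
2025-11-03T09:13:22Z src=10.20.7.3 dst=198.51.100.9 dport=443 proto=tcp action=allow
2025-11-03T09:14:40Z src=10.20.9.8 dst=192.0.2.77 dport=139 proto=tcp action=allow
2025-11-03T09:15:02Z src=10.20.9.8 dst=fe80::1 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)
SMB_PORTS = {445, 139}  # SMB over TCP directly, and SMB over NetBIOS session service

# Explicit "internal" ranges: RFC 1918, loopback, link-local and IPv6 ULA. Listed out
# rather than using ip.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(addr: str) -> bool:
    """True if the address falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> dict[str, set[str]]:
    """Map each internal source host to the external SMB servers it connected to."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) not in SMB_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            hits[m["src"]].add(m["dst"])
    return dict(hits)


if __name__ == "__main__":
    for host, servers in find_external_smb(SAMPLE_LOGS).items():
        print(f"{host} opened SMB to external server(s): {', '.join(sorted(servers))}")
```

Any hit is worth a look, since a client reaching an SMB server on the public internet is the precondition the article describes; in practice the internal list should be extended with the organization's own public ranges and known cloud file-share endpoints to avoid false positives.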