CVE-2025-55234
Published: 09 September 2025
Summary
CVE-2025-55234 is a high-severity Improper Authentication (CWE-287) vulnerability in the SMB Server component of Microsoft Windows (this entry lists Windows Server 2008 as the affected product). Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001). It ranks in the top 44.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): mandates configuring the SMB Server hardening measures, signing and EPA, which directly prevent relay when enforced rather than merely offered.
- SC-23 (Session Authenticity): requires session authenticity protections that defeat SMB relay by binding the authentication to the communications channel and the intended server, which is what SMB signing and EPA provide.
- Audit record generation: supports logging of SMB authentication events, so the audit capability shipped in the September 2025 security updates can be used to assess hardening compatibility and to detect clients that would still be exposed to relay.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables SMB relay: because the server does not bind the authentication to the session or to its own identity (CWE-287), an attacker who receives a victim's NTLM authentication can forward it to the SMB server and obtain a session with the victim's privileges on that host.
NVD Description
SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. The SMB Server already supports mechanisms for hardening against relay attacks:
- SMB Server signing
- SMB Server Extended Protection for Authentication (EPA)
Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks. If you have not already enabled SMB Server hardening measures, we advise customers to take the following actions to be protected from these relay attacks:
- Assess your environment by utilizing the audit capabilities that we are exposing in the September 2025 security updates. See Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing & SMB Server EPA.
- Adopt appropriate SMB Server hardening measures.
Deeper analysis
CVE-2025-55234 describes the Microsoft SMB Server being susceptible to relay attacks when it is not configured with the available hardening measures. The weakness is classified as CWE-287 (Improper Authentication) and affects Windows systems running the SMB Server service without SMB Server signing or SMB Server Extended Protection for Authentication (EPA) enforced. Published on September 9, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): network-reachable, low complexity, no privileges, but it requires user interaction, and a successful relay yields high confidentiality, integrity, and availability impact on the target.
An unauthenticated attacker on the network exploits this by getting a user to authenticate to an attacker-controlled endpoint, for example by clicking a link or opening a file that references a UNC path and so triggers an outbound SMB connection. The attacker does not need the user's password: it forwards the victim's NTLM challenge-response to the target SMB server in real time, and a server that neither requires signing nor validates the intended server name (EPA) accepts the relayed authentication as the victim. The attacker then holds a session with the victim's privileges on that host, which is the elevation of privilege the advisory refers to.
Microsoft is not shipping a code change to SMB Server's authentication behaviour for this CVE, since signing and EPA already exist; instead the September 2025 security updates add audit events so administrators can find clients and devices that would break before enforcement. Practitioners should install those updates, use the audit events described in "Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing & SMB Server EPA" to evaluate their environment, and then enable SMB Server signing and EPA to close the relay path. Additional resources include the MSRC update guide and Vicarius detection/mitigation scripts.
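The assess-then-enforce procedure that both the NVD text and the analysis above describe, as an added PowerShell example; it is not code from the advisory, from this page, or from Microsoft. It assumes the September 2025 update is installed so the SMB Server audit channel receives the new events, and it applies SMB Server EPA through the LanmanServer SmbServerNameHardeningLevel value, the registry setting behind the "Server SPN target name validation level" policy; treat that mapping as an assumption to verify against the Microsoft KB referenced above. The event IDs of the new audit events are deliberately not hard-coded.

```powershell
# Added example, not code from the advisory or from Microsoft.
# Assess-then-enforce workflow for CVE-2025-55234 on a Windows SMB server.
# Run in an elevated PowerShell session on the server being hardened.
# Assumptions (not stated on the page): the September 2025 security update is
# installed so SMB Server audit events are written; SMB Server EPA is applied
# through the LanmanServer SmbServerNameHardeningLevel value (the setting behind
# the "Server SPN target name validation level" policy). Confirm against the KB.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Current relay-relevant posture of the SMB server.
function Get-SmbRelayHardeningState {
    $cfg = Get-SmbServerConfiguration
    $spn = (Get-ItemProperty -Path $LanmanParams -Name 'SmbServerNameHardeningLevel' -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
    # 0 = off, 1 = accept SPN if the client provides one, 2 = required
    $level = if ($null -eq $spn) { 0 } else { [int]$spn }
    [pscustomobject]@{
        SigningOffered  = [bool]$cfg.EnableSecuritySignature    # server is willing to sign
        SigningRequired = [bool]$cfg.RequireSecuritySignature   # unsigned sessions are refused
        SpnValidation   = $level
        Hardened        = ([bool]$cfg.RequireSecuritySignature -and $level -eq 2)
    }
}

# Step 1 (assess): summarise what the SMB Server audit channel has recorded so
# incompatible clients can be found before enforcement. Event IDs are not
# hard-coded; map them using the Microsoft KB the advisory points to.
function Get-SmbServerAuditSummary {
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($group in ($events | Group-Object Id)) {
        [pscustomobject]@{
            EventId = $group.Name
            Count   = $group.Count
            Newest  = ($group.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Sample  = ($group.Group | Select-Object -First 1).Message
        }
    }
}

# Step 2 (enforce): turn on both hardening measures once the audit window is clean.
function Enable-SmbRelayHardening {
    # Required signing: a relayed session has no valid session key, so the
    # server rejects requests it cannot verify.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    # SPN target-name validation (EPA): the client binds its authentication to the
    # server name it meant to reach, so authentication relayed to another host fails.
    # The Server service re-reads this on restart; reboot if unsure it has applied.
    New-ItemProperty -Path $LanmanParams -Name 'SmbServerNameHardeningLevel' -PropertyType DWord -Value 2 -Force | Out-Null
    Get-SmbRelayHardeningState
}

Get-SmbRelayHardeningState
Get-SmbServerAuditSummary | Format-Table -AutoSize -Wrap
# Enable-SmbRelayHardening   # uncomment only after the audit data shows no incompatible clients
```

Run the first two calls over a representative period (days to weeks, covering printers, scanners, NAS appliances, and legacy clients), then inspect the grouped audit events; only when no client appears that would fail signing or SPN validation should the enforcement function be run, since required signing and level 2 validation refuse sessions from clients that cannot comply.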
Details
- CWE(s): CWE-287 (Improper Authentication)