CVE-2025-33071: 
vulnerability analysis and mitigation

CVE-2025-33071 is a critical remote code execution (RCE) vulnerability affecting the Windows Kerberos Key Distribution Center (KDC) proxy service (KPSSVC). The vulnerability was disclosed on June 10, 2025, and received a CVSSv3.1 score of 8.1 (HIGH). This security flaw specifically impacts Windows Servers that have been configured as a Kerberos KDC Proxy Protocol server, notably not affecting standard domain controller configurations (Rapid7 Blog, Wiz Database).

The vulnerability exists as a use-after-free condition in the Windows KDC Proxy Service that allows an unauthorized attacker to execute arbitrary code over a network. The flaw specifically involves a cryptographic protocol vulnerability that can be exploited by sending crafted applications to affected systems. Successful exploitation requires the attacker to win a race condition, though Microsoft has assessed this vulnerability as 'Exploitation More Likely'. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, Wiz Database).

If successfully exploited, this vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems through the KDC proxy service. The impact is particularly significant for servers configured as Kerberos KDC Proxy Protocol servers, as these systems are often exposed to untrusted networks to facilitate Kerberos requests without requiring direct TCP connections from clients to domain controllers (Rapid7 Blog).

Microsoft has released security updates to address this vulnerability as part of their June 2025 Patch Tuesday updates. Organizations are advised to prioritize patching systems that are configured as Kerberos KDC Proxy Protocol servers. Since the vulnerability specifically affects servers with this configuration, which is not enabled by default on domain controllers, organizations should identify affected systems and apply patches accordingly (Wiz Database).