Threat actors are once again proving that old vulnerabilities are their favorite weapon. A high‑severity flaw in Microsoft's Windows SMB client, patched during the June 2025 Patch Tuesday, is now being actively exploited in the wild.

The bug, tracked as CVE‑2025‑33073, impacts Windows 10, Windows 11 (up to version 24H2), and all supported versions of Windows Server. If left unpatched, attackers can exploit it to gain SYSTEM privileges, enabling lateral movement and deeper compromise of enterprise networks.

Although Microsoft's fix has been available for months, attackers are successfully targeting organizations that have not applied the update. This is a textbook case of why patching annually — or even every six months — is not enough.

Why Delayed Patching Is Dangerous

  • Attackers move fast. Once a patch is released, threat actors immediately reverse‑engineer it to understand the flaw and weaponize it. The longer you delay, the more time they have to automate and scale attacks.
  • Exploits spread quickly. Proof‑of‑concept code often appears within days of a patch release. While you wait for a quarterly or annual cycle, attackers have already industrialized the exploit.
  • Privilege escalation = bigger blast radius. Vulnerabilities like CVE‑2025‑33073 don't just compromise one endpoint — they give attackers SYSTEM‑level access, which can be leveraged to move laterally, harvest credentials, and compromise critical infrastructure.
  • Business continuity is at stake. Delayed patching doesn't just increase risk; it increases the potential cost of downtime, incident response, and reputational damage.

In short: patching delays turn known vulnerabilities into guaranteed entry points.

What a Solid Vulnerability Management Policy Should Include

A strong vulnerability management program goes beyond "apply patches when you can." It should include:

  • Roles and Responsibilities — Clear ownership across IT, security, and leadership.
  • Asset Inventory and Classification — Know what you have, where it lives, and how critical it is.
  • Vulnerability Identification (Scanning) — Continuous scanning of endpoints, servers, and cloud assets.
  • Vulnerability Assessment and Prioritization — Rank by severity, exploitability, and business impact.
  • Remediation and Mitigation — Apply patches quickly; use compensating controls when patching isn't possible.
  • Exceptions and Risk Acceptance — Document and formally approve exceptions.
  • Reporting and Metrics — Track time‑to‑patch, remediation rates, and exposure windows.
  • Policy Review and Compliance — Regularly update policies to align with evolving threats and regulations.

Final Thought

The exploitation of CVE‑2025‑33073 is a reminder that patching is not optional, and it's not occasional. Threat actors thrive on organizations that delay. A disciplined vulnerability management program is the difference between resilience and headlines.

👉 At Actionable Security, our vCISO Advisory services work with you to design and implement a vulnerability management policy that fits your business. From defining roles and responsibilities to building patch cadence discipline, we help you stay ahead of attackers — before they turn old bugs into new breaches.

#PatchTuesdayOrBust #PatchCadenceMatters

Originally published at https://actionablesec.com on October 22, 2025.