RedTeam Pentesting
redteam-pentesting.de
RedTeam Pentesting
@redteam-pentesting.de
Account for RedTeam Pentesting GmbH

Imprint: https://redteam-pentesting.de/imprint/
You can find the CTFTime event at

ctftime.org/event/2951
Haix-la-Chapelle 2025
Haix‑la‑Chapelle 2025 is an online Jeopardy-style CTF organized for the first time by Pwn‑la‑Chapelle and friends! It...
ctftime.org
November 19, 2025 at 8:11 AM
That's correct. We assumed that you are pulling security updates from Red Hat and therefore either rely on their handling of CVEs or follow the bug tracker or mailing lists yourselves. You can simply apply the fix that was published by Ghostscript earlier this year.
November 13, 2025 at 9:45 AM
Thanks for the hint! However, we think this is a systemic problem that should be fixed as close to the source as possible, especially since the upstream distribution is a commercial one and patches are available.
November 13, 2025 at 9:26 AM
Disclaimer: We did not discover this vulnerability (credits go to zhutyra🎉), we're just wondering why we can still exploit these vulnerabilities in pentests on patched systems 🤷

We received no response on the RHEL bug tracker:
bugzilla.redhat.com/show_bug.cgi...
2354947 – (CVE-2025-27835) CVE-2025-27835 Ghostscript: Buffer overflow when converting glyphs to unicode
bugzilla.redhat.com
November 13, 2025 at 8:59 AM
This is neither the first, nor the second time that we can't get distros to apply upstream fixes for publicly disclosed RCEs with POCs available in Ghostscript.

x.com/RedTeamPT/st...
RedTeam Pentesting on X: "🚨 Another month, another critical Ghostscript RCE, with patches rolling out rather slowly to some distros again 👻😱 #infosec #DeprecateUntrustedPostscript" / X
x.com
November 13, 2025 at 8:59 AM
Red Hat is aware, but they chose not to fix it. They also assigned a low CVSS score of 5.5 because it is supposed to be "only exploitable locally" even though many web apps process uploaded documents using Ghostscript:

access.redhat.com/security/cve...
access.redhat.com
November 13, 2025 at 8:59 AM
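Added example (not from the posts above and not RedTeam Pentesting's own material): if the web application's document handling goes through ImageMagick, which is the assumption made here since that is the most common way uploads end up in Ghostscript, the PostScript, EPS, PDF and XPS coders and the gs delegate can be switched off in ImageMagick's policy.xml. Uploads then never reach Ghostscript at all, regardless of whether the distro has backported the upstream fix. The first policymap shows a permissive policy; the second is the hardened one.

```xml
<!-- Constructed example policy.xml fragments (not the distro default) -->

<!-- Weak: every coder and delegate is allowed, so an uploaded .ps/.eps/.pdf
     handed to convert/magick is passed straight to gs. -->
<policymap>
  <policy domain="coder" rights="read|write" pattern="*" />
  <policy domain="delegate" rights="read|write" pattern="*" />
</policymap>

<!-- Hardened: deny every format that ImageMagick implements by calling
     Ghostscript, and deny the gs delegate itself as a second barrier. -->
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <policy domain="delegate" rights="none" pattern="gs" />
</policymap>
```

The file lives at /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml depending on the version. After editing, `identify -list policy` prints the effective policy so the denials can be confirmed; a quick functional check is to run `convert` on a harmless .eps and verify it is refused. Note that this only helps for the ImageMagick path: any code that invokes gs directly on uploaded files has to be found and fenced off separately.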
Check out our Impacket PR that adds SMB signing support (NTLM and Kerberos) to smbserver.py to allow Windows 11 clients that require signing by default to connect:

github.com/fortra/impac...
smbserver.py
August 19, 2025 at 7:02 AM
Another interesting tidbit was that the share path can contain environment variables, which are expanded by the host.

This could reveal system level variables, which could be interesting in some configurations.
August 19, 2025 at 7:02 AM
If you already own the computer account, and want to coerce a logged-in admin, you can use an S4U2self impersonation ticket for that user.

So if Defender prevents you from executing code on a computer with an admin, just let it snitch on the admin with a relayable NTLMv2-Hash🤯
August 19, 2025 at 7:02 AM
We then discovered that if Defender is not allowed to delete the file, it will try to re-connect with the account that triggered the coercion.

Where do the credentials come from? Well, if the same user is also interactively logged on, Defender will simply steal their token 🥷🏼
August 19, 2025 at 7:02 AM
By intentionally coercing a host to open a share with a virus (or an EICAR test file), Windows Defender re-connects with computer account credentials in order to quarantine/delete it 🦠😷
August 19, 2025 at 7:02 AM
In May 2025 Sergey Bureev (@TCross) released his research on coercion using MS-EVEN, which by itself only uses NULL authentication, as the service runs as network-restricted LOCAL SERVICE.

habr.com/ru/companies...
Attacks on the defense: Evilent, or yet another coerce
Hi! My name is Sergey Bureev (@TCross \ THunter HackTeam), I am a penetration tester and information security researcher. This post is about yet another coerce attack, which....
habr.com
August 19, 2025 at 7:02 AM
👀 We have also released a paper which really goes into the nitty-gritty for those who are interested 🕵️‍♀️:
www.redteam-pentesting.de/publications...

For those that only need a short overview, here's our advisory 🚨:
www.redteam-pentesting.de/advisories/r...
www.redteam-pentesting.de
June 11, 2025 at 8:04 AM
We are referencing CVE-2025-33073: Windows SMB Client Elevation of Privilege Vulnerability (when we sent the tweet, the title was not public yet)
June 11, 2025 at 5:43 AM
📰 We can recommend last week's blog post about Windows authentication coercion 🔑🔫 as preparation for the upcoming post:
blog.redteam-pentesting.de/2025/windows...
The Ultimate Guide to Windows Coercion Techniques in 2025
Windows authentication coercion often feels like a magic bullet against the average Active Directory. With any old low-privileged account, it usually allows us to gain full administrative access to al...
blog.redteam-pentesting.de
June 10, 2025 at 1:15 PM