CVE-2025-33053
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code by exploiting external control of file names or paths in Internet Shortcut Files. Attackers can deliver malicious shortcuts over networks to compromise systems. Affects Windows systems with WebDAV client functionality enabled.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Initial foothold for targeted attacks, credential harvesting, lateral movement within networks, and malware deployment.
If Mitigated
Limited impact with proper network segmentation, application whitelisting, and user awareness training preventing successful exploitation.
🎯 Exploit Status
Actively exploited by Stealth Falcon APT group; requires user interaction but has low technical barrier for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053
Restart Required: Yes
Instructions:
1. Apply latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify patch installation via Windows Update history.
🔧 Temporary Workarounds
Disable WebDAV client (platform: Windows)
Prevents exploitation by disabling the vulnerable WebDAV client functionality
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WebClient" /v Start /t REG_DWORD /d 4 /f
Block .url and .lnk files (platform: all)
Prevent delivery of malicious shortcut files via email or web
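The following is an added PowerShell example, not a script from the advisory or from Microsoft. It applies the "disable WebDAV client" workaround and checks that it actually took effect. The reg add command above only changes the service's Start value; a WebClient instance that is already running keeps running until it is stopped or the host reboots, so the example stops the service as well and records the original Start value for rollback. The backup file location is an assumption chosen for illustration.

```powershell
# Added example, not from the advisory: apply the WebDAV client workaround and verify it.
# Run from an elevated PowerShell session.

$ServiceName = 'WebClient'
$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient'
# Hypothetical location for remembering the original Start value (assumption, pick your own)
$BackupFile  = Join-Path $env:ProgramData 'WebClient-Start-backup.txt'

function Disable-WebDavClient {
    # Remember the original Start value so the change can be rolled back after patching
    $original = (Get-ItemProperty -Path $RegPath -Name Start).Start
    if (-not (Test-Path $BackupFile)) { Set-Content -Path $BackupFile -Value $original }

    # Start = 4 is SERVICE_DISABLED, the same change the reg add command makes
    Set-ItemProperty -Path $RegPath -Name Start -Value 4 -Type DWord

    # The registry change alone does not stop a running instance, so stop it explicitly
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force }
}

function Test-WebDavClientDisabled {
    # Mitigated is $true only when the service is disabled at boot AND not currently running
    $start   = (Get-ItemProperty -Path $RegPath -Name Start).Start
    $svc     = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')
    [pscustomobject]@{
        StartValue = $start
        Running    = $running
        Mitigated  = ($start -eq 4) -and (-not $running)
    }
}

function Restore-WebDavClient {
    # Rollback once the security update is installed: put the original Start value back
    if (Test-Path $BackupFile) {
        $original = [int](Get-Content -Path $BackupFile | Select-Object -First 1)
        Set-ItemProperty -Path $RegPath -Name Start -Value $original -Type DWord
    }
}

Disable-WebDavClient
Test-WebDavClientDisabled | Format-List
```

Set-Service -Name WebClient -StartupType Disabled is the cmdlet equivalent of the reg add line. Keep in mind that disabling WebClient also breaks legitimate WebDAV use on the host (mapped WebDAV drives, SharePoint "Open with Explorer"), which is why the example keeps a rollback path for after the update is installed.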
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized programs
- Use network segmentation to isolate systems and restrict lateral movement
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for missing security patches related to CVE-2025-33053
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify KB patch is installed via 'wmic qfe list' or Windows Update history
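As an added example (not from the advisory), the version and patch checks above combined into one PowerShell report. The page does not list the fixing KB numbers, so KB0000000 is a placeholder to replace with the number for the host's build from the Microsoft Security Update Guide entry linked above; Get-HotFix is the PowerShell equivalent of the 'wmic qfe list' check, and wmic is deprecated on recent Windows builds.

```powershell
# Added example, not from the advisory: gather what is needed to decide whether a host is patched.

$RequiredKb = 'KB0000000'   # placeholder, replace with the KB for this host's Windows version

function Get-Cve202533053PatchState {
    param([string]$Kb)

    # Build information from the registry; CurrentBuildNumber.UBR is the full build number
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $featureUpdate = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # Installed-update check; returns nothing when the KB is not present
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    # WebClient service state, so the workaround status is reported next to the patch state
    $svc   = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient' -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ProductName     = $cv.ProductName
        FeatureUpdate   = $featureUpdate
        Build           = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        RequiredKb      = $Kb
        KbInstalled     = [bool]$hotfix
        KbInstalledOn   = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        WebClientStart  = $start
        WebClientStatus = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }
    }
}

Get-Cve202533053PatchState -Kb $RequiredKb | Format-List
```

Two caveats when reading the output: cumulative updates supersede each other, so a host that received a later cumulative update is fixed even though the June KB itself is not listed, and the reliable test is comparing Build against the fixed build number on the MSRC page; and the ProductName registry value still reads "Windows 10" on Windows 11 hosts, so use the build number, not the name, to tell them apart.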
📡 Detection & Monitoring
Log Indicators:
- Unusual WebDAV client activity
- Creation of suspicious .url or .lnk files
- Process creation from shortcut files
Network Indicators:
- WebDAV connections to suspicious external IPs
- HTTP requests for .url files from untrusted sources
SIEM Query:
Process Creation where (CommandLine contains ".url" OR CommandLine contains ".lnk") AND ParentImage contains "explorer.exe"
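The SIEM logic above, as an added PowerShell example that is not part of the advisory, run over constructed process-creation records using Sysmon Event ID 1 field names. The sample events and the 198.51.100.23 address (RFC 5737 documentation range) are made up for illustration. The example also adds one refinement to the page's query: a shortcut opened from a WebDAV UNC path (the \\host@port\DavWWWRoot form the Windows mini-redirector uses) is the remote-delivery pattern this advisory describes and is rated higher than a shortcut opened from a local folder, which is usually a user double-clicking a normal shortcut.

```powershell
# Added example, not from the advisory: shortcut-launch detection over constructed Sysmon-style records.

# Constructed sample data; real input would come from the Sysmon Operational log (see note below)
$sampleEvents = @(
    [pscustomobject]@{ Time = '2025-06-10T09:14:02'; Image = 'C:\Windows\System32\notepad.exe'
        CommandLine = '"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\notes.txt'
        ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = '2025-06-10T09:20:11'; Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe ieframe.dll,OpenURL C:\Users\alice\Desktop\intranet.url'
        ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = '2025-06-10T09:31:47'; Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe ieframe.dll,OpenURL \\198.51.100.23@80\DavWWWRoot\docs\report.url'
        ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = '2025-06-10T09:40:05'; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c start C:\Temp\tool.lnk'
        ParentImage = 'C:\Windows\System32\cmd.exe' }
)

function Test-ShortcutLaunch {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $cmd = $Event.CommandLine
        # Page's rule: command line references a .url/.lnk file AND parent is explorer.exe
        $fromShortcut = $cmd -match '\.(url|lnk)\b'
        $fromExplorer = $Event.ParentImage -match 'explorer\.exe$'   # -match is case-insensitive
        if (-not ($fromShortcut -and $fromExplorer)) { return }

        # Refinement: \\host@port\... or DavWWWRoot in the path means the shortcut came over WebDAV
        $remote = $cmd -match '\\\\[^\\\s]+@\d+\\|DavWWWRoot'

        [pscustomobject]@{
            Time        = $Event.Time
            Image       = $Event.Image
            CommandLine = $cmd
            Severity    = if ($remote) { 'High' } else { 'Low' }
        }
    }
}

$sampleEvents | Test-ShortcutLaunch | Format-Table -AutoSize
```

On a live host, feed the filter from Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }, mapping the Image, CommandLine and ParentImage fields out of each event's XML into the same property names. The Low-severity hits are expected to be noisy on workstations; the High-severity ones, together with the WebClient service starting on hosts where it is normally idle, are the signal worth alerting on for this CVE.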
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
- https://therecord.media/microsoft-cisa-zero-day-turkish-defense-org
- https://www.bleepingcomputer.com/news/security/stealth-falcon-hackers-exploited-windows-webdav-zero-day-to-drop-malware/
- https://www.darkreading.com/vulnerabilities-threats/stealth-falcon-apt-exploits-microsoft-rce-zero-day-mideast
- https://www.theregister.com/2025/06/10/microsoft_patch_tuesday_june/
- https://www.vicarius.io/vsociety/posts/cve-2025-33053-detection-script-remote-code-execution-vulnerability-in-microsoft-webdav
- https://www.vicarius.io/vsociety/posts/cve-2025-33053-mitigation-script-remote-code-execution-vulnerability-in-microsoft-webdav
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33053