Microsoft Patch Tuesday Covers WebDAV Flaw Marked as ‘Already Exploited’
SecurityWeek
Microsoft on Tuesday pushed out patches for at least 66 security defects across the Windows ecosystem and called urgent attention to a WebDAV remote code execution bug that’s already been exploited in the wild.
The WebDAV (Web Distributed Authoring and Versioning) flaw, marked as ‘important’ with a CVSS score of 8.8/10, allows browser-based drive-by downloads if a target clicks on a rigged website.
“External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network,” Microsoft said in a barebones bulletin.
As is customary, Redmond has not disclosed who is abusing the CVE-2025-33053 software defect or whether exploitation is widespread. The company has not provided IOCs (indicators of compromise) or other telemetry to help defenders hunt for signs of infections.
Check Point Software, the company credited with reporting the bug, released a separate advisory warning that successful exploitation could allow ...
Copyright of this story solely belongs to SecurityWeek.