CVE-2025-33053

Windows WebDAV Remote Code Execution Zero-Day

Overview

CVE-2025-33053 is a zero-day remote code execution vulnerability in Windows Web Distributed Authoring and Versioning (WebDAV). It was actively exploited in the wild by the Stealth Falcon APT group and patched by Microsoft in June 2025.

This vulnerability allows remote attackers to execute arbitrary code on affected systems by tricking users into clicking on a specially crafted WebDAV URL.

Technical Details

Exploitation

The Stealth Falcon APT group exploited CVE-2025-33053 in the wild by tricking users into clicking a specially crafted WebDAV URL, which then executed arbitrary code on the victim's system.

This vulnerability was used in targeted attacks, allowing the APT group to gain a foothold on compromised systems and deploy additional malware or tools for espionage purposes.

Affected Systems

Patch Information

Microsoft released security updates for this vulnerability as part of the June 2025 Patch Tuesday. Users and administrators are strongly advised to apply the update immediately to prevent exploitation.

For systems that cannot be patched, Microsoft recommends disabling the WebDAV service if it is not required, and exercising caution when clicking on untrusted URLs.
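
The following PowerShell is an added example, not code from Microsoft or from this page, showing one way to audit and apply the workaround above. It assumes that "the WebDAV service" means the built-in Windows WebClient service; the `-Disable` switch is a parameter of this example script only.

```powershell
# Added example: audit, and optionally disable, the Windows WebDAV client.
# Assumption: "the WebDAV service" is the built-in WebClient service.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # without this switch the script only reports
)

$name = 'WebClient'
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"

if (-not $svc) {
    # Some installations do not ship the WebDAV redirector at all.
    Write-Output "$name service is not installed; nothing to disable."
    return
}

Write-Output ("Before: State={0} StartMode={1}" -f $svc.State, $svc.StartMode)

# A stopped service whose StartMode is 'Manual' can still be started on
# demand, so only StartMode 'Disabled' counts as mitigated.
if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') {
    Write-Output 'Already stopped and disabled.'
    return
}

if (-not $Disable) {
    Write-Warning "$name can still start. Re-run with -Disable from an elevated prompt."
    return
}

if ($PSCmdlet.ShouldProcess($name, 'Stop and disable service')) {
    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $name -StartupType Disabled

    # Re-read the service so the result is verified, not assumed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    Write-Output ("After:  State={0} StartMode={1}" -f $svc.State, $svc.StartMode)
    if ($svc.StartMode -ne 'Disabled') {
        throw "Failed to disable $name; check elevation and any policy that resets the startup type."
    }
}
```

Run without arguments it only reports the current state; `-WhatIf` together with `-Disable` previews the change without applying it.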

Mitigation

References