A critical zero-day vulnerability in Microsoft Windows, designated CVE-2025-33053, has been actively exploited by the advanced persistent threat (APT) group Stealth Falcon.
The flaw, which enables remote code execution (RCE) through manipulation of a process's working directory, was addressed by Microsoft in its June 2025 Patch Tuesday updates following responsible disclosure by Check Point Research (CPR). Below is a technical breakdown of the attack and its implications.
Discovery and Exploitation of CVE-2025-33053
In March 2025, CPR identified an attempted cyberattack targeting a Turkish defense company.
The attack leveraged a malicious .url file, likely delivered via spear-phishing emails, to exploit CVE-2025-33053.
This vulnerability allows attackers to manipulate the working directory of legitimate Windows tools, such as iediagcmd.exe, so that they execute malicious files hosted on an attacker-controlled WebDAV server.
The .url file, named TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url, redirected the execution of iediagcmd.exe to a malicious route.exe on a WebDAV server (summerartcamp[.]net@ssl@443\DavWWWRoot\OSYxaOjr).
By altering the working directory, the attacker ensured that Process.Start() resolved the malicious executable before the legitimate copy in system32.
This novel technique, the first known executable-based WebDAV attack of its kind, underscores Stealth Falcon's innovative approach to abusing system utilities.
Stealth Falcon, also known as FruityArmor, has been active since at least 2012, targeting government and defense sectors in the Middle East and Africa, including Turkey, Qatar, Egypt, and Yemen.
According to the Check Point report, the group is known for acquiring zero-day exploits and deploying sophisticated, custom-built payloads.
Their latest campaign introduces the Horus Agent, a custom implant built on the open-source Mythic C2 framework and named after the Egyptian falcon-headed god.
Infection Chain
- A phishing email delivers a malicious .url file, often inside a ZIP archive, disguised as a legitimate document.
- This file exploits CVE-2025-33053, manipulating iediagcmd.exe so that it runs a malicious route.exe from a WebDAV server.
- The attack deploys Horus Loader, a C++-based loader protected by Code Virtualizer, which evades detection through anti-analysis techniques such as manual mapping of kernel32.dll and ntdll.dll and scanning for 109 antivirus processes from 17 vendors.
- It distracts victims by decrypting and displaying a decoy PDF, such as TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.
- The loader uses IPfuscation to decode a payload from IPv6 addresses, injecting it into msedge.exe using ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtResumeThread.
- The Horus Agent, the final payload, employs custom OLLVM obfuscation with string encryption (shift cipher, -39) and control-flow flattening, along with API hashing to resolve imports dynamically.
- It communicates with command-and-control servers via AES-encrypted HTTP requests, authenticated with HMAC-SHA256, using up to four domains and a killswitch date of December 31, 2099.
- Supported commands include system enumeration (survey) and stealthy shellcode injection (shinjectchunked).
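Two of the obfuscation layers listed above are simple enough to reverse by hand during analysis. The following helpers, added here as an illustration and not taken from the Check Point report or from the malware, undo IPfuscation (16 raw bytes per IPv6 literal) and the -39 shift cipher on strings; the payload bytes and the decryption direction (subtracting the shift) are assumptions for the example.

```python
import ipaddress

SHIFT = 39  # the report describes a -39 shift cipher for Horus Agent strings


def ipv6_to_bytes(addrs):
    """Undo IPfuscation: each IPv6 literal carries 16 raw payload bytes."""
    out = bytearray()
    for addr in addrs:
        out += ipaddress.IPv6Address(addr).packed
    return bytes(out)


def bytes_to_ipv6(data):
    """Encoder used only to build the constructed sample; zero-pads to 16-byte blocks."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(ipaddress.IPv6Address(padded[i:i + 16])) for i in range(0, len(padded), 16)]


def shift_decrypt(blob, shift=SHIFT):
    """Assumed direction: the agent subtracts the shift from every byte at runtime."""
    return bytes((b - shift) % 256 for b in blob)


def shift_encrypt(text, shift=SHIFT):
    """Inverse of shift_decrypt, used here to produce sample ciphertext."""
    return bytes((b + shift) % 256 for b in text.encode())


if __name__ == "__main__":
    # Constructed sample payload; not a real Horus Loader artifact.
    payload = b"constructed sample payload bytes"
    addrs = bytes_to_ipv6(payload)
    print("IPfuscated form:", addrs)
    print("recovered bytes:", ipv6_to_bytes(addrs))
    enc = shift_encrypt("survey")
    print("shifted command name:", enc, "->", shift_decrypt(enc).decode())
```

Because the encoder zero-pads, an analyst recovering a real payload should trim trailing null bytes to the length the loader actually copies into msedge.exe.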
The attack employs a multi-stage infection chain involving Spayload, a C++ Mythic implant with advanced capabilities.
Stealth Falcon's toolkit also includes several previously undocumented tools for post-compromise operations.
The DC Credential Dumper targets the NTDS.dit, SAM, and SYSTEM files by mounting a virtual disk at C:\ProgramData\ds_notifier_0.vhdx with the DiscUtils library, then compressing the files into a ZIP archive named ds_notifier_2.vif for exfiltration.
The Passive Backdoor, usrprofscc.exe, is a C-based tool that runs as a service (UsrProfSCC) with administrative privileges, listening for AES-encrypted shellcode payloads.
The Custom Keylogger, StatusReport.dll, injects into dxdiag.exe and logs keystrokes to an RC4-encrypted file at C:\Windows\Temp\~TN%LogName%.tmp.
Mitigation and Recommendations
Microsoft's patch for CVE-2025-33053 is now available, and organizations are urged to apply it immediately. CPR recommends:
- Patching Systems: Update Windows to mitigate the WebDAV vulnerability.
- Phishing Awareness: Train employees to recognize spear-phishing emails with suspicious attachments or links.
- Network Monitoring: Watch for WebDAV-related traffic to domains such as summerartcamp[.]net or mystartupblog.com.
- Endpoint Protection: Deploy solutions that detect LOLBin abuse and unauthorized process injection.
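The network-monitoring recommendation can be turned into a concrete rule. The script below is an added example, not part of the CPR report: it scans a constructed proxy log for the two domains named in this article and for outbound traffic from the Windows WebDAV Mini-Redirector (which identifies itself with the Microsoft-WebDAV-MiniRedir user agent and uses WebDAV methods and DavWWWRoot paths) to hosts outside a constructed allowlist; the log format and the allowlist are assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed proxy log (not from the report): timestamp, client IP, method, URL, user agent.
SAMPLE_LOG = """\
2025-06-10T09:12:01Z 10.0.0.21 GET https://www.example.com/news "Mozilla/5.0"
2025-06-10T09:12:03Z 10.0.0.21 OPTIONS https://summerartcamp.net/DavWWWRoot/OSYxaOjr "Microsoft-WebDAV-MiniRedir/10.0.19041"
2025-06-10T09:12:04Z 10.0.0.21 PROPFIND https://summerartcamp.net/DavWWWRoot/OSYxaOjr "Microsoft-WebDAV-MiniRedir/10.0.19041"
2025-06-10T09:15:30Z 10.0.0.44 PROPFIND https://sharepoint.corp.example/sites/docs "Microsoft-WebDAV-MiniRedir/10.0.19041"
2025-06-10T09:16:02Z 10.0.0.51 GET https://mystartupblog.com/ "Mozilla/5.0"
2025-06-10T09:18:11Z 10.0.0.60 PROPFIND https://files.unknown-host.example/share "Microsoft-WebDAV-MiniRedir/10.0.19041"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
KNOWN_IOC_DOMAINS = {"summerartcamp.net", "mystartupblog.com"}  # domains named in the report
INTERNAL_WEBDAV = {"sharepoint.corp.example"}  # constructed allowlist of sanctioned WebDAV servers
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "OPTIONS", "MKCOL", "LOCK"}
Alert = namedtuple("Alert", "severity client host reason")

def looks_like_webdav(method, url, user_agent):
    """The Windows WebDAV Mini-Redirector names itself in the UA and browses DavWWWRoot paths."""
    return (method in WEBDAV_METHODS
            or user_agent.startswith("Microsoft-WebDAV-MiniRedir")
            or "/DavWWWRoot" in url)

def scan(log_text):
    """Return one alert per (severity, client, host) triple found in the log."""
    alerts, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, method, url, ua = m.groups()
        host = urlparse(url).hostname or ""
        if host in KNOWN_IOC_DOMAINS:
            alert = Alert("high", client, host, "contact with a domain tied to this campaign")
        elif looks_like_webdav(method, url, ua) and host not in INTERNAL_WEBDAV:
            alert = Alert("medium", client, host, "WebDAV client traffic to an unsanctioned external host")
        else:
            continue
        if alert[:3] not in seen:
            seen.add(alert[:3])
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.client} -> {a.host}: {a.reason}")
```

On the sample log this yields two high-severity alerts for the campaign domains and one medium alert for the unknown WebDAV host, while the sanctioned SharePoint traffic is left alone.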
The exploitation of CVE-2025-33053 by Stealth Falcon highlights the group's technical sophistication and its focus on high-value targets in the Middle East.
By combining zero-day exploits, custom implants, and evasive techniques, the group poses a significant threat to regional security. Organizations should prioritize patching and proactive monitoring to counter this evolving threat.