Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited: A Technical Analysis
Estimated reading time: 15 minutes
**Key Takeaways:**
* A critical zero-day vulnerability (CVE-2025-33053) in Microsoft Windows WebDAV allows for remote code execution (RCE).
* The vulnerability was actively exploited by the APT group Stealth Falcon, targeting government and defense sectors.
* Mitigation strategies include applying the Microsoft patch, conducting phishing awareness training, and implementing network monitoring.
* New threats targeting npm have emerged, highlighting the increasing risks associated with software supply chains.
* A critical RCE vulnerability (CVE-2025-49113) has been identified in Roundcube webmail, emphasizing the importance of prompt patching.
**Table of Contents:**
* [Unveiling the CVE-2025-33053 Vulnerability](#h-unveiling-the-cve-2025-33053-vulnerability)
* [Stealth Falcon and the Infection Chain](#h-stealth-falcon-and-the-infection-chain)
* [Post-Compromise Activities](#h-post-compromise-activities)
* [Mitigation Strategies](#h-mitigation-strategies)
* [New npm Threats and Supply Chain Risks](#h-new-npm-threats-and-supply-chain-risks)
* [Roundcube Webmail Vulnerability](#h-roundcube-webmail-vulnerability)
* [Actionable Advice](#h-actionable-advice)
* [Practical Takeaways](#h-practical-takeaways)
* [How PurpleOps Can Help](#h-how-purpleops-can-help)
* [FAQ](#h-faq)
Unveiling the CVE-2025-33053 Vulnerability
CVE-2025-33053 is a zero-day vulnerability that enables RCE through manipulation of a system’s working directory. The vulnerability was discovered and reported to Microsoft by CPR (Check Point Research) in March 2025, after they identified an attempted cyberattack targeting a Turkish defense company. Microsoft addressed the vulnerability in its June 2025 Patch Tuesday updates.
The attack vector involves a malicious .url file, often delivered via spear-phishing emails. This file exploits CVE-2025-33053 to redirect the execution of legitimate Windows tools, such as `iediagcmd.exe`, to malicious files hosted on an attacker-controlled WebDAV server. The .url file, named `TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf.url`, redirects the execution of `iediagcmd.exe` to a malicious `route.exe` file hosted on a WebDAV server.
By altering the working directory, the attacker ensures that the `Process.Start()` function prioritizes the malicious executable over the legitimate system32 version. This technique is notable as it represents a novel approach for executable-based WebDAV attacks.
Stealth Falcon and the Infection Chain
Stealth Falcon, also known as FruityArmor, has been active since at least 2012. This APT group is known for targeting government and defense sectors in the Middle East and Africa, including Turkey, Qatar, Egypt, and Yemen. Stealth Falcon is recognized for acquiring zero-day exploits and deploying sophisticated, custom-built payloads. Their latest campaign introduces the Horus Agent, a custom implant built on the open-source Mythic C2 framework.
The infection chain used in the exploitation of CVE-2025-33053 involves multiple stages:
1. **Phishing Email:** A phishing email delivers a malicious .url file, often within a ZIP archive, disguised as a legitimate document.
2. **Exploitation of CVE-2025-33053:** The .url file exploits CVE-2025-33053, manipulating `iediagcmd.exe` to run a harmful `route.exe` from a WebDAV server.
3. **Horus Loader Deployment:** The attack deploys Horus Loader, a C++-based loader protected by Code Virtualizer. This loader evades detection through anti-analysis techniques, such as manual mapping of `kernel32.dll` and `ntdll.dll`, and scanning for antivirus processes from various vendors.
4. **Decoy PDF Display:** The loader decrypts and displays a decoy PDF, such as `TLM.005_TELESKOPIK_MAST_HASAR_BILDIRIM_RAPORU.pdf`, to distract the victim.
5. **Payload Injection:** The loader uses IPfuscation to decode a payload from IPv6 addresses, injecting it into `msedge.exe` using `ZwAllocateVirtualMemory`, `ZwWriteVirtualMemory`, and `NtResumeThread`.
6. **Horus Agent Execution:** The Horus Agent, the final payload, employs custom OLLVM obfuscation with string encryption and control flow flattening, along with API hashing to resolve imports dynamically.
7. **Command and Control Communication:** The Horus Agent communicates with command-and-control servers via AES-encrypted HTTP requests, secured with HMAC-SHA256, using multiple domains and a killswitch date of December 31, 2099.
8. **Command Support:** Supported commands include system enumeration (survey) and stealthy shellcode injection (shinjectchunked).
Post-Compromise Activities
Following successful exploitation, Stealth Falcon employs several undocumented tools for post-compromise operations:
* **DC Credential Dumper:** This tool targets NTDS.dit, SAM, and SYSTEM files by accessing a virtual disk at `C:\ProgramData\ds_notifier_0.vhdx` using the DiscUtils library. It then compresses the files into a ZIP archive named `ds_notifier_2.vif` for exfiltration.
* **Passive Backdoor:** The `usrprofscc.exe` tool operates as a service (UsrProfSCC) with admin privileges, listening for AES-encrypted shellcode payloads.
* **Custom Keylogger:** The `StatusReport.dll` tool injects into `dxdiag.exe`, logging keystrokes to an RC4-encrypted file at `C:\Windows\Temp\~TN%LogName%.tmp`.
Mitigation Strategies
Microsoft has released a patch for CVE-2025-33053, and organizations are urged to apply it immediately. In addition to patching, the following measures can enhance security:
* **Update Systems:** Ensure all Windows systems are updated to the latest version to mitigate the WebDAV vulnerability.
* **Phishing Awareness Training:** Conduct regular training sessions to educate staff on recognizing spear-phishing emails with suspicious attachments or links.
* **Network Monitoring:** Implement network monitoring solutions to detect WebDAV-related traffic to domains associated with malicious activity, such as `summerartcamp[.]net` or `mystartupblog.com`.
* **Endpoint Security Solutions:** Deploy endpoint security solutions capable of detecting LOLBin (Living Off The Land Binaries) abuse and unauthorized process injections.
New npm Threats and Supply Chain Risks
In related news, new threats targeting npm (Node Package Manager) have emerged, demonstrating the increasing risks associated with software supply chains. Two packages, in particular, have been identified as malicious: one that executes a destructive `rm-rf*` command upon receiving a specific request, and another that masquerades as a system monitoring tool while secretly exfiltrating data and providing system-wiping capabilities.
These threats highlight the importance of supply-chain risk monitoring and employing underground forum intelligence to identify and mitigate potential risks. Organizations should consider implementing comprehensive security measures to verify the integrity of third-party components and dependencies.
Roundcube Webmail Vulnerability
A critical remote code execution vulnerability, CVE-2025-49113, has been identified in Roundcube webmail versions 1.1.0 through 1.6.10. This flaw arises from inadequate sanitization of a parameter in Roundcube’s image upload feature for managing sender identities. An authenticated attacker can craft a malicious URL with a specially formatted “\_from” payload, exploiting PHP’s object reconstruction process to execute arbitrary code.
To mitigate this threat, organizations need to upgrade to versions 1.6.11 or 1.5.10. Given that attackers have been observed reverse-engineering patches and weaponizing vulnerabilities within short timeframes, prompt patching is critical.
Actionable Advice
**For Technical Readers:**
* **Implement Real-time Ransomware Intelligence:** Use real-time ransomware intelligence feeds to identify and block known malicious domains and IP addresses.
* **Deploy Breach Detection Systems:** Implement breach detection systems that can identify unauthorized access attempts and unusual network activity.
* **Utilize Dark Web Monitoring Service:** Employ a dark web monitoring service to monitor for leaked credentials and other sensitive information related to your organization.
* **Leverage Live Ransomware API:** Integrate a live ransomware API into your security infrastructure for up-to-date information on ransomware threats.
* **Enhance Telegram Threat Monitoring:** Monitor Telegram channels for discussions related to ransomware attacks and data leaks.
**For Non-Technical Readers:**
* **Prioritize Employee Training:** Invest in comprehensive cybersecurity training for employees to educate them about phishing and other social engineering tactics.
* **Establish Incident Response Plan:** Develop and regularly update an incident response plan to ensure a swift and effective response to any potential security incidents.
* **Implement Multi-Factor Authentication (MFA):** Enforce the use of MFA for all critical systems and accounts to reduce the risk of unauthorized access.
* **Conduct Regular Security Audits:** Perform regular security audits to identify and address potential vulnerabilities in your organization’s IT infrastructure.
* **Review Brand Leak Alerting:** Utilize brand leak alerting services to detect and respond to unauthorized use of your company’s branding.
Practical Takeaways
1. **Patch Management is Critical:** The exploitation of CVE-2025-33053 and CVE-2025-49113 underscores the importance of timely patch management. Organizations should prioritize patching systems to mitigate known vulnerabilities.
2. **Threat Intelligence is Essential:** Monitoring threat intelligence feeds, underground forums, and the dark web can provide early warnings of potential attacks.
3. **Defense-in-Depth Approach:** Implementing a layered security approach, including phishing awareness training, network monitoring, and endpoint security solutions, is crucial for protecting against sophisticated threats.
4. **Supply Chain Security Matters:** Verifying the integrity of third-party components and dependencies is essential to prevent supply chain attacks.
How PurpleOps Can Help
PurpleOps offers a comprehensive cyber threat intelligence platform that can help organizations proactively defend against emerging threats. Our services include:
* **Cyber Threat Intelligence Platform:** Provides actionable insights into the latest threats and vulnerabilities.
* **Real-Time Ransomware Intelligence:** Delivers up-to-date information on ransomware threats, enabling organizations to block known malicious domains and IP addresses.
* **Dark Web Monitoring Service:** Monitors the dark web for leaked credentials and other sensitive information.
* **Telegram Threat Monitoring:** Monitors Telegram channels for discussions related to cyber threats.
* **Supply-Chain Risk Monitoring:** Assesses and monitors the risks associated with third-party vendors and software components.
* **Underground Forum Intelligence:** Gathers intelligence from underground forums to identify potential threats and vulnerabilities.
* **Brand Leak Alerting:** Detects and alerts organizations to unauthorized use of their brand assets.
By leveraging PurpleOps’ services, organizations can enhance their security posture and mitigate the risks associated with advanced cyber threats like CVE-2025-33053 and other emerging vulnerabilities.
To learn more about how PurpleOps can help protect your organization, please explore our platform and PurpleOps Solutions or PurpleOps Solutions for more information.
FAQ
**Q: What is CVE-2025-33053?**
A: CVE-2025-33053 is a zero-day vulnerability in Microsoft Windows WebDAV that allows for remote code execution (RCE).
**Q: Who is Stealth Falcon?**
A: Stealth Falcon, also known as FruityArmor, is an APT group known for targeting government and defense sectors in the Middle East and Africa.
**Q: What can I do to protect my systems from this vulnerability?**
A: Apply the Microsoft patch for CVE-2025-33053, conduct phishing awareness training, and implement network monitoring and endpoint security solutions.
**Q: What is CVE-2025-49113?**
A: CVE-2025-49113 is a critical remote code execution vulnerability identified in Roundcube webmail versions 1.1.0 through 1.6.10.
**Q: How can PurpleOps help protect my organization?**
A: PurpleOps offers a comprehensive cyber threat intelligence platform that provides actionable insights into the latest threats and vulnerabilities, including real-time ransomware intelligence, dark web monitoring, and supply-chain risk monitoring.