
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-33053 is a remote code execution vulnerability in Microsoft's Web Distributed Authoring and Versioning (WebDAV) protocol that allows unauthorized attackers to execute code over a network. The vulnerability was discovered in March 2025 by Check Point Research during an investigation of an attempted cyberattack against a Turkish defense organization. The flaw affects Windows systems and has a CVSS score of 8.8 (HIGH). Microsoft released a patch for this vulnerability on June 10, 2025, as part of its June Patch Tuesday updates (Microsoft Patch, Check Point Research).
The vulnerability stems from improper handling of the working directory by certain legitimate system executables. When a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one. The attack begins when a victim clicks on a specially crafted URL file disguised as a PDF document. The exploit manipulates the Windows file execution search order, causing legitimate Windows utilities to execute malicious programs hosted on attacker-controlled remote servers (Bleeping Computer, Dark Reading).
The vulnerability allows attackers to execute arbitrary code remotely without dropping malicious files locally, making their operations stealthy and evasive. When successfully exploited, it enables attackers to deploy custom spyware, including a new implant called Horus Agent, which can perform system fingerprinting, execute commands, inject shellcode, and conduct file operations. The impact is particularly severe for government and defense organizations in the Middle East region (The Record).
Microsoft has released security updates to address this vulnerability as part of the June 2025 Patch Tuesday. Due to the severity of the vulnerability, Microsoft has taken the extraordinary step of producing patches for platforms that are officially out of support, including Windows 8 and Windows Server 2012. Organizations are strongly advised to apply these patches immediately. If upgrading is not immediately possible, it is recommended to block or closely monitor WebDAV traffic for suspicious outbound connections to unknown endpoints (The Register).
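As a host-side complement to the network monitoring above, the following added example (not part of the original report or any vendor tooling) triages `.url` shortcut files and flags any whose WorkingDirectory points at a remote UNC or WebDAV path, which is the pattern the vulnerability relies on. The function names, sample host, and sample tool path are hypothetical placeholders.

```python
import configparser
import re
from pathlib import Path

# UNC path, including the WebDAV forms \\host@SSL\..., \\host@8080\..., \\host@SSL@443\...
REMOTE_DIR = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/@]+)(?P<dav>(?:@SSL)?(?:@\d+)?)[\\/]", re.I)

def inspect_url_shortcut(text):
    """Return a finding dict if a .url file's WorkingDirectory is remote, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None  # not a parseable shortcut
    # Section names are case-sensitive in configparser; option names are lowercased.
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        return None
    workdir = cp[section].get("workingdirectory", "").strip().strip('"')
    match = REMOTE_DIR.match(workdir)
    if match is None:
        return None
    return {
        "host": match.group("host"),
        "webdav": bool(match.group("dav")) or "davwwwroot" in workdir.lower(),
        "working_directory": workdir,
        "target": cp[section].get("url", "").strip(),
    }

def scan_tree(root):
    """Yield (path, finding) for every suspicious .url file under root."""
    for path in Path(root).rglob("*.url"):
        finding = inspect_url_shortcut(path.read_text(encoding="utf-8", errors="replace"))
        if finding:
            yield path, finding

# Constructed samples: host, tool name and paths are placeholders, not from the reports.
SAMPLE_REMOTE = r"""[InternetShortcut]
URL=C:\Windows\System32\example-tool.exe
WorkingDirectory=\\files.example.test@SSL@443\DavWWWRoot\docs
"""
SAMPLE_LOCAL = r"""[InternetShortcut]
URL=https://example.test/
WorkingDirectory=C:\Users\Public
"""

if __name__ == "__main__":
    print(inspect_url_shortcut(SAMPLE_REMOTE))
    print(inspect_url_shortcut(SAMPLE_LOCAL))
```

Run `scan_tree` over mail attachment quarantine, download folders, or extracted archives; a hit with `webdav` set and a local executable as `target` warrants investigation.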
The cybersecurity community has expressed significant concern about this vulnerability, particularly due to its active exploitation by a sophisticated APT group. Microsoft's decision to patch out-of-support systems has been noted as an indication of the severity of the threat. The vulnerability has gained additional attention as it was added to CISA's Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by July 1, 2025 (The Record).
Source: This report was generated using AI