PT-2025-24329 · Webdav +1
Alexandra Gofman +1 · Published 2025-01-30 · Updated 2025-11-30 · CVE-2025-33053
CVSS v2.0: 9.0 (High)
Base vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft Windows (affected versions not specified)
Description
A remote code execution vulnerability exists in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft Windows. This flaw allows an attacker to execute arbitrary code by exploiting improper handling of file names or paths, specifically through specially crafted .url files. The vulnerability, tracked as CVE-2025-33053, has been actively exploited in the wild since March 2025 by the Stealth Falcon APT group, targeting defense and government organizations in the Middle East and Africa. The attack involves manipulating the working directory of legitimate Windows tools, such as iediagcmd.exe, to execute malicious code from an actor-controlled WebDAV server. The Stealth Falcon group has used this vulnerability to deploy custom malware, including Horus Agent and Horus Loader. The vulnerability is triggered when a user clicks on a malicious URL. Approximately 80% of devices worldwide may be affected.
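A triage check for the .url technique described above, added here as an example and not taken from the advisory or any vendor tooling: it flags Internet Shortcut files whose working directory points at a remote location. The `WorkingDirectory` key name is not stated on this page, and the remote-path heuristics, finding labels and sample files are assumptions constructed for illustration.

```python
import re

# Assumption: a working directory counts as remote if it is a UNC path or a URL.
REMOTE_DIR = re.compile(r"^(\\\\|//|https?://)", re.I)
# Assumption: these extensions mark a shortcut target that runs a local program.
LOCAL_EXE = re.compile(r"^(file:///)?[a-z]:[\\/].*\.(exe|com|cpl|scr)$", re.I)

def parse_url_shortcut(text):
    """Return the keys of the [InternetShortcut] section, names lower-cased."""
    keys, in_section = {}, False
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            name, value = line.split("=", 1)
            keys[name.strip().lower()] = value.strip()
    return keys

def triage(text):
    """Return a list of finding labels for one .url file's contents."""
    keys = parse_url_shortcut(text)
    target = keys.get("url", "")
    workdir = keys.get("workingdirectory", "")
    findings = []
    if workdir and REMOTE_DIR.match(workdir):
        findings.append("remote-working-directory")
        if LOCAL_EXE.match(target):
            # A local tool started from a remote directory is the pattern
            # the description attributes to this vulnerability.
            findings.append("local-executable-with-remote-working-directory")
    elif LOCAL_EXE.match(target):
        findings.append("local-executable-target")
    return findings

# Constructed samples (hypothetical host, share and tool names).
SUSPICIOUS = r"""[InternetShortcut]
URL=C:\Tools\signed-tool.exe
WorkingDirectory=\\dav.example.invalid\share
"""
BENIGN = "[InternetShortcut]\nURL=https://example.com/docs\n"
LOCAL_ONLY = "[InternetShortcut]\nURL=C:\\Tools\\signed-tool.exe\nWorkingDirectory=C:\\Tools\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN), ("local", LOCAL_ONLY)):
        print(name, triage(sample))
```

Run it over .url attachments at the mail gateway or over user profile folders during a hunt; a hit is a lead to investigate, not proof of exploitation.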
Recommendations
Apply the patches provided by Microsoft for CVE-2025-33053.
Exploit · Fix · RCE · Improper Access Control
Related Identifiers
BDU:2025-06673
BDU:2025-06677
CVE-2025-33053
Affected Products
Webdav
Windows
References
- https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept · Exploit
- https://vicarius.io/vsociety/posts/cve-2025-33053-detection-script-remote-code-execution-vulnerability-in-microsoft-webdav · Exploit
- https://vicarius.io/vsociety/posts/cve-2025-33053-mitigation-script-remote-code-execution-vulnerability-in-microsoft-webdav · Exploit
- https://research.checkpoint.com/2025/stealth-falcon-zero-day · Exploit
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33053 · Vendor Advisory
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 · Vendor Advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-06677 · Security Note
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-33053 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-33053 · Security Note
- https://safe-surf.ru/specialists/bulletins-nkcki/721766 · Security Note
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-06673 · Security Note
- https://github.com/DiscUtils/DiscUtils · Note
- https://github.com/MythicC2Profiles/httpx · Note