PT-2025-24329 · Webdav +1
Alexandra Gofman +1 · Published 2025-01-30 · Updated 2026-01-12
CVE-2025-33053
CVSS v2.0: 10 (High)
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Microsoft Windows versions prior to July 2025 Patch Tuesday
Description
A remote code execution vulnerability, tracked as CVE-2025-33053, exists in the Web Distributed Authoring and Versioning (WebDAV) component of Microsoft Windows. A weakness in how the system handles file paths when opening specially crafted .url files allows remote attackers to execute arbitrary code. The attack uses a malicious .url file that leverages a legitimate Windows tool to execute malware from an actor-controlled WebDAV server. The Stealth Falcon APT group has been actively exploiting this vulnerability in the wild since March 2025, targeting defense and government organizations in the Middle East and Africa. The vulnerability has been used to deploy custom malware, including Horus Agent and Horus Loader.
Recommendations
Apply the Microsoft security updates released as part of the July 2025 Patch Tuesday.
Exploit · Fix · RCE · Improper Access Control
Related Identifiers
BDU:2025-06673
BDU:2025-06677
CVE-2025-33053
Affected Products
Webdav
Windows
References
- https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept · Exploit
- https://vicarius.io/vsociety/posts/cve-2025-33053-mitigation-script-remote-code-execution-vulnerability-in-microsoft-webdav · Exploit
- https://research.checkpoint.com/2025/stealth-falcon-zero-day · Exploit
- https://vicarius.io/vsociety/posts/cve-2025-33053-detection-script-remote-code-execution-vulnerability-in-microsoft-webdav · Exploit
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-33053 · Security Note
- https://bdu.fstec.ru/vul/2025-06677 · Security Note
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 · Vendor Advisory
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33053 · Vendor Advisory
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-06673 · Security Note
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073 · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-33053 · Security Note
- https://safe-surf.ru/specialists/bulletins-nkcki/721766 · Security Note
- https://github.com/DiscUtils/DiscUtils · Note
- https://github.com/MythicC2Profiles/httpx · Note