Full Report
A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory. Attackers leveraged a previously unknown method to run files from a WebDAV server by altering the working directory of a […] The post CVE-2025-33053 Exploitation: A Critical WebDAV Zero-Day RCE Vulnerability Actively Weaponized by Stealth Falcon APT Group appeared first on SOC Prime.
Analysis Summary
# Incident Report: Active Exploitation of WebDAV RCE Zero-Day (CVE-2025-33053) by Stealth Falcon APT
## Executive Summary
The Stealth Falcon APT group actively exploited CVE-2025-33053, a critical zero-day Remote Code Execution (RCE) flaw in Microsoft Windows' handling of WebDAV, as a zero-day. The campaign targeted high-value organizations, particularly across the Middle East, using the flaw for initial access followed by sophisticated post-exploitation activity. Once exploitation was detected, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, triggering immediate patching directives.
## Incident Details
- **Discovery Date:** June 10, 2025 (the date Microsoft released the patch; exploitation was already under way, implying prior external awareness or disclosure).
- **Incident Date:** Exploitation was ongoing before the June 11, 2025 disclosure.
- **Affected Organization:** Unspecified, but targets were high-value organizations across the Middle East.
- **Sector:** Various sectors utilizing enterprise environments with WebDAV file sharing.
- **Geography:** Middle East focus identified for APT activity.
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to June 10, 2025.
- **Vector:** Exploitation of the zero-day RCE vulnerability, CVE-2025-33053, in WebDAV services.
- **Details:** Attackers leveraged this RCE flaw to gain initial unauthorized access to affected systems.
### Lateral Movement
- **Date/Time:** Post-Initial Access (Implied)
- **Vector:** Not explicitly detailed, but the threat actor is known for "sophisticated post-exploitation capabilities."
### Data Exfiltration/Impact
- **Date/Time:** Post-Exploitation (Implied)
- **Impact:** Compromise of targeted high-value organizations. The objective was likely theft of sensitive data or maintenance of persistent access, as is characteristic of APT operations.
### Detection & Response
- **Date/Time:** June 10, 2025.
- **Discovery:** Awareness of active exploitation led to simultaneous vendor patching and government advisories.
- **Response actions taken:** Microsoft released a patch (June 10, 2025). CISA added CVE-2025-33053 to its KEV catalog, mandating FCEB agencies patch by July 1, 2025.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2025-33053 (WebDAV Zero-Day RCE).
- **Persistence:** Sophisticated post-exploitation capabilities were deployed (Details not specified).
- **Privilege Escalation:** Not specified, but likely necessary given APT operational patterns.
- **Defense Evasion:** Implied, as the activity was attributed to a sophisticated APT group (Stealth Falcon).
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified, but capabilities were deployed post-exploitation.
- **Collection:** Not specified.
- **Exfiltration:** Not specified.
- **Impact:** Remote Code Execution leading to deep compromise of enterprise environments.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Undisclosed, but the compromise targets high-value organizations.
- **Operational:** Significant risk due to RCE in widely used WebDAV services for file sharing.
- **Reputational:** High risk for affected organizations due to sophisticated APT targeting.
## Indicators of Compromise
- **Network indicators:** No specific indicators published; the report advises monitoring WebDAV traffic to suspicious domains.
- **File indicators:** Not specified.
- **Behavioral indicators:** No specific indicators published; the report advises detecting LOLBin abuse and unauthorized process injection.
## Response Actions
- **Containment measures:** Not explicitly detailed, but the primary response is patching.
- **Eradication steps:** Not explicitly detailed.
- **Recovery actions:** Updating Windows systems to the latest fixed version.
## Lessons Learned
- **Key takeaways:** Zero-day vulnerabilities in ubiquitous services like WebDAV pose a critical, immediate threat, especially when targeted by advanced persistent threat groups like Stealth Falcon. The speed of exploitation highlights the 'breakout' potential of RCE flaws.
- **What could have been done better:** Proactive defense against zero-days requires robust monitoring for anomalous activity, especially regarding LOLBin abuse and process injection, even before patches are available.
## Recommendations
- Immediately update all Windows systems to the latest fixed version addressing CVE-2025-33053.
- Enhance monitoring of WebDAV traffic, specifically looking for connections to suspicious or newly registered domains.
- Implement security measures designed to detect LOLBin abuse and unauthorized process injection techniques.
- Train staff to recognize and report spear-phishing attempts, as this remains a common initial vector when high-profile zero-days are involved.
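The exploit described in this report runs files from a WebDAV server by manipulating a process's working directory, so one behavioral check a defender can add is to flag process-creation events whose working directory or image path sits on a WebDAV share. The script below is an added example, not from the original SOC Prime report; it assumes Sysmon-style event fields (`Image`, `CurrentDirectory`, `CommandLine`), the `\\host\DavWWWRoot\` UNC naming that the Windows WebDAV client uses (confirm against local telemetry), and a constructed LOLBin watch-list and constructed sample events.

```python
import re
from dataclasses import dataclass

# UNC form the Windows WebDAV client (Mini-Redirector) gives WebDAV shares:
# \\host\DavWWWRoot\... or \\host@SSL\DavWWWRoot\... (assumption: check locally).
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+\\DavWWWRoot(?:\\|$)", re.IGNORECASE)

# Constructed watch-list of commonly abused signed Windows binaries (LOLBins);
# the report names no specific binary, so this list is an assumption.
LOLBINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe"}


@dataclass
class Finding:
    event_id: int
    severity: str
    reason: str


def is_webdav_path(path: str) -> bool:
    """True if path is a UNC path under a WebDAV (DavWWWRoot) share."""
    return bool(WEBDAV_UNC.match(path))


def analyse(events):
    """Score process-creation events for WebDAV-backed execution."""
    findings = []
    for ev in events:
        name = ev["Image"].rsplit("\\", 1)[-1].lower()
        cwd_dav = is_webdav_path(ev["CurrentDirectory"])
        if is_webdav_path(ev["Image"]):
            findings.append(Finding(ev["id"], "high", "executable loaded from WebDAV share"))
        elif cwd_dav and name in LOLBINS:
            findings.append(Finding(ev["id"], "high", f"LOLBin {name} started with WebDAV working directory"))
        elif cwd_dav:
            findings.append(Finding(ev["id"], "medium", "process started with WebDAV working directory"))
    return findings


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe", "CurrentDirectory": r"C:\Users\alice\Documents", "CommandLine": "notepad.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\rundll32.exe", "CurrentDirectory": r"\\203.0.113.10@80\DavWWWRoot\share", "CommandLine": "rundll32.exe"},
    {"id": 3, "Image": r"\\files.example.net@SSL\DavWWWRoot\tools\update.exe", "CurrentDirectory": r"C:\Users\bob", "CommandLine": "update.exe"},
    {"id": 4, "Image": r"C:\Program Files\App\app.exe", "CurrentDirectory": r"\\fileserver\share", "CommandLine": "app.exe"},  # SMB, not WebDAV
    {"id": 5, "Image": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"\\dav.example.org\DavWWWRoot", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"event {f.event_id}: [{f.severity}] {f.reason}")
```

Events 2, 3 and 5 are flagged; the ordinary SMB share in event 4 is deliberately left alone so the check stays focused on WebDAV paths.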