Full Report
Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WEBDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation
Analysis Summary
# Vulnerability: Zero-Day RCE in Microsoft WEBDAV Actively Exploited by Stealth Falcon
## CVE Details
- CVE ID: CVE-2025-33053
- CVSS Score: 8.8 (Critical)
- CWE: Not explicitly listed, but relates to Remote Code Execution via crafted URL/file manipulation.
## Affected Systems
- Products: Microsoft Web Distributed Authoring and Versioning (WEBDAV) component (Specific affected OS/versions not detailed in the summary, but associated with Windows environments supporting WEBDAV).
- Versions: Not explicitly listed.
- Configurations: In environments where the WEBDAV service is active and subject to user interaction via crafted URLs.
## Vulnerability Description
CVE-2025-33053 is a zero-day Remote Code Execution (RCE) vulnerability within the WEBDAV standard implementation on Windows systems. The vulnerability allows an attacker to achieve Remote Code Execution by persuading a user to interact with a specially crafted URL (leveraging a `.url` file shortcut). The attack vector observed leverages this file to execute `iediagcmd.exe` (a legitimate Internet Explorer diagnostics utility) to launch a payload, specifically Horus Loader, which then executes the **Horus Agent** implant. The mechanism relies on the manipulation of the working directory during the attack chain.
## Exploitation
- Status: Exploited in the wild (Weaponized by threat actor Stealth Falcon/FruityArmor).
- Complexity: Low (Triggered by user clicking a specially crafted URL shortcut file).
- Attack Vector: Network (Delivered via phishing/archive attachment) leading to Remote execution due to user interaction dependency.
## Impact
- Confidentiality: Likely High (Due to malware implant/backdoor capabilities).
- Integrity: Likely High (Due to execution of arbitrary malicious code).
- Availability: Likely High (Depends on the malware's final objective, but persistence mechanisms are noted).
## Remediation
### Patches
- Microsoft released patches addressing this vulnerability in their June 2025 Patch Tuesday update cycle. Specific patch KB numbers are not listed in the source material, but refer to the Microsoft MSRC Update Guide for June 2025.
### Workarounds
- No specific workarounds were listed, but given it is a zero-day actively exploited, immediate patching is critical. Limiting WEBDAV exposure or restricting user interaction with suspicious URLs/files may serve as temporary controls.
## Detection
- **Indicators of Compromise (IoCs):**
* Execution of `iediagcmd.exe` initiated by loading an unexpected `.url` file.
* Presence of the **Horus Agent** implant (C++ based, Mythic C2 framework derivative).
* Network connections indicative of Mythic C2 communication.
* Suspicious activity related to: Credential Dumper, Passive backdoor, or the custom Keylogger writing to `C:/windows/temp/~TN%LogName%.tmp`.
- **Detection Methods and Tools:**
* Monitor endpoint detection and response (EDR) systems for anomalous execution chains originating from file handlers or browser features interacting with WEBDAV resources via crafted URLs.
* Threat hunting for the artifacts left by the post-exploitation tools used by Stealth Falcon.
## References
- Vendor Advisories: https://msrc.microsoft.com/update-guide/releaseNote/2025-Jun
- CISA Catalog Entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Check Point Report: https://research.checkpoint.com/2025/stealth-falcon-zero-day/