CVE-2025-33053: The Shortcut to Hell: Dissecting CVE-2025-33053

The Shortcut to Hell: Dissecting CVE-2025-33053

Vulnerability ID: CVE-2025-33053
CVSS Score: 8.8
Published: 2025-06-10

CVE-2025-33053 is a devastatingly simple logic flaw in how Windows handles Internet Shortcut (.url) files, allowing for Remote Code Execution via WebDAV. By manipulating the 'WorkingDirectory' property, attackers can trick legitimate system binaries into loading malicious payloads from remote servers. This vulnerability was weaponized as a zero-day by the Stealth Falcon APT group.

TL;DR

A critical RCE in Windows where a crafted .url file forces a system binary to load dependencies from an attacker-controlled WebDAV share. Actively exploited in the wild.

---

⚠️ Exploit Status: ACTIVE

Technical Details

• CWE ID: CWE-73 (External Control of File Name or Path)
• Attack Vector: Network (WebDAV)
• CVSS v3.1: 8.8 (Critical)
• EPSS Score: 25.50% (High Probability)
• Exploit Status: Active / Weaponized
• KEV Listed: Yes (2025-06-10)

Affected Systems

• Windows 10
• Windows 11
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022
• Windows Server 2025
• Windows 10: 1507 - 22H2 (Fixed in: June 2025 Update)
• Windows 11: 21H2 - 24H2 (Fixed in: June 2025 Update)
• Windows Server: 2008 - 2025 (Fixed in: June 2025 Update)

Exploit Details

• Stealth Falcon Campaign: Active exploitation in the wild targeting Middle Eastern organizations.
• GitHub (kra1t0): Python PoC to generate malicious .url files and serve WebDAV payloads.

Mitigation Strategies

• Disable the WebClient service on all endpoints where not strictly required.
• Block .url files at the email gateway and web proxy.
• Deploy the June 2025 Cumulative Update immediately.

Remediation Steps:

1. Identify vulnerable hosts using version numbering.
2. Push Group Policy to disable the WebClient service (ServiceName: WebClient).
3. Monitor firewall logs for outbound WebDAV traffic (PROPFIND methods) to external IPs.
4. Configure Attack Surface Reduction (ASR) rules to block Office applications from creating child processes (peripheral mitigation).

References

• Check Point Research: Stealth Falcon Zero Day
• Bleeping Computer Analysis

---

Read the full report for CVE-2025-33053 on our website for more details including interactive diagrams and full exploit analysis.