WEBDAV Zero-Day Exploited in the Wild

Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild.

Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.

The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.

The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV (CVE-2025-33053, CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL.

The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It's worth mentioning that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.

In a separate report, the cybersecurity company attributed the abuse of CVE-2025-33053 to a threat actor known as Stealth Falcon (aka FruityArmor), which has a history of leveraging Windows zero-days in its attacks. In September 2023, the hacking group was observed using a backdoor dubbed Deadglyph as part of an espionage campaign aimed at entities in Qatar and Saudi Arabia.

While Stealth Falcon operations have been identified as likely tied to the United Arab Emirates by the Citizen Lab in the past, Eli Smadja, research group manager at Check Point Research, told The Hacker News they are "unable to confirm any country affiliations" given their focus on the groups and their tactics.

"The activity appears to be highly targeted, affecting specific victims rather than being widespread," Smadja said of the latest campaign.

The threat sequence, in a nutshell, involves the use of an internet shortcut (URL) file that exploits CVE-2025-33053 to execute malware from an actor-controlled WebDAV server. Check Point said CVE-2025-33053 allows for remote code execution through manipulation of the working directory.

In the attack chain observed against an unnamed defense company in Turkey, the threat actor is said to have employed CVE-2025-33053 to deliver Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. It's believed that the malicious payload used to initiate the attack, a URL shortcut file, was sent as an archived attachment in a phishing email.


The URL file is used to launch iediagcmd.exe, a legitimate diagnostics utility for Internet Explorer, leveraging it to launch another payload called Horus Loader, which is responsible for serving a decoy PDF document and executing Horus Agent.

"Written in C++, the implant shows no significant overlap with known C-based Mythic agents, aside from commonalities in the generic logic related to Mythic C2 communications," Check Point said. "While the loader makes sure to implement some measures to protect the payload, the threat actors placed additional precautions within the backdoor itself."

This includes the use of techniques like string encryption and control flow flattening to complicate analysis efforts. The backdoor then connects to a remote server to fetch tasks that allow it to collect system information, enumerate files and folders, download files from the server, inject shellcode into running processes, and exit the program.

CVE-2025-33053 infection chain

Horus Agent is assessed to be an evolution of the customized Apollo implant, an open-source .NET agent for the Mythic framework, that was previously put to use by Stealth Falcon between 2022 and 2023.

"Horus is a more advanced version of the threat groups' custom Apollo implant, rewritten in C++, improved, and refactored," Check Point said.

"Similar to the Horus version, the Apollo version introduces extensive victim fingerprinting capabilities while limiting the number of supported commands. This allows the threat actors to focus on stealthy identification of the infected machine and next stage payload delivery, while also keeping the implant size significantly smaller (only 120Kb) than the full agent."

The company said it also observed the threat actor leveraging several previously undocumented tools, such as the following:

  • Credential Dumper, which targets an already-compromised Domain Controller to steal Active Directory and Domain Controller credential-related files
  • Passive backdoor, which listens for incoming requests and executes shellcode payloads
  • Keylogger, a custom C++ tool that records all keystrokes and writes them to a file under "C:/windows/temp/~TN%LogName%.tmp"

The keylogger notably lacks any C2 mechanism, meaning that it likely works in conjunction with another component that can exfiltrate the file to the attackers.
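Two host-level artifacts from this report are concrete enough to hunt for: iediagcmd.exe being launched with a working directory on a WebDAV share (the working-directory manipulation described in the infection chain above) and a keylogger output file written under C:\Windows\Temp with the ~TN prefix. The following scanner is an added example, not Check Point's or Microsoft's code; it assumes Sysmon-style JSON events (Event ID 1 process creation with Image and CurrentDirectory, Event ID 11 file creation with TargetFilename), and the sample events are constructed for illustration.

```python
import json
import re
from typing import Iterable, List, Tuple

# Constructed Sysmon-style events (JSON lines) for this example; not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "\\\\203.0.113.10@80\\DavWWWRoot\\share\\", "CommandLine": "iediagcmd.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "C:\\Users\\alice\\", "CommandLine": "iediagcmd.exe"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "TargetFilename": "C:\\Windows\\Temp\\~TNalice.tmp"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\report.tmp"}
"""

# A UNC working directory; "@SSL", "@<port>" and "DavWWWRoot" are the WebDAV redirector's markers.
UNC_WORKDIR = re.compile(r"^\\\\[^\\]+\\", re.IGNORECASE)
WEBDAV_MARKER = re.compile(r"@SSL|@\d+\\|\\DavWWWRoot\\", re.IGNORECASE)
# The keylogger path pattern quoted in the report: C:\Windows\Temp\~TN<LogName>.tmp
KEYLOG_FILE = re.compile(r"^C:\\Windows\\Temp\\~TN.*\.tmp$", re.IGNORECASE)


def is_webdav_launch(ev: dict) -> bool:
    """iediagcmd.exe started with a UNC (typically WebDAV) working directory."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "").lower()
    return image.endswith("\\iediagcmd.exe") and bool(UNC_WORKDIR.match(ev.get("CurrentDirectory", "")))


def is_keylogger_drop(ev: dict) -> bool:
    """File creation matching the ~TN%LogName%.tmp naming under C:\\Windows\\Temp."""
    return ev.get("EventID") == 11 and bool(KEYLOG_FILE.match(ev.get("TargetFilename", "")))


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, artifact) pairs for every event that matches a hunt rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_webdav_launch(ev):
            cwd = ev["CurrentDirectory"]
            kind = "WebDAV" if WEBDAV_MARKER.search(cwd) else "UNC"
            hits.append((f"CVE-2025-33053 pattern: iediagcmd.exe run from {kind} share", cwd))
        elif is_keylogger_drop(ev):
            hits.append(("Stealth Falcon keylogger output file", ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for reason, artifact in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[!] {reason}: {artifact}")
```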

"Stealth Falcon employs commercial code obfuscation and protection tools, as well as custom-modified versions tailored for different payload types," the Check Point research team said. "This makes their tools more difficult to reverse-engineer and complicates tracking technical changes over time."

The active exploitation of CVE-2025-33053 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by July 1, 2025.

"What makes this flaw particularly concerning is the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration," Mike Walters, President and Co-Founder of Action1, said. "Many organizations enable WebDAV for legitimate business needs — often without fully understanding the security risks it introduces."

The most severe vulnerability resolved by Microsoft is a privilege escalation flaw in Power Automate (CVE-2025-47966, CVSS score: 9.8) that could permit an attacker to elevate privileges over a network. However, there is no customer action required to mitigate the bug.

Other vulnerabilities of note include elevation of privilege flaws in Common Log File System Driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1), and Windows SMB Client (CVE-2025-33073, CVSS score: 8.8), as well as a critical unauthenticated RCE vulnerability in the Windows KDC Proxy Service (CVE-2025-33071, CVSS score: 8.1).

"Over the past several months, the CLFS driver has become a consistent focus for both threat actors and security researchers due to its exploitation in multiple ransomware operations," Ben McCarthy, lead cyber security engineer at Immersive, said.

"It is categorized as a heap-based buffer overflow — a type of memory corruption vulnerability. The attack complexity is considered low, and successful exploitation allows an attacker to escalate privileges."

CVE-2025-33073 is the only vulnerability to be listed as publicly known at the time of release, with CrowdStrike, Synacktiv, SySS GmbH, RedTeam Pentesting, and Google Project Zero acknowledged for reporting the bug.

"Even though CVE-2025-33073 is referred to by Microsoft as an elevation of privilege, it is actually an authenticated remote command execution as SYSTEM on any machine which does not enforce SMB signing," Synacktiv researchers Wilfried Bécard and Guillaume André said.

Reflective Kerberos relay attack (CVE-2025-33073)

The path to exploitation requires a victim to connect to a malicious SMB server controlled by the attacker, ultimately leading to privilege escalation by means of a reflective Kerberos relay attack.

"The principle behind the attack is that we coerced a Windows host to connect to our attack system via SMB and authenticate via Kerberos," RedTeam Pentesting said in a technical analysis. "The Kerberos ticket is then relayed back to the same host again via SMB. The resulting SMB session had high-privileged NT AUTHORITY\SYSTEM privileges that are sufficient to execute arbitrary commands."

Adam Barnett, lead software engineer at Rapid7, said the exploitation of CVE-2025-33071 requires the attacker to exploit a cryptographic flaw and win a race condition.

"The bad news is that Microsoft considers exploitation more likely regardless, and since a KDC proxy helps Kerberos requests from untrusted networks more easily access trusted assets without any need for a direct TCP connection from the client to the domain controller, the trade-off here is that the KDC proxy itself is quite likely to be exposed to an untrusted network," Barnett added.

Last but not least, Microsoft has also rolled out patches to remediate a secure boot bypass bug (CVE-2025-3052, CVSS score: 6.7) discovered by Binarly that enables the execution of untrusted software.


"A vulnerability exists in a UEFI application signed with a Microsoft third-party UEFI certificate, which allows an attacker to bypass UEFI Secure Boot," Redmond said in an alert. "An attacker who successfully exploited this vulnerability could bypass Secure Boot."

CERT Coordination Center (CERT/CC), in an advisory released Tuesday, said the vulnerability is rooted in Unified Extensible Firmware Interface (UEFI) applications DTBios and BiosFlashShell from DT Research, allowing Secure Boot bypass using a specially crafted NVRAM variable.

"The vulnerability stems from improper handling of a runtime NVRAM variable that enables an arbitrary write primitive, capable of modifying critical firmware structures, including the global Security2 Architectural Protocol used for Secure Boot verification," CERT/CC said.

"Because the affected applications are signed by the Microsoft UEFI Certificate Authority, this vulnerability can be exploited on any UEFI-compliant system, allowing unsigned code to run during the boot process."

Successful exploitation of the vulnerability could permit the execution of unsigned or malicious code even before the operating system loads, potentially enabling attackers to drop persistent malware that can survive reboots and even disable security software.

Microsoft, however, is not affected by CVE-2025-4275 (aka Hydroph0bia), another Secure Boot bypass vulnerability present in an InsydeH2O UEFI application that allows digital certificate injection through an unprotected NVRAM variable ("SecureFlashCertData"), resulting in arbitrary code execution at the firmware level.

"This issue arises from the unsafe use of an NVRAM variable, which is used as trusted storage for a digital certificate in the trust validation chain," CERT/CC said. "An attacker can store their own certificate in this variable and subsequently run arbitrary firmware (signed by the injected certificate) during the early boot process within the UEFI environment."

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
