A severe remote code execution (RCE) vulnerability in Windows WebDAV, CVE‑2025‑33053, lets an attacker who controls a file path or name execute code without authentication. It carries a CVSS score of 8.8 and has been actively exploited in real-world espionage campaigns.
Threat Overview
| Detail | Description |
|---|---|
| Threat type | Remote Code Execution (RCE) in WebDAV |
| Detection names | Tracked as CVE‑2025‑33053 (WebDAV RCE) |
| Symptoms of infection | Unexpected code execution, unusual network activity, files loaded from WebDAV servers |
| Damage & distribution | In the wild: used to deploy custom Horus Agent espionage implants via malicious .url shortcuts in phishing emails |
| Danger level | Important (CVSS 8.8), patched urgently; actively exploited by the APT group “Stealth Falcon” |
| Removal tool | SpyHunter (for cleanup) |
In‑Depth Analysis
How I got infected
Victims receive a phishing email containing a .url shortcut disguised as a PDF. Opening it triggers exploitation via WebDAV, which launches a legitimate Windows utility that in turn fetches malicious code from an attacker‑controlled server.
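As an added example (not code from the original page or from any vendor tool), a small Python triage script for shortcut attachments of the kind described above: it parses a Windows .url file and flags a document-like double extension and any URL, WorkingDirectory or IconFile field that points at a remote host, distinguishing WebDAV-style UNC paths from plain UNC paths. The file name, host address and shortcut contents are constructed for the demonstration.

```python
import configparser
import re
from urllib.parse import urlparse

# WebDAV-flavoured UNC syntax: \\host@SSL@443\..., \\host@80\... or \\host\DavWWWRoot\...
# A plain \\host\share\ path is matched separately as an ordinary UNC path.
WEBDAV_UNC = re.compile(r"^\\\\(?:[^\\]*@(?:SSL|\d+)[^\\]*\\|[^\\]+\\DavWWWRoot\\)", re.IGNORECASE)
ANY_UNC = re.compile(r"^\\\\[^\\]+\\")
PATH_KEYS = ("URL", "WorkingDirectory", "IconFile")  # shortcut fields that can name a path

def describe_path(value):
    """Return a short reason if the value reaches a remote host, else None."""
    v = value.strip().strip('"')
    if v.lower().startswith("file:"):
        host = urlparse(v).netloc
        return f"file:// URL to remote host {host}" if host else None
    if WEBDAV_UNC.match(v):
        return "WebDAV UNC path"
    if ANY_UNC.match(v):
        return "remote UNC path"
    return None

def scan_url_shortcut(filename, text):
    """Triage one Windows .url (InternetShortcut) file; returns a list of findings."""
    findings = []
    if re.search(r"\.(?:pdf|docx?)\.url$", filename, re.IGNORECASE):  # disguised as a document
        findings.append(f"double extension: {filename}")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return findings + [f"unparseable shortcut: {exc}"]
    if not parser.has_section("InternetShortcut"):
        return findings + ["no [InternetShortcut] section"]
    section = parser["InternetShortcut"]  # option lookup is case-insensitive
    for key in PATH_KEYS:
        reason = describe_path(section.get(key, ""))
        if reason:
            findings.append(f"{key}={section[key]!r}: {reason}")
    return findings

# Constructed sample modelled on the lure described above (not a real artifact).
SAMPLE_NAME = "Report.pdf.url"
SAMPLE_TEXT = r"""[InternetShortcut]
URL=file://203.0.113.10/share/Report.pdf
WorkingDirectory=\\203.0.113.10@80\DavWWWRoot\tools
IconFile=C:\Windows\System32\shell32.dll
"""
```

Running `scan_url_shortcut(SAMPLE_NAME, SAMPLE_TEXT)` yields three findings for the sample (the double extension, the remote file:// URL and the WebDAV working directory) and none for a shortcut that only carries an https:// URL.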
What it does
Once the shortcut is opened, the exploit makes the system download and execute a “Horus Loader”, which then installs the Horus Agent, a C++‑based implant. The implant supports:
- System reconnaissance
- File enumeration and exfiltration
- Shellcode injection
- Keylogging via a passive component that writes keystroke logs to local disk
Tools are obfuscated and hardened against reverse engineering.
Should you be worried?
Yes. The vulnerability is being actively leveraged for espionage, targeting defense-related entities. With WebDAV commonly enabled in enterprise environments, the attack vector is accessible and dangerous.
Conclusion
CVE‑2025‑33053 marks the first actively exploited WebDAV zero‑day. It allows attackers to drop advanced implants using trusted Windows components, bypassing many defenses. If you use Internet Explorer or Edge, or you run WebDAV services (e.g., IIS, Apache mod_dav), apply the June 2025 Patch Tuesday updates immediately. After patching, use SpyHunter to detect and remove any residual malware. Stay vigilant against phishing emails containing unfamiliar shortcuts.