Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by monitoring image loads by processes whose executable resides on a WebDAV path. The exploit involves executables served from an attacker-controlled WebDAV server under the names of legitimate Windows tools (route.exe, netsh.exe, makecab.exe, dxdiag.exe, ipconfig.exe, explorer.exe) loading Windows system DLLs such as gdi32.dll and netapi32.dll. Note that in the image_load category the rule keys on the Image field (the loading process), not on ImageLoaded (the DLL): it requires a UNC path beginning with \\ and containing \DavWWWRoot\, the form the Windows WebClient mini-redirector gives WebDAV shares (\\host@port\DavWWWRoot\...), combined with one of the listed file names. Sigma string matching is case-insensitive, so case variations in the path are covered, but a binary served under any other name from the same share does not trigger this rule; the related rules cover other stages of the chain.
Sigma rule
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
id: 04fc4b22-91a6-495a-879d-0144fec5ec03
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
    attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: image_load
    product: windows
detection:
    selection_img_path:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    selection_img_bin:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
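To show what the detection block above actually matches, here is an added example (editor's code, not part of the SigmaHQ rule or this page): a small evaluator for the rule's two selections and its "all of selection_*" condition, run over constructed Sysmon Event ID 7 (image load) records. The records are made up for the example; 192.0.2.10 is an RFC 5737 documentation address, and the field names follow Sigma's windows/image_load log source (Image is the loading process, ImageLoaded is the DLL).

```python
# Added example, not part of the SigmaHQ rule or this page: a minimal evaluator
# for the rule's detection block, run over constructed Sysmon Event ID 7 records.
from typing import Dict, List, Sequence, Tuple, Union

Pattern = Union[str, Sequence[str]]
Selection = Dict[Tuple[str, str], Pattern]  # (field, modifier) -> value or values

# The rule's two selections, transcribed from the YAML. Sigma's '\\\\' denotes
# two literal backslashes, i.e. the UNC prefix; in Python that is "\\\\".
SELECTION_IMG_PATH: Selection = {
    ("Image", "startswith"): "\\\\",
    ("Image", "contains"): "\\DavWWWRoot\\",
}
SELECTION_IMG_BIN: Selection = {
    ("Image", "endswith"): [
        "\\route.exe", "\\netsh.exe", "\\makecab.exe",
        "\\dxdiag.exe", "\\ipconfig.exe", "\\explorer.exe",
    ],
}
RULE_SELECTIONS = [SELECTION_IMG_PATH, SELECTION_IMG_BIN]


def _match_one(value: str, modifier: str, pattern: str) -> bool:
    """Sigma string comparisons are case-insensitive by default."""
    v, p = value.lower(), pattern.lower()
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, str], selection: Selection) -> bool:
    """Fields inside one selection map are AND-ed; a list of values for a field is OR-ed."""
    for (field, modifier), pattern in selection.items():
        value = event.get(field)
        if value is None:
            return False
        patterns = [pattern] if isinstance(pattern, str) else list(pattern)
        if not any(_match_one(value, modifier, p) for p in patterns):
            return False
    return True


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return all(selection_matches(event, s) for s in RULE_SELECTIONS)


def find_hits(events: Sequence[Dict[str, str]]) -> List[str]:
    """Return the Image path of every record the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed Sysmon Event ID 7 records (not real telemetry). The WebDAV UNC
# forms \\host@port\DavWWWRoot\ and \\host@SSL@port\DavWWWRoot\ are what the
# Windows WebClient mini-redirector produces for HTTP and HTTPS shares.
SAMPLE_EVENTS = [
    # 1: tool name from the list, served from a WebDAV share -> hit
    {"EventID": "7", "Image": "\\\\192.0.2.10@80\\DavWWWRoot\\route.exe",
     "ImageLoaded": "C:\\Windows\\System32\\gdi32.dll"},
    # 2: HTTPS share, odd casing in the path -> still a hit (case-insensitive)
    {"EventID": "7", "Image": "\\\\192.0.2.10@SSL@443\\DAVWWWROOT\\netsh.exe",
     "ImageLoaded": "C:\\Windows\\System32\\netapi32.dll"},
    # 3: the genuine System32 tool loading the same DLL -> no hit (local path)
    {"EventID": "7", "Image": "C:\\Windows\\System32\\route.exe",
     "ImageLoaded": "C:\\Windows\\System32\\gdi32.dll"},
    # 4: same share, but a name outside selection_img_bin -> no hit
    {"EventID": "7", "Image": "\\\\192.0.2.10@80\\DavWWWRoot\\payload.exe",
     "ImageLoaded": "C:\\Windows\\System32\\gdi32.dll"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT CVE-2025-33053 image load from WebDAV:", hit)
```

Records 1 and 2 fire, record 3 does not because the executable lives in System32, and record 4 shows the rule's scope: a binary served from the same share under a name that is not in selection_img_bin is left to the related process-creation and process-access rules. A real deployment matches on the Image field of every DLL load by such a process, so one infected process produces one alert per loaded DLL; aggregate on ProcessId or ProcessGuid when tuning.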
References
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
Related rules
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Potential Suspicious Child Process Of 3CXDesktopApp
- Scheduled Task Creation with Curl and PowerShell Execution Combo