Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads by processes running from WebDAV paths. In the exploit, a malicious executable served from an attacker-controlled WebDAV share (or a legitimate Windows binary launched from such a share) loads Windows system DLLs such as gdi32.dll and netapi32.dll.
Sigma rule
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
id: 04fc4b22-91a6-495a-879d-0144fec5ec03
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
    attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: image_load
    product: windows
detection:
    selection_img_path:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    selection_img_bin:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
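As an added example (not part of the rule above or of the Sigma project), the two selections and the `all of selection_*` condition reimplemented in Python and run over constructed image_load records, so the matching behaviour can be checked before deploying the rule; the hostnames, share names and DLL paths in the samples are placeholders.

```python
from typing import Dict, List, Sequence, Tuple

# Criteria transcribed from the Sigma rule above.
# Sigma '\\\\' denotes two literal backslashes, i.e. a UNC path prefix.
UNC_PREFIX = "\\\\"
DAV_MARKER = "\\DavWWWRoot\\"          # WebDAV mini-redirector path component
LOLBIN_SUFFIXES = (
    "\\route.exe", "\\netsh.exe", "\\makecab.exe",
    "\\dxdiag.exe", "\\ipconfig.exe", "\\explorer.exe",
)


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when an image_load event satisfies 'all of selection_*'.

    Sigma string modifiers (startswith/contains/endswith) match case-insensitively,
    so the process path is lowercased before comparison.
    """
    image = event.get("Image", "").lower()
    in_webdav_path = image.startswith(UNC_PREFIX) and DAV_MARKER.lower() in image
    is_listed_binary = image.endswith(LOLBIN_SUFFIXES)
    return in_webdav_path and is_listed_binary


def triage(events: Sequence[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (loading process, loaded DLL) pairs the rule would alert on."""
    return [(e["Image"], e.get("ImageLoaded", "")) for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 7 (image_load) samples; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"\\webdav.example.invalid\DavWWWRoot\share\route.exe",
     "ImageLoaded": r"C:\Windows\System32\gdi32.dll"},            # matches
    {"Image": r"\\webdav.example.invalid\DavWWWRoot\x\Explorer.EXE",
     "ImageLoaded": r"C:\Windows\System32\netapi32.dll"},         # matches (case-insensitive)
    {"Image": r"C:\Windows\System32\route.exe",
     "ImageLoaded": r"C:\Windows\System32\gdi32.dll"},            # local binary, no WebDAV path
    {"Image": r"\\fileserver.example.invalid\DavWWWRoot\tools\7z.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},         # WebDAV path, name not listed
]

if __name__ == "__main__":
    for image, dll in triage(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded {dll}")
```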
Related rules
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
- Potential Compromised 3CXDesktopApp Execution
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Greenbug Espionage Group Indicators