Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access

Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by looking for process-access events in which legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) access suspicious executables hosted on WebDAV shares. Such access suggests an attacker is exploiting Process.Start() search-order manipulation to run malicious code from an attacker-controlled WebDAV server instead of the legitimate system binaries. The vulnerability permits unauthorized code execution through external control of file names or paths via WebDAV.

Sigma rule

title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe)
    accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting
    Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers
    instead of legitimate system binaries. The vulnerability allows unauthorized code execution through
    external control of file names or paths via WebDAV.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: process_access
    product: windows
detection:
    selection_src:
        SourceImage:
            - 'C:\Program Files\internet explorer\iediagcmd.exe'
            - 'C:\Windows\System32\CustomShellHost.exe'
    selection_target_dir:
        - TargetImage|startswith: '\\\\'
        - TargetImage|contains: '\DavWWWRoot\'
    selection_target_exe:
        TargetImage|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
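To make the rule's matching logic concrete, the following is an added Python example (not part of the Sigma project or of any Sigma backend) that mirrors the three selections and the `all of selection_*` condition and runs them over constructed process-access records shaped like Sysmon Event ID 10 (only the `SourceImage` and `TargetImage` fields the rule uses). Sigma string modifiers compare case-insensitively, so the evaluator lowercases both fields; the hostnames, IP addresses and paths in the samples are made up for illustration.

```python
# Added example: evaluate the CVE-2025-33053 process_access rule above.
# This is an illustration of the rule's logic, not Sigma's own converter.
# Sigma matching is case-insensitive, so all comparisons are on lowercase.

SOURCE_IMAGES = {
    r"c:\program files\internet explorer\iediagcmd.exe",
    r"c:\windows\system32\customshellhost.exe",
}
# TargetImage|endswith values from the rule; the leading backslash is part
# of the pattern so that e.g. "myroute.exe" does not match.
TARGET_EXES = (
    "\\route.exe", "\\netsh.exe", "\\makecab.exe",
    "\\dxdiag.exe", "\\ipconfig.exe", "\\explorer.exe",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies all three selections."""
    src = event.get("SourceImage", "").lower()
    tgt = event.get("TargetImage", "").lower()
    selection_src = src in SOURCE_IMAGES
    # '\\\\' in the Sigma YAML is the literal UNC prefix "\\"; the DavWWWRoot
    # marker also catches WebDAV content reached through a mapped drive letter.
    selection_target_dir = tgt.startswith("\\\\") or "\\davwwwroot\\" in tgt
    selection_target_exe = tgt.endswith(TARGET_EXES)
    return selection_src and selection_target_dir and selection_target_exe


def scan(events: list) -> list:
    """Indices of the events that fire the rule, in input order."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (hosts, addresses and paths are illustrative).
SAMPLE_EVENTS = [
    {   # 0: iediagcmd.exe resolving route.exe from a UNC path -> match
        "SourceImage": r"C:\Program Files\internet explorer\iediagcmd.exe",
        "TargetImage": r"\\203.0.113.10\share\route.exe",
    },
    {   # 1: same source, but the genuine System32 binary -> no match
        "SourceImage": r"C:\Program Files\internet explorer\iediagcmd.exe",
        "TargetImage": r"C:\Windows\System32\route.exe",
    },
    {   # 2: CustomShellHost.exe reaching explorer.exe via DavWWWRoot -> match
        "SourceImage": r"C:\Windows\System32\CustomShellHost.exe",
        "TargetImage": r"\\webdav.example\DavWWWRoot\explorer.exe",
    },
    {   # 3: source process outside the rule's list -> no match
        "SourceImage": r"C:\Windows\System32\cmd.exe",
        "TargetImage": r"\\203.0.113.10\share\route.exe",
    },
    {   # 4: WebDAV share mounted as a drive letter -> match via DavWWWRoot
        "SourceImage": r"C:\Program Files\internet explorer\iediagcmd.exe",
        "TargetImage": r"Z:\DavWWWRoot\tools\netsh.exe",
    },
    {   # 5: UNC path, but a binary name the rule does not list -> no match
        "SourceImage": r"C:\Program Files\internet explorer\iediagcmd.exe",
        "TargetImage": r"\\203.0.113.10\share\payload.exe",
    },
]

if __name__ == "__main__":
    print("matching event indices:", scan(SAMPLE_EVENTS))  # [0, 2, 4]
```

Events 1, 3 and 5 each fail exactly one selection, which is the useful property of the `all of` condition here: a legitimate System32 target, an unrelated source process, or a binary name outside the list is enough to keep the event quiet, while both the UNC form and the mapped-drive `DavWWWRoot` form of a WebDAV path are still caught.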
