Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access

Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053 by looking for process-access events in which legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) access suspicious executables hosted on WebDAV shares. Such access indicates that an attacker may be exploiting Process.Start() search-order manipulation to execute malicious code from an attacker-controlled WebDAV server instead of the legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.

Sigma rule

title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe)
    accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting
    Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers
    instead of legitimate system binaries. The vulnerability allows unauthorized code execution through
    external control of file names or paths via WebDAV.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: process_access
    product: windows
detection:
    selection_src:
        SourceImage:
            - 'C:\Program Files\internet explorer\iediagcmd.exe'
            - 'C:\Windows\System32\CustomShellHost.exe'
    selection_target_dir:
        - TargetImage|startswith: '\\\\'
        - TargetImage|contains: '\DavWWWRoot\'
    selection_target_exe:
        TargetImage|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
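To show how the three selections combine under `condition: all of selection_*`, the following added Python example (not part of the rule or of SigmaHQ) re-implements the rule's matching logic and runs it over constructed Sysmon Event ID 10 (ProcessAccess) records; the host names in the sample records are placeholders.

```python
from typing import Dict, List

# Values copied from the rule's selections, lower-cased because Sigma
# string comparisons are case-insensitive.
SOURCE_IMAGES = {
    r"c:\program files\internet explorer\iediagcmd.exe",
    r"c:\windows\system32\customshellhost.exe",
}
TARGET_EXES = (r"\route.exe", r"\netsh.exe", r"\makecab.exe",
               r"\dxdiag.exe", r"\ipconfig.exe", r"\explorer.exe")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when every selection_* block matches (condition: all of selection_*)."""
    src = event.get("SourceImage", "").lower()
    tgt = event.get("TargetImage", "").lower()
    selection_src = src in SOURCE_IMAGES
    # selection_target_dir is a YAML list of maps, so its two items are OR'ed:
    # a UNC path ('\\\\' in Sigma escaping is a literal \\) or the WebDAV
    # mini-redirector path component \DavWWWRoot\.
    selection_target_dir = tgt.startswith("\\\\") or "\\davwwwroot\\" in tgt
    selection_target_exe = tgt.endswith(TARGET_EXES)
    return selection_src and selection_target_dir and selection_target_exe


# Constructed Sysmon Event ID 10 records (placeholders, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"SourceImage": r"C:\Program Files\internet explorer\iediagcmd.exe",
     "TargetImage": r"\\webdav.example.invalid@80\DavWWWRoot\route.exe"},    # alert
    {"SourceImage": r"C:\Windows\System32\CustomShellHost.exe",
     "TargetImage": r"\\fileserver.example.invalid\share\dxdiag.exe"},       # alert (UNC branch)
    {"SourceImage": r"C:\Program Files\internet explorer\iediagcmd.exe",
     "TargetImage": r"C:\Windows\System32\route.exe"},                       # local binary: benign
    {"SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"\\webdav.example.invalid\DavWWWRoot\netsh.exe"},        # source not in rule
]


def alerting_targets(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetImage of every record the rule would fire on."""
    return [e["TargetImage"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for target in alerting_targets(SAMPLE_EVENTS):
        print("ALERT CVE-2025-33053 process access ->", target)
```

The third record shows why the target-directory selection matters: the same source process resolving route.exe from System32 is the expected search-order result and must not alert.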
