Potential Exploitation of RCE Vulnerability CVE-2025-33053
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation.
Sigma rule
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053
id: abe06362-a5b9-4371-8724-ebd00cd48a04
related:
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    which involves unauthorized code execution via WebDAV through external control of file names or paths.
    The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
    their working directories to point to attacker-controlled WebDAV servers, causing them to execute
    malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
    through Process.Start() search order manipulation.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage:
            - 'C:\Program Files\internet explorer\iediagcmd.exe'
            - 'C:\Windows\System32\CustomShellHost.exe'
    selection_child_current_dir:
        - CurrentDirectory|startswith: '\\\\'
        - CurrentDirectory|contains: '\DavWWWRoot\'
        - Image|contains: '\DavWWWRoot\'
        - Image|startswith: '\\\\'
    selection_child_img:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    filter_main_system:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
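To see exactly what the condition selects, here is an added example (not code from SigmaHQ or the rule author) that re-implements the rule's three selections and its filter in Python and runs them over five constructed Sysmon process-creation records. The host name webdav.example.test, the drive letter Z: and every field value are invented for illustration; field names follow the Sigma Windows process_creation taxonomy. Note that the Sigma literal '\\\\' denotes two backslashes (the UNC prefix), which is why the Python below tests for "\\\\".

```python
# Added example (not part of the SigmaHQ rule or its page): a minimal
# evaluator for the process_creation rule above, run over constructed
# Sysmon-style Event ID 1 records. Host names, drive letter and all field
# values are invented.

PARENT_IMAGES = {
    "c:\\program files\\internet explorer\\iediagcmd.exe",
    "c:\\windows\\system32\\customshellhost.exe",
}
CHILD_NAMES = ("\\route.exe", "\\netsh.exe", "\\makecab.exe",
               "\\dxdiag.exe", "\\ipconfig.exe", "\\explorer.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _f(event, name):
    """Fetch a field lower-cased: Sigma string matching is case-insensitive."""
    return str(event.get(name, "")).lower()


def selection_parent(event):
    return _f(event, "ParentImage") in PARENT_IMAGES


def selection_child_current_dir(event):
    # A YAML list of maps under a selection is OR-ed: any one item suffices.
    cwd, img = _f(event, "CurrentDirectory"), _f(event, "Image")
    return (cwd.startswith("\\\\") or "\\davwwwroot\\" in cwd
            or "\\davwwwroot\\" in img or img.startswith("\\\\"))


def selection_child_img(event):
    return _f(event, "Image").endswith(CHILD_NAMES)


def filter_main_system(event):
    return _f(event, "Image").startswith(SYSTEM_DIRS)


def matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    return (selection_parent(event)
            and selection_child_current_dir(event)
            and selection_child_img(event)
            and not filter_main_system(event))


# Constructed events. Only EXPLOIT_LIKE should fire.
EXPLOIT_LIKE = {
    "EventID": 1,
    "ParentImage": "C:\\Program Files\\internet explorer\\iediagcmd.exe",
    "CurrentDirectory": "\\\\webdav.example.test@80\\DavWWWRoot\\",
    "Image": "\\\\webdav.example.test@80\\DAVWWWROOT\\route.exe",
    "CommandLine": "route print",
}
# Normal diagnostic run: working directory and binary both in System32.
BENIGN_DIAG = {
    "EventID": 1,
    "ParentImage": "C:\\Program Files\\internet explorer\\iediagcmd.exe",
    "CurrentDirectory": "C:\\Windows\\System32\\",
    "Image": "C:\\Windows\\System32\\route.exe",
    "CommandLine": "route print",
}
# Working directory is on WebDAV but the genuine System32 binary resolved:
# filter_main_system suppresses this one.
UNC_CWD_SYSTEM_IMAGE = {
    "EventID": 1,
    "ParentImage": "C:\\Program Files\\internet explorer\\iediagcmd.exe",
    "CurrentDirectory": "\\\\webdav.example.test@80\\DavWWWRoot\\",
    "Image": "C:\\Windows\\System32\\route.exe",
    "CommandLine": "route print",
}
# Same WebDAV-hosted route.exe, but the parent is not a watched utility.
OTHER_PARENT = {
    "EventID": 1,
    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    "CurrentDirectory": "\\\\webdav.example.test@80\\DavWWWRoot\\",
    "Image": "\\\\webdav.example.test@80\\DavWWWRoot\\route.exe",
    "CommandLine": "route print",
}
# WebDAV share mapped to a drive letter: paths look local, so neither the
# UNC-prefix nor the DavWWWRoot test fires. Outside this rule's selection.
MAPPED_DRIVE = {
    "EventID": 1,
    "ParentImage": "C:\\Program Files\\internet explorer\\iediagcmd.exe",
    "CurrentDirectory": "Z:\\",
    "Image": "Z:\\route.exe",
    "CommandLine": "route print",
}

SAMPLE_EVENTS = {
    "exploit_like": EXPLOIT_LIKE,
    "benign_diag": BENIGN_DIAG,
    "unc_cwd_system_image": UNC_CWD_SYSTEM_IMAGE,
    "other_parent": OTHER_PARENT,
    "mapped_drive": MAPPED_DRIVE,
}


def run(events=SAMPLE_EVENTS):
    """Return the names of the events the rule would alert on, sorted."""
    return sorted(name for name, ev in events.items() if matches(ev))


if __name__ == "__main__":
    print("alerts:", run())
```

Two of the non-matching cases are worth keeping in mind when tuning. The filter_main_system case shows that the rule deliberately stays quiet when the child resolves to the real System32 binary even though the working directory is a WebDAV UNC path; only a child image that itself lives outside System32/SysWOW64 alerts. The mapped-drive case shows that a WebDAV share mounted under a drive letter presents local-looking paths and is not covered by this selection; the Image Load and Process Access rules the rule lists as related are the companions it points to for the same activity.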
References
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
Related rules
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Potential Suspicious Child Process Of 3CXDesktopApp
- Scheduled Task Creation with Curl and PowerShell Execution Combo