Potential Exploitation of RCE Vulnerability CVE-2025-33053

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation.

Sigma rule

title: Potential Exploitation of RCE Vulnerability CVE-2025-33053
id: abe06362-a5b9-4371-8724-ebd00cd48a04
related:
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    which involves unauthorized code execution via WebDAV through external control of file names or paths.
    The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
    their working directories to point to attacker-controlled WebDAV servers, causing them to execute
    malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
    through Process.Start() search order manipulation.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage:
            - 'C:\Program Files\internet explorer\iediagcmd.exe'
            - 'C:\Windows\System32\CustomShellHost.exe'
    selection_child_current_dir:
        - CurrentDirectory|startswith: '\\\\'
        - CurrentDirectory|contains: '\DavWWWRoot\'
        - Image|contains: '\DavWWWRoot\'
        - Image|startswith: '\\\\'
    selection_child_img:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    filter_main_system:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
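To make the rule's condition concrete, the following Python is an added example (not part of the rule, the Sigma project, or Nextron's tooling) that re-implements the four selections and the `all of selection_* and not 1 of filter_main_*` condition, then runs them over a handful of constructed process_creation events. The hostname `webdav.example.test` and the user paths are invented; the matching is case-insensitive as Sigma's default string matching is, and the UNC prefix literal assumes that the rule's `'\\\\'` denotes the two-character prefix `\\` under Sigma's backslash escaping.

```python
"""Evaluate the CVE-2025-33053 Sigma rule logic over constructed events.

Added example; the field names follow the Sigma process_creation taxonomy
(ParentImage, Image, CurrentDirectory). Sample values are constructed.
"""
from dataclasses import dataclass

# Literals copied from the rule's selections (Sigma matching is case-insensitive).
PARENT_IMAGES = (
    "C:\\Program Files\\internet explorer\\iediagcmd.exe",
    "C:\\Windows\\System32\\CustomShellHost.exe",
)
UNC_PREFIX = "\\\\"              # assumption: the rule's '\\\\' is the UNC prefix \\
DAV_MARKER = "\\DavWWWRoot\\"    # the WebDAV redirector path component
CHILD_NAMES = ("\\route.exe", "\\netsh.exe", "\\makecab.exe",
               "\\dxdiag.exe", "\\ipconfig.exe", "\\explorer.exe")
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")


@dataclass
class ProcessEvent:
    ParentImage: str
    Image: str
    CurrentDirectory: str


def selection_parent(ev: ProcessEvent) -> bool:
    """ParentImage is one of the two utilities the rule names."""
    return ev.ParentImage.lower() in {p.lower() for p in PARENT_IMAGES}


def selection_child_current_dir(ev: ProcessEvent) -> bool:
    """A list of maps in Sigma is OR-ed: any one of the four tests suffices."""
    cwd, img = ev.CurrentDirectory.lower(), ev.Image.lower()
    marker = DAV_MARKER.lower()
    return (cwd.startswith(UNC_PREFIX) or marker in cwd
            or marker in img or img.startswith(UNC_PREFIX))


def selection_child_img(ev: ProcessEvent) -> bool:
    """Image ends with one of the binary names the exploit chain is known to spawn."""
    return ev.Image.lower().endswith(tuple(n.lower() for n in CHILD_NAMES))


def filter_main_system(ev: ProcessEvent) -> bool:
    """The child resolved to the real binary under System32/SysWOW64."""
    return ev.Image.lower().startswith(tuple(d.lower() for d in SYSTEM_DIRS))


def matches(ev: ProcessEvent) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    return (selection_parent(ev) and selection_child_current_dir(ev)
            and selection_child_img(ev) and not filter_main_system(ev))


# Constructed events (hostname and paths are invented for the example).
SAMPLE_EVENTS = {
    # route.exe resolved from the WebDAV share: the behaviour the rule targets.
    "dav_route_from_iediagcmd": ProcessEvent(
        ParentImage="C:\\Program Files\\internet explorer\\iediagcmd.exe",
        Image="\\\\webdav.example.test\\DavWWWRoot\\route.exe",
        CurrentDirectory="\\\\webdav.example.test\\DavWWWRoot\\"),
    # Same parent, but the real System32 binary ran with a local cwd: benign.
    "system32_route_local_cwd": ProcessEvent(
        ParentImage="C:\\Program Files\\internet explorer\\iediagcmd.exe",
        Image="C:\\Windows\\System32\\route.exe",
        CurrentDirectory="C:\\Users\\alice"),
    # WebDAV cwd, but the child still resolved to System32: the filter excludes it.
    "system32_route_dav_cwd": ProcessEvent(
        ParentImage="C:\\Program Files\\internet explorer\\iediagcmd.exe",
        Image="C:\\Windows\\System32\\route.exe",
        CurrentDirectory="\\\\webdav.example.test\\DavWWWRoot\\"),
    # UNC child, but the parent is not one the rule names.
    "dav_route_from_cmd": ProcessEvent(
        ParentImage="C:\\Windows\\System32\\cmd.exe",
        Image="\\\\webdav.example.test\\DavWWWRoot\\route.exe",
        CurrentDirectory="\\\\webdav.example.test\\DavWWWRoot\\"),
    # Second parent, mixed-case path, explorer.exe from the share.
    "dav_explorer_from_customshellhost": ProcessEvent(
        ParentImage="c:\\windows\\system32\\customshellhost.exe",
        Image="\\\\WEBDAV.EXAMPLE.TEST\\davwwwroot\\Explorer.exe",
        CurrentDirectory="\\\\WEBDAV.EXAMPLE.TEST\\davwwwroot\\"),
}


def run_samples() -> dict:
    """Return {event name: rule matched?} for the constructed events."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'ALERT ' if hit else 'ok    '} {name}")
```

The third sample is the one worth studying: a WebDAV working directory on its own is not enough, because `filter_main_system` drops the event when the child still resolved to the genuine binary under System32. Only when the image itself lives on the UNC/DavWWWRoot path does the rule fire, which is exactly the search-order condition the description calls out.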
