A vulnerability containing Microsoft Patch 67 Webdav Zero-Day has been exploited in the wild

June 16, 2025

Microsoft has released patches to fix 67 security flaws, including a zero-day bug in Web Distributed Authoring and Versioning (WebDAV).

Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. They include 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.

The patches are in addition to 13 flaws the company has addressed in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.

The vulnerability that has been weaponized in real-world attacks is a remote code execution flaw in WebDAV (CVE-2025-33053, CVSS score: 8.8).

The tech giant credited Check Point researchers Alexandra Gofman and David Driker with discovering and reporting the bug. It is worth noting that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.

In a separate report, the cybersecurity firm attributed the abuse of CVE-2025-33053 to a threat actor known as Stealth Falcon (aka FruityArmor), which has a history of leveraging Windows zero-days in its attacks. In September 2023, the hacking group was observed using a backdoor called Deadglyph as part of an espionage campaign targeting entities in Qatar and Saudi Arabia.

Stealth Falcon's operations have in the past been linked by Citizen Lab to the United Arab Emirates, but Eli Smadja, research group manager at Check Point Research, told The Hacker News that he "cannot confirm the affiliation of the country," with the focus being on the group and its tactics.

"The activity is highly targeted and appears to affect specific victims across a wide range of areas," Smadja said of the latest campaign.

In a nutshell, the attack sequence involves the use of Internet Shortcut (.url) files that exploit CVE-2025-33053 to run malware from an actor-controlled WebDAV server. Microsoft's advisory for CVE-2025-33053 states that remote code execution is possible through manipulation of the working directory.

In the attack chain observed against an unnamed Turkish defense company, the threat actor is said to have weaponized CVE-2025-33053 to deliver the Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. The malicious payload used to launch the attack, a .url shortcut file, is believed to have been sent as an archived attachment in a phishing email.

The .url file is used to launch iediagcmd.exe, a legitimate diagnostic utility for Internet Explorer, which in turn launches another payload called Horus Loader.
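The chain described above leaves a recognizable footprint in process-creation telemetry: a legitimate iediagcmd.exe whose working directory, or whose child process, sits on a WebDAV share. The script below is an added example written for this article (it is not Check Point's or Microsoft's code, and not based on the real incident data) that runs three such hunting rules over a handful of constructed Sysmon Event ID 1 style records. The sample events, the address 203.0.113.10 and the file name payload.exe are all made up for illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in the shape of Sysmon Event ID 1 records.
# Illustrative only: not telemetry from the reported incident. 203.0.113.10 is a
# documentation address standing in for an actor-controlled WebDAV server.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CurrentDirectory": "C:\\Users\\alice"},
    # Suspicious: iediagcmd.exe started with its working directory on a WebDAV share
    {"ProcessId": 200, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "\\\\203.0.113.10@80\\DavWWWRoot\\share"},
    # Suspicious: child of iediagcmd.exe whose image lives on that share (constructed name)
    {"ProcessId": 201, "Image": "\\\\203.0.113.10@80\\DavWWWRoot\\share\\payload.exe",
     "ParentImage": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe",
     "CurrentDirectory": "\\\\203.0.113.10@80\\DavWWWRoot\\share"},
    # Benign: iediagcmd.exe run locally with a local working directory
    {"ProcessId": 300, "Image": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "C:\\Users\\bob"},
    # Benign: child of that local run, image under System32
    {"ProcessId": 301, "Image": "C:\\Windows\\System32\\ipconfig.exe",
     "ParentImage": "C:\\Program Files\\Internet Explorer\\iediagcmd.exe",
     "CurrentDirectory": "C:\\Users\\bob"},
]

# Any UNC path: \\server\share\...
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")
# WebDAV-specific UNC forms: \\server@SSL\..., \\server@<port>\..., or a DavWWWRoot component
WEBDAV_PATH = re.compile(r"^\\\\[^\\]+@(ssl|\d{1,5})\\|\\davwwwroot\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, e.g. 'iediagcmd.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def is_unc(path: str) -> bool:
    return bool(UNC_PATH.match(path or ""))


def is_webdav(path: str) -> bool:
    return bool(WEBDAV_PATH.search(path or ""))


def detect(events) -> Dict[int, List[str]]:
    """Map each suspicious ProcessId to the list of rule names it triggered."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cwd = ev.get("CurrentDirectory", "")
        rules = []
        # Rule 1: the IE diagnostic tool running with a remote working directory
        if basename(image) == "iediagcmd.exe" and is_unc(cwd):
            rules.append("iediagcmd-remote-cwd")
        # Rule 2: iediagcmd.exe spawning a binary that lives on a network share
        if basename(parent) == "iediagcmd.exe" and is_unc(image):
            rules.append("iediagcmd-child-from-share")
        # Rule 3: any process image or working directory on a WebDAV-style UNC path
        if is_webdav(image) or is_webdav(cwd):
            rules.append("webdav-path")
        if rules:
            findings[ev["ProcessId"]] = rules
    return findings


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 3 fires on its own for any WebDAV path and is the noisiest of the three; rules 1 and 2 tie the share to iediagcmd.exe specifically, which is what makes the combination worth an alert rather than a low-priority hit.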

"The implant, written in C++, shows no significant overlap with known C-based Mythic agents, except for the common general logic related to Mythic C2 communication," Check Point said. "The loader already implements some measures to protect the payload, but the threat actors have placed additional precautions within the backdoor itself."

This includes the use of string encryption and control-flow flattening, which complicate analysis efforts. The backdoor then connects to a remote server to collect system information, enumerate files and folders, download files from the server, inject shellcode into a running process, and retrieve tasks, including one to exit the program.

CVE-2025-33053 infection chain (figure)

The Horus Agent is assessed to be an evolution of a customized Apollo implant, the open-source .NET agent for the Mythic framework that was previously used by Stealth Falcon between 2022 and 2023.

"Horus is a more advanced version of the threat group's custom Apollo implant, rewritten, improved and refactored in C++," Check Point said.

"Like the Apollo version, the Horus version introduces a wide range of victim fingerprinting capabilities while limiting the number of supported commands. This allows the threat actors to focus on stealthy identification of infected machines and next-stage payload delivery, while keeping the implant size significantly smaller than that of the full agent."

The company also said it observed the threat actor leveraging several previously undocumented tools, including:

  • A credential dumper that targets an already compromised domain controller and steals files related to Active Directory and domain controller credentials
  • A passive backdoor that listens for incoming requests and executes shellcode payloads
  • A keylogger that records all keystrokes and writes them to the file "c:/windows/temp/~tn%logname%.tmp"

The keylogger has no C2 mechanism of its own, which means it likely works in conjunction with another component that retrieves the file for the attacker.

"Stealth Falcon uses commercial code obfuscation and protection tools, as well as custom modified versions tailored to the various payload types," the Check Point Research team said. "This makes the tools more difficult to reverse engineer and complicates the tracking of technical changes over time."

The active exploitation of CVE-2025-33053 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by July 1, 2025.

"What is particularly concerning about this flaw is the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration," said Mike Walters, president and co-founder of Action1. "Many organizations enable WebDAV for legitimate business needs, often without a complete understanding of the security risks it introduces."

The most severe vulnerability resolved by Microsoft is a privilege escalation flaw in Power Automate (CVE-2025-47966, CVSS score: 9.8) that could allow an attacker to elevate privileges over a network. No customer action is needed to mitigate the bug, however.

Other notable vulnerabilities include privilege escalation flaws in the Common Log File System (CLFS) driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1) and the Windows SMB client (CVE-2025-33073, CVSS score: 8.8), as well as a flaw in the Windows KDC Proxy Service (CVE-2025-33071, CVSS score: 8.1).

"Over the past few months, the CLFS driver has become a consistent focus for both threat actors and security researchers due to its exploitation in multiple ransomware operations," said Immersive's lead cybersecurity engineer.

"This is classified as a heap-based buffer overflow, a type of memory corruption vulnerability. The attack complexity is considered low, allowing attackers to exploit it to escalate privileges."

CVE-2025-33073 is the only vulnerability listed as publicly known at the time of release, with CrowdStrike, Synacktiv, SySS GmbH, RedTeam Pentesting and Google Project Zero acknowledged for reporting the bug.

"CVE-2025-33073 is described as an elevation of privilege by Microsoft, but in reality it is an authenticated remote command execution as SYSTEM on any machine that does not enforce SMB signing."

Reflective Kerberos Relay Attack (CVE-2025-33073)

The path to exploitation requires the victim to connect to a malicious SMB server controlled by the attacker, ultimately leading to privilege escalation via a reflective Kerberos relay attack.

"The principle behind the attack is to force a Windows host to connect to the attacker's system via SMB and authenticate through Kerberos," RedTeam Pentesting said in a technical analysis. "The Kerberos ticket is then relayed back to the same host via SMB. The resulting SMB session has NT AUTHORITY\SYSTEM privileges, enough to execute arbitrary commands."
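Both quotes above make the same point from the defender's side: the relayed Kerberos ticket only yields a SYSTEM session if the victim's own SMB server accepts unsigned sessions. The following is an added example, not RedTeam Pentesting's or Microsoft's code, that parses a constructed `reg export` of the two SMB signing keys and reports whether the host would accept such a relayed session. The registry paths and the RequireSecuritySignature / EnableSecuritySignature value names are the real Windows locations; the sample values are made up, and treating a missing value as "not required" is an assumption noted in the code.

```python
import re
from typing import Dict

# Constructed sample of a .reg export covering the two SMB signing keys.
# The values are illustrative: this host has client-side signing required but
# server-side signing only enabled (negotiated), not required.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters]
"RequireSecuritySignature"=dword:00000001
"""

SERVER_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters"
CLIENT_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters"

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the subset of .reg syntax needed here: [key] sections and dword values."""
    values: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            values.setdefault(current, {})
            continue
        dword = DWORD_RE.match(line)
        if dword and current is not None:
            values[current][dword.group(1)] = int(dword.group(2), 16)
    return values


def smb_signing_status(values: Dict[str, Dict[str, int]]) -> Dict[str, bool]:
    """Report whether the server (inbound) and client (outbound) sides require signing."""
    server = values.get(SERVER_KEY, {})
    client = values.get(CLIENT_KEY, {})
    # Assumption: a missing RequireSecuritySignature is treated as "not required".
    # The effective default depends on Windows version and role, so confirm on the host.
    return {
        "server_requires_signing": server.get("RequireSecuritySignature", 0) == 1,
        "client_requires_signing": client.get("RequireSecuritySignature", 0) == 1,
    }


def relay_assessment(status: Dict[str, bool]) -> str:
    """The reflective relay lands on this host's SMB server, so that side decides."""
    if status["server_requires_signing"]:
        return "hardened: inbound SMB signing is required, so a relayed session is rejected"
    return "exposed: the SMB server does not require signing, so a relayed session can be accepted"


if __name__ == "__main__":
    status = smb_signing_status(parse_reg_export(SAMPLE_REG_EXPORT))
    print(status)
    print(relay_assessment(status))
```

Note that the client-side setting does not help here: the coerced host is the client in the first leg of the attack, but it is the server in the second leg, where the ticket is replayed against it, so "RequireSecuritySignature" under LanmanServer is the one that matters for this flaw (alongside the June patch).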

Adam Barnett, lead software engineer at Rapid7, said exploitation of CVE-2025-33071 requires attackers to abuse a cryptographic flaw and win a race condition.

"The bad news is that Microsoft considers exploitation more likely regardless, and the KDC Proxy itself is likely to be exposed to untrusted networks, since it helps make trusted assets more accessible without requiring a direct TCP connection from a client on an untrusted network to a domain controller."

Lastly, Microsoft has shipped a patch to address a Secure Boot bypass bug (CVE-2025-3052, CVSS score: 6.7) discovered by Binarly that allows untrusted software to run.

"A vulnerability exists in UEFI applications signed with Microsoft's third-party UEFI certificate that allows attackers to bypass UEFI Secure Boot," Redmond said in an alert. "An attacker who successfully exploited this vulnerability could bypass Secure Boot."

In an advisory released Tuesday, the CERT Coordination Center (CERT/CC) said the vulnerability is rooted in the Unified Extensible Firmware Interface (UEFI) applications DTBIOS and BIOSFLASHSHELL, which use specially crafted NVRAM variables to enable a Secure Boot bypass.

"The vulnerability stems from the improper handling of a runtime NVRAM variable that enables an arbitrary write primitive capable of modifying critical firmware structures, including the global Security2 Architectural Protocol used for Secure Boot validation," CERT/CC said.

"Because the affected applications are signed by the Microsoft UEFI Certificate Authority, this vulnerability could be exploited on any UEFI-compliant system, potentially allowing unsigned code to be executed during the boot process."

Successful exploitation of the vulnerability can allow unsigned or malicious code to be executed even before the operating system loads, enabling attackers to survive reboots and deploy persistent malware that can disable security software.

Microsoft, however, is not affected by CVE-2025-4275 (also known as Hydroph0bia), another Secure Boot bypass vulnerability present in Insyde H2O UEFI applications that allows digital certificate injection through an unprotected NVRAM variable ("SecureFlashCertData").

"The issue arises from the insecure use of an NVRAM variable, which is used as trusted storage for a digital certificate in the trust verification chain," CERT/CC said. "Attackers can store their own certificate in this variable and then run arbitrary firmware (signed with the injected certificate) during the early boot process within the UEFI environment."

Software patches from other vendors

Besides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including:

  • Adobe
  • Amazon Web Services
  • AMD
  • Arm
  • Atlassian
  • AutomationDirect
  • Bosch
  • Broadcom (including VMware)
  • Canon
  • Cisco
  • D-Link
  • Dell
  • Drupal
  • F5
  • Fortinet
  • GitLab
  • Google Android and Pixel
  • Google Chrome
  • Google Cloud
  • Hitachi Energy
  • Website
  • HP Enterprise (including Aruba Networking)
  • IBM
  • Intel
  • Insyde
  • Ivanti
  • Jenkins
  • Juniper Networks
  • Lenovo
  • Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitel
  • Mitsubishi Electric
  • Moxa
  • Mozilla Firefox and Thunderbird
  • NVIDIA
  • Palo Alto Networks
  • Phoenix Technologies
  • QNAP
  • Qualcomm
  • Roundcube
  • Salesforce
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • SolarWinds
  • SonicWall
  • Splunk
  • Spring Framework
  • Synology
  • Trend Micro Apex Central, Apex One, Endpoint Encryption Policy Server, and WFBS
  • Veritas
  • Zimbra
  • Zoho ManageEngine Exchange Reporter Plus and OpManager
