
Microsoft has disclosed a serious zero-day vulnerability in the Web Distributed Authoring and Versioning (WebDAV) protocol, identified as CVE-2025-33053, with a CVSS score of 8.8. Actively exploited by the Stealth Falcon APT group, this vulnerability enables remote code execution (RCE) and poses a significant threat to organizations that use WebDAV services. Continue reading this Cybersecurity Threat Advisory to learn more.
What is the threat?
This critical zero-day vulnerability in the WebDAV protocol enables RCE through the external control of file names or paths. The vulnerability is actively exploited in the wild by the Stealth Falcon APT group, who are using malicious .url files to execute code from actor-controlled WebDAV servers, particularly targeting Middle Eastern organizations and Turkish defense entities. This is the first recorded zero-day vulnerability in WebDAV.
Affected products and versions:
- Protocol name: Web Distributed Authoring and Versioning (WebDAV)
- Affected version(s): Windows Server 2025 (Server Core installation), Windows Server 2022, Windows Server 2019, Windows Server 2016
- Affected CPE(s):
  - cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:(x86, x64)*
  - cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:(x86, x64)*
  - cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:(x86, x64)*
  - cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:(arm64, x86, x64)*
  - cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:(arm64, x86, x64)*
  - cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:(arm64, x64)*
  - cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:(arm64, x64)*
  - cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:(arm64, x64)*
  - cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:(x86, x64)*
  - cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  - cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  - cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  - cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  - cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  - cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  - cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:x64:*
  - cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:x64:*
Why is it noteworthy?
This vulnerability carries critical severity and poses a significant risk to organizations that rely on WebDAV services for file management and collaboration. The fact that it has been actively exploited in the wild by the Stealth Falcon APT group underscores the urgency for organizations to apply the necessary patches. Additionally, the ability to execute arbitrary code remotely through external control of file paths presents a severe threat to data integrity and confidentiality, making it a prime target for nation-state actors and cybercriminals.
What is the exposure or risk?
Organizations using WebDAV services are at significant risk if they do not address this vulnerability. The exposure includes:
- Data breach: Attackers can gain remote access to sensitive corporate files and systems through WebDAV manipulation, potentially leading to data breaches and compliance violations.
- System compromise: Exploitation of this vulnerability allows RCE, enabling attackers to install malware, establish persistence, and move laterally through networks.
- Espionage activities: The Stealth Falcon APT group’s active exploitation demonstrates the vulnerability’s use for cyber espionage, particularly targeting government and defense organizations.
- Operational disruption: Successful attacks can disrupt business operations, resulting in system downtime, data corruption, and a loss of productivity across file-sharing and collaboration platforms.
- Reputation damage: A successful attack could damage an organization’s reputation, eroding customer trust and confidence, particularly given the high-profile nature of this zero-day vulnerability.
The risk is compounded by the fact that this vulnerability is being actively exploited by sophisticated threat actors, requires no authentication, and affects a widely deployed protocol, making immediate remediation essential.
What are the recommendations?
Barracuda recommends the following actions to limit the impact of CVE-2025-33053:
- Apply the Microsoft June 2025 Patch Tuesday updates immediately to address the vulnerability across all Windows systems running WebDAV services.
- Disable the WebDAV service entirely if it is not business-critical to eliminate the attack surface.
- Implement enhanced monitoring for unusual WebDAV traffic, suspicious file path requests, and indicators of compromise related to Stealth Falcon APT activities.
- Review and update security policies to reflect the evolving threat landscape. Ensure strict enforcement of network access controls for WebDAV services.
- Isolate systems running WebDAV services and restrict network access to only necessary users and systems through effective network segmentation.
- Educate IT staff through training sessions to recognize potential exploitation attempts and understand the importance of applying security updates promptly.
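As an added example that is not part of the Barracuda advisory, the following PowerShell script audits a single Windows host against the first two recommendations: it reports the state of the Windows WebDAV client (the WebClient service, which is the component Windows uses to reach WebDAV shares, including the ones a malicious .url file would point at), optionally stops and disables that service, and lists the updates installed on or after the June 2025 Patch Tuesday so an administrator can confirm the cumulative update is present. The choice of the WebClient service as the client-side WebDAV component and the Patch Tuesday date of June 10, 2025 are this example's assumptions, not statements taken from the advisory; server-side WebDAV publishing in IIS is a separate feature and is not touched here.

```powershell
# Added example, not code from the advisory. Run from an elevated PowerShell prompt.
# Assumptions (not from the advisory):
#   - The Windows WebDAV client is the "WebClient" service (the WebDAV Mini-Redirector).
#   - The June 2025 Patch Tuesday fell on 2025-06-10.
[CmdletBinding()]
param(
    # When set, stop the WebClient service and prevent it from starting again.
    [switch]$Disable
)

$patchTuesday = Get-Date '2025-06-10'

# 1. State of the WebDAV client (WebClient service).
#    On servers the service only exists when the WebDAV Redirector feature is installed.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'WebClient service not present on this host (WebDAV client not installed).'
} else {
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Output ('WebClient service: Status={0} StartMode={1}' -f $svc.Status, $startMode)

    if ($Disable) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name WebClient -Force
        }
        Set-Service -Name WebClient -StartupType Disabled
        Write-Output 'WebClient service stopped and set to Disabled.'
    } elseif ($startMode -ne 'Disabled') {
        Write-Warning 'WebDAV client is enabled; re-run with -Disable if WebDAV is not business-critical.'
    }
}

# 2. Updates installed on or after the June 2025 Patch Tuesday.
#    InstalledOn can be empty for some entries, so filter those out before comparing.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object -Property InstalledOn -Descending

if ($recent) {
    Write-Output ("Updates installed since {0}:" -f $patchTuesday.ToString('yyyy-MM-dd'))
    $recent | Select-Object -Property HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning ("No updates installed since {0}; confirm the June 2025 cumulative update has been applied." -f $patchTuesday.ToString('yyyy-MM-dd'))
}
```

Run it once without switches to get an inventory line for the host, and with `-Disable` on machines where the first recommendation (patch) cannot be applied immediately and WebDAV is not needed. Disabling the service is reversible with `Set-Service -Name WebClient -StartupType Manual`, so it is a reasonable interim control while patch deployment is in progress.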
References
For more in-depth information about the recommendations, please visit the following links:
- https://nvd.nist.gov/vuln/detail/CVE-2025-33053
- https://www.bleepingcomputer.com/news/security/stealth-falcon-hackers-exploited-windows-webdav-zero-day-to-drop-malware/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.