Reference Number: ACG-CSB 061825396

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

Clicking on what seems to be a simple office document can sometimes lead to a hidden cyberattack. This is the case with a newly discovered Windows vulnerability that allows attackers to run harmful code using a feature called Web Distributed Authoring and Versioning.

Web Distributed Authoring and Versioning (WebDAV) is a Windows feature that allows people to access and manage files stored on another computer over the internet, as if those files were on their own computer. It is often used in offices where teams need to work on shared documents from different places. With WebDAV, users can open, edit, move, or save files remotely without sending them back and forth. However, if not properly secured, this feature can be misused by threat actors to trick the system into running harmful files, which is why updates and a cautious setup are important.

By disguising a shortcut file and linking it to a server controlled by a threat actor, attackers can quietly take advantage of trusted Windows tools to launch their attack. This security issue, known as CVE‑2025‑33053, has already been used in real-world incidents. Learning how it works and how to stay protected is important for anyone using a Windows system. CVE, which stands for Common Vulnerabilities and Exposures, is a public database that lists known cybersecurity weaknesses to help organizations identify and fix security risks.

This vulnerability becomes a serious issue because it can happen just by opening a file that seems normal. The threat actor doesn’t need to be on the same network. If the file is opened, the computer can be controlled by the attacker, depending on what the user is allowed to do on the system. This can lead to theft of personal files, spying, or even installation of other dangerous software, because the threat actor uses a method that takes advantage of how trusted Windows programs choose which files to run. The attackers set up a WebDAV server that they control and place a harmful file in it, using a name that a trusted Windows program usually looks for. They then send a shortcut file (.url) that tricks the system into launching a trusted tool, like route.exe, with its working folder set to that WebDAV server. When the tool runs, it automatically loads the malicious file from the attacker’s server, allowing harmful code to run without alerting the victim or triggering security warnings.

In an office setting, an employee might receive an email with a file that appears to be a routine document, like a PDF report or form. Trusting the source, the employee clicks the file, unaware that it is actually a shortcut linked to a WebDAV server controlled by an attacker. This action triggers a trusted Windows tool, such as print.exe or colorcpl.exe, to run with its working directory set to that server. Because the tool looks for certain files in its starting folder, it ends up loading a harmful file the attacker placed there. Since the program is trusted by the system, no warnings appear, and the malicious code runs quietly in the background. This method allows attackers to bypass security measures and gain control without raising suspicion.
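A defender-side check for the behaviour described above, added here as an example and not part of the bulletin: it scans process-creation records for Windows programs whose working directory is a WebDAV share, which is the pattern CVE-2025-33053 relies on. The records are constructed in a Sysmon-style (Event ID 1) layout; the field names, the WebDAV UNC path forms and the approved-host list are assumptions for illustration.

```python
"""Flag process starts whose working directory sits on a WebDAV share (added example)."""
import re

# Trusted Windows programs the bulletin names as being launched from a WebDAV folder.
WATCHED_BINARIES = {"route.exe", "print.exe", "colorcpl.exe"}

# WebDAV hosts the organisation uses legitimately (assumed value; adjust per environment).
APPROVED_WEBDAV_HOSTS = {"docs.example.internal"}

# WebDAV UNC shapes handled by the Windows WebClient redirector (assumed forms):
#   \\host@80\DavWWWRoot\...   \\host@SSL@443\...   \\host@SSL\...   \\host\DavWWWRoot\...
WEBDAV_UNC = re.compile(
    r"^\\\\(?P<host>[^\\@]+)"                       # \\host
    r"(?:(?:@ssl)?@\d+\\|@ssl\\|\\davwwwroot\\)",    # @80\  @SSL@443\  @SSL\  \DavWWWRoot\
    re.IGNORECASE,
)

def webdav_host(path):
    """Return the WebDAV host if `path` is a WebDAV UNC path, otherwise None."""
    m = WEBDAV_UNC.match(path.strip())
    return m.group("host").lower() if m else None

def classify(event):
    """Return None (benign) or a severity string for one process-creation record."""
    host = webdav_host(event.get("CurrentDirectory", ""))
    if host is None:
        return None                      # local or plain SMB working directory
    name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if name in WATCHED_BINARIES:
        return "high"                    # system tool started from a WebDAV folder
    if host in APPROVED_WEBDAV_HOSTS:
        return None                      # ordinary document work on a known corporate share
    return "medium"                      # other program run from an unknown WebDAV server

def find_suspicious(events):
    """Return (image, webdav host, severity) for every record that is not benign."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((ev["Image"], webdav_host(ev["CurrentDirectory"]), sev))
    return hits

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"Image": r"C:\Windows\System32\route.exe", "CommandLine": "route.exe",
     "CurrentDirectory": r"\\203.0.113.5@80\DavWWWRoot\reports"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "budget.docx"',
     "CurrentDirectory": r"\\docs.example.internal@SSL\DavWWWRoot\finance"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt",
     "CurrentDirectory": r"\\198.51.100.7@SSL@443\share"},
    {"Image": r"C:\Windows\System32\colorcpl.exe", "CommandLine": "colorcpl.exe",
     "CurrentDirectory": r"C:\Users\alice\Documents"},
]

if __name__ == "__main__":
    for image, host, sev in find_suspicious(SAMPLE_EVENTS):
        print(f"[{sev}] {image} started with working directory on WebDAV host {host}")
```

The same rule can be fed from an exported Sysmon or EDR process-creation log by mapping its working-directory and image fields onto `CurrentDirectory` and `Image`.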

To stay safe, it’s important to install the latest updates from Microsoft. These updates fix the problem so attackers can’t use it anymore. It also helps to turn off WebDAV if it’s not needed. Being careful with files from unknown sources and not opening strange shortcuts can also help prevent this type of attack.

RECOMMENDATION

The public is encouraged to follow these safety tips to help prevent falling victim to this security issue:

  • Install the latest Microsoft security update from June 2025. This update fixes the weakness in Windows that allows attackers to run harmful files through WebDAV. Installing the update blocks known methods used in current attacks;
  • Use firewalls to block WebDAV connections from the internet. Firewalls can stop outside connections from reaching WebDAV services. This prevents attackers from using their own servers to send harmful files to users;
  • Use antivirus software that scans new files and apps. Antivirus tools can block harmful files downloaded through WebDAV, even before they run. This adds another layer of protection if someone accidentally opens a dangerous file;
  • Scan the system regularly for weak spots that attackers might use. Tools that check for missing updates or unsafe settings can help fix problems before attackers find them. Regular scanning ensures the system stays protected as threats evolve; and
  • Keep backup copies of important data somewhere safe. If an attacker does manage to cause damage, backups allow recovery without paying ransom or losing information. The backups should not be connected to the network all the time.

For additional information, please refer to the following websites:

  • https://www.kaspersky.com/blog/cve-2025-33053-june-2025-patch-tuesday/53630/
  • https://socprime.com/blog/cve-2025-33053-zero-day-webdav-vulnerability/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-33053
  • https://www.cve.org/CVERecord?id=CVE-2025-33053

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Acting Chief, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.