Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load

Rule Info

Name: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
Date: 2025-06-13 00:00:00
Modified: None
Id: 04fc4b22-91a6-495a-879d-0144fec5ec03
Tags: attack.execution attack.defense-evasion attack.t1218 attack.lateral-movement attack.t1105 detection.emerging-threats cve.2025-33053
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5479 from @swachchhanda000 - Webdav CVE-2025-33053 RCE vulnerability
Date: 2025-06-13
Commit: