Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access

Rule Info

Name: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.
Date: 2025-06-13 00:00:00
Modified: None
Id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
Tags: attack.execution attack.defense-evasion attack.t1218 attack.lateral-movement attack.t1105 detection.emerging-threats cve.2025-33053
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5479 from @swachchhanda000 - Webdav CVE-2025-33053 RCE vulnerability
Date: 2025-06-13
Commit: