Potential Exploitation of RCE Vulnerability CVE-2025-33053

Rule Info

Name: Potential Exploitation of RCE Vulnerability CVE-2025-33053
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects potential exploitation of the remote code execution vulnerability CVE-2025-33053, in which an attacker gains unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities such as iediagcmd.exe or CustomShellHost.exe by manipulating their working directory to point at an attacker-controlled WebDAV server; because Process.Start() resolves unqualified executable names through a search order that the working directory influences, the utility launches a malicious executable (for example route.exe) from the WebDAV path instead of the legitimate system binary.
Date: 2025-06-13 00:00:00
Modified: None
Id: abe06362-a5b9-4371-8724-ebd00cd48a04
Tags: attack.execution attack.defense-evasion attack.t1218 attack.lateral-movement attack.t1105 detection.emerging-threats cve.2025-33053
Type: Community Rule

Rule History

Author                      | Title                                                                           | Date       | Commit
----------------------------|---------------------------------------------------------------------------------|------------|-------
Swachchhanda Shrawan Poudel | Merge PR #5479 from @swachchhanda000 - Webdav CVE-2025-33053 RCE vulnerability | 2025-06-13 |