Cyber Resilience

CVE-2025-33053

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 June 2025
Modified: 27 October 2025
KEV Added: 10 June 2025
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5028 (97.9th percentile)
Risk Priority: 68 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-33053 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-33053 is an external control of file name or path vulnerability in Internet Shortcut Files that enables remote code execution over a network. The flaw, tracked under CWE-73, carries a CVSS 3.1 score of 8.8 and affects Windows handling of .url shortcut files, particularly through WebDAV interactions.

An unauthenticated attacker can exploit the issue by supplying a malicious Internet Shortcut File that the victim opens, triggering code execution on the target system. The attack requires user interaction but needs no privileges and results in full compromise of confidentiality, integrity, and availability.

Microsoft has published remediation guidance in its security update guide, while multiple security vendors have released detailed analyses of the flaw and associated attack chains. The vulnerability was exploited in the wild as a zero-day by the Stealth Falcon APT group against a Turkish defense organization to deliver malware, and the EPSS score remains elevated near its recorded peak of 0.5487.

EU & UK References

Vulnerability details

External control of file name or path in Internet Shortcut Files allows an unauthorized attacker to execute code over a network.

CWE(s): CWE-73
KEV Date Added: 10 June 2025

Related Threats

Threat-Actor Attribution AI

Check Point Research, BleepingComputer and The Record attribute exploitation of this WebDAV zero-day to Stealth Falcon (June 2025 reporting).

Affected Assets

microsoft windows 10 1507: ≤ 10.0.10240.21034
microsoft windows 10 1607: ≤ 10.0.14393.8148
microsoft windows 10 1809: ≤ 10.0.17763.7434
microsoft windows 10 21h2: ≤ 10.0.19044.5965
microsoft windows 10 22h2: ≤ 10.0.19045.5965
microsoft windows 11 22h2: ≤ 10.0.22621.5472
microsoft windows 11 23h2: ≤ 10.0.22631.5472
microsoft windows 11 24h2: ≤ 10.0.26100.4270
microsoft windows server 2008: all versions, r2
microsoft windows server 2012: all versions, r2
+5 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation
prevent

Directly requires validation of externally supplied file names and paths in Internet Shortcut Files before they are processed, blocking the CWE-73 vector at its root.

SI-3 Malicious Code Protection
prevent

Mandates automated malicious-code detection and blocking for untrusted files such as malicious .url shortcuts delivered over the network or WebDAV.

SC-18 Mobile Code partial match
prevent

Restricts acceptance and execution of mobile code (Internet Shortcut Files) from untrusted sources, limiting the network-based code-execution path.
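
One way to apply the SI-10 input-validation control at a mail or file gateway, as an added example that is not from the original page or from Microsoft: it parses a .url file and reports every field whose value points at a UNC, WebDAV or remote file:// location. The page does not say which field carries the attacker-controlled path, so every key is checked; the function name and the sample files are constructed for illustration.

```python
import configparser
import re

# UNC path, including the WebDAV redirector forms \\host@SSL\... and \\host@8080\...
UNC_RE = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/@]+)(?P<dav>@[^\\/]+)?[\\/]")
# file:// URL with a non-empty authority, i.e. a path on another host
FILE_URL_RE = re.compile(r"^file://(?P<host>[^/\\]+)[/\\]", re.IGNORECASE)


def remote_references(url_text):
    """Return (section, key, value, kind) for each field that names a remote path."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep the key's original case for reporting
    try:
        parser.read_string(url_text)
    except configparser.Error:
        # Not a well-formed INI file: let the caller quarantine it.
        return [("", "", "", "malformed")]
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip().strip('"')
            unc = UNC_RE.match(value)
            remote_file = FILE_URL_RE.match(value)
            if unc:
                dav = unc.group("dav") or "davwwwroot" in value.lower()
                findings.append((section, key, value, "webdav-unc" if dav else "unc"))
            elif remote_file and remote_file.group("host").lower() != "localhost":
                findings.append((section, key, value, "file-url"))
    return findings


# Constructed samples (hypothetical hosts, not taken from any real incident).
BENIGN = """[InternetShortcut]
URL=https://intranet.example.test/portal
IconIndex=0
"""
SUSPECT = r"""[InternetShortcut]
URL=https://intranet.example.test/portal
IconFile=\\files.example.test@SSL\DavWWWRoot\icons\app.ico
IconIndex=0
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, remote_references(text))
```

A non-empty result is a reason to quarantine or strip the shortcut before it reaches a user; it does not replace installing the vendor update.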

References