CVE-2025-33053
Published: 10 June 2025
Summary
CVE-2025-33053 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2025-33053 is an external control of file name or path vulnerability in Internet Shortcut Files that enables remote code execution over a network. The flaw, tracked under CWE-73, carries a CVSS 3.1 score of 8.8 and affects how Windows handles .url shortcut files, particularly through WebDAV interactions.
An unauthenticated attacker can exploit the issue by supplying a malicious Internet Shortcut File that the victim opens, triggering code execution on the target system. The attack requires user interaction but needs no privileges and results in full compromise of confidentiality, integrity, and availability.
Microsoft has published remediation guidance in its security update guide, while multiple security vendors have released detailed analyses of the flaw and associated attack chains. The vulnerability was exploited in the wild as a zero-day by the Stealth Falcon APT group against a Turkish defense organization to deliver malware, and the EPSS score remains elevated near its recorded peak of 0.5487.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-17721
Vulnerability details
External control of file name or path in Internet Shortcut Files allows an unauthorized attacker to execute code over a network.
- CWE(s): CWE-73 (External Control of File Name or Path)
- KEV Date Added: 10 June 2025
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of externally supplied file names and paths in Internet Shortcut Files before they are processed, blocking the CWE-73 vector at its root.
- SI-3 (Malicious Code Protection): mandates automated malicious-code detection and blocking for untrusted files such as malicious .url shortcuts delivered over the network or WebDAV.
- SC-18 (Mobile Code): restricts acceptance and execution of mobile code (Internet Shortcut Files) from untrusted sources, limiting the network-based code-execution path.
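The SI-10 and SI-3 controls above amount to one concrete check: before a .url file is trusted, inspect its path-bearing fields and refuse or quarantine any that point at a remote host. The script below is an added defensive example written for this page, not Microsoft's code or any vendor's detection logic. It parses the INI-style [InternetShortcut] section, flags UNC paths (including the host@port form Windows uses for WebDAV shares) and remote file:// URLs, and treats a web URL in a field that should hold a local path as suspicious. The choice of WorkingDirectory and IconFile as the local-path keys to check, and the sample shortcut contents, are assumptions constructed for the example.

```python
"""Flag Internet Shortcut (.url) files whose path fields point at remote
locations. Illustrative detection heuristic; not vendor code."""
import configparser
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Keys in [InternetShortcut] that are expected to hold LOCAL paths.
# Assumption: these are the path-bearing keys worth checking.
LOCAL_PATH_KEYS = ("workingdirectory", "iconfile")

# \\host\share or \\host@port\share (Windows' UNC form for WebDAV shares);
# either way the target is a remote host.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    reason: str


def _remote_reason(value: str, local_only: bool) -> Optional[str]:
    """Return why *value* is remote, or None if it looks local/benign."""
    v = value.strip()
    if UNC_RE.match(v):
        return "UNC path to remote host"
    parts = urlsplit(v)
    scheme = parts.scheme.lower()
    if scheme == "file" and parts.netloc not in ("", "localhost"):
        return "file:// URL with remote host"
    if local_only and scheme in ("http", "https"):
        return "web URL in a local-path field"
    return None


def find_remote_paths(text: str) -> List[Finding]:
    """Parse .url contents and return every remote-pointing path field.

    Raises configparser.Error on malformed input; a caller that wants
    unparsable files treated as suspicious should catch it and quarantine.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # .url keys are case-insensitive
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return []
    findings: List[Finding] = []
    for key, value in parser.items("InternetShortcut"):
        if key == "url":
            # URL= legitimately holds web URLs; only UNC/remote file:// count.
            reason = _remote_reason(value, local_only=False)
        elif key in LOCAL_PATH_KEYS:
            reason = _remote_reason(value, local_only=True)
        else:
            continue
        if reason:
            findings.append(Finding(key, value.strip(), reason))
    return findings


# Constructed samples (not real malware). 203.0.113.7 is an RFC 5737
# documentation address.
BENIGN_URL = (
    "[InternetShortcut]\n"
    "URL=https://example.com/docs\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
    "IconIndex=13\n"
)
SUSPICIOUS_URL = (
    "[InternetShortcut]\n"
    "URL=https://example.com/docs\n"
    "WorkingDirectory=\\\\203.0.113.7\\share\n"
    "IconFile=\\\\203.0.113.7\\share\\icon.ico\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL), ("suspicious", SUSPICIOUS_URL)):
        hits = find_remote_paths(sample)
        print(f"{name}: {'QUARANTINE' if hits else 'ok'}")
        for f in hits:
            print(f"  {f.key}={f.value}  ({f.reason})")
```

In a mail gateway or endpoint scanner this check would run on every .url attachment or download before the shell is allowed to resolve it; any Finding is grounds to block the file under SI-3 and to log the remote host for investigation.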