CVE-2025-33053

HIGH KEV LAB

CVE-2025-33053 Exploit via Malicious .URL File and WebDAV

Title source: metasploit

Exploitation Summary

CVE-2025-33053 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 10, 2025. EIP tracks 6 public exploits from researchers including DevBuiHieu, 4n4s4zi, and kra1t0, as well as a Metasploit module, `exploits/windows/fileformat/unc_url_cve_2025_33053`.

AI-analyzed exploit summary: This repository provides scripts to deploy a WebDAV server and generate malicious `.url` shortcut files for phishing or lateral movement. The PoC leverages CVE-2025-33053 to trick victims into connecting to a malicious WebDAV server.

Description

External control of file name or path in Internet Shortcut Files allows an unauthorized attacker to execute code over a network.

Exploits (6)

nomisec WORKING POC 64 stars
by DevBuiHieu · client-side
https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept

This repository provides scripts to deploy a WebDAV server and generate malicious `.url` shortcut files for phishing or lateral movement. The PoC leverages CVE-2025-33053 to trick victims into connecting to a malicious WebDAV server.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Windows systems with vulnerable `.url` file handling
No auth needed
Prerequisites: Ubuntu 20.04 or newer · Root privileges · Python 3.x · Apache2
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by 4n4s4zi · client-side
https://github.com/4n4s4zi/CVE-2025-33053_PoC

This PoC exploits CVE-2025-33053 by leveraging a .url file to redirect Windows clients to a malicious WebDAV server, where a fake 'route.exe' binary is executed via DLL hijacking when 'iediagcmd.exe' is launched. The setup script automates the creation of a WebDAV server to host the malicious payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows (via Internet Explorer diagnostics executable 'iediagcmd.exe')
No auth needed
Prerequisites: Linux host for WebDAV server · Windows client to open the malicious .url file · Malicious 'route.exe' payload
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by kra1t0 · poc
https://github.com/kra1t0/CVE-2025-33053-WebDAV-RCE-PoC-and-C2-Concept

This repository contains a proof-of-concept exploit for CVE-2025-33053, demonstrating how a malicious `.url` file can be used to execute arbitrary code via WebDAV. The PoC includes a decoy PDF and simulates C2 behavior without actual malicious payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (1809 – 22H2), Windows 11 (21H2 – 23H2), Windows Server 2016 / 2019 / 2022
No auth needed
Prerequisites: WebClient service enabled · User interaction to open the `.url` file
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by TheTorjanCaptain · poc
https://github.com/TheTorjanCaptain/CVE-2025-33053-Checker-PoC

This repository contains a legitimate PoC and checker for CVE-2025-33053, a WebDAV-based RCE vulnerability in Windows systems. The PoC simulates a WebDAV server to detect PROPFIND requests, while the checker verifies system vulnerability via WebClient service and UNC path handling.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows systems with WebClient service enabled
No auth needed
Prerequisites: WebClient service running on target · UNC path resolution enabled · Network access to target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Cyberw1ng · poc
https://github.com/Cyberw1ng/CVE-2025-33053-POC

This repository contains a proof-of-concept exploit for CVE-2025-33053, demonstrating how a malicious `.url` file can be used to execute arbitrary code via WebDAV. The PoC includes a decoy PDF and simulates C2 behavior without actual malicious payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 (1809 – 22H2), Windows 11 (21H2 – 23H2), Windows Server 2016 / 2019 / 2022
No auth needed
Prerequisites: WebClient service enabled · User interaction to open the `.url` file
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Alexandra Gofman, David Driker, Dev Bui Hieu · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/unc_url_cve_2025_33053.rb

This Metasploit module exploits CVE-2025-33053 by generating a malicious .URL file that triggers unintended behavior via a trusted LOLBAS binary, optionally hosting a payload on a WebDAV directory for remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows (generic)
No auth needed
Prerequisites: Victim interaction to open the malicious .URL file · Network access to the attacker's SMB/WebDAV server
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.5028
EPSS Percentile: 97.9%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2025-06-10
VulnCheck KEV: 2025-06-10
ENISA EUVD: EUVD-2025-17721
CWE: CWE-73
Status: published
Products (17)
microsoft/windows_10_1507 < 10.0.10240.21034 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.8148 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.7434 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.5965 (3 CPE variants)
microsoft/windows_10_22h2 < 10.0.19045.5965 (3 CPE variants)
microsoft/windows_11_22h2 < 10.0.22621.5472 (2 CPE variants)
microsoft/windows_11_23h2 < 10.0.22631.5472 (2 CPE variants)
microsoft/windows_11_24h2 < 10.0.26100.4270 (2 CPE variants)
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_server_2008 r2 sp1
... and 7 more
Published Jun 10, 2025
KEV Added Jun 10, 2025
Tracked Since Feb 18, 2026