CVE-2025-33053
CVE-2025-33053 is tracked here through 3 Sigma detections for exploitation attempts and related post-exploitation behavior observed in 2025. Coverage centers on windows / image_load, windows / process_access, windows / process_creation.
Potential Exploitation of RCE Vulnerability CVE-2025-33053
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation.
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.