Emerging Threathighexperimental

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Jun 1304fc4b22-91a6-495a-879d-0144fec5ec032025

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection_img_path:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    selection_img_bin:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

msrc.microsoft.com

Resolving title…

research.checkpoint.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control TA0002 · Execution TA0005 · Defense Evasion TA0008 · Lateral Movement

Techniques

T1218 · System Binary Proxy Execution T1105 · Ingress Tool Transfer

Other

detection.emerging-threatscve.2025-33053

Related Rules

SimilarEmerging Threathigh

Potential Exploitation of RCE Vulnerability CVE-2025-33053

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation.

Detects similar activity. Both rules may fire on overlapping events.

SimilarEmerging Threathigh

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

04fc4b22-91a6-495a-879d-0144fec5ec03

Status

experimental

Level

high

Type

Emerging Threat

Created

Fri Jun 13

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml

Raw Tags

attack.command-and-controlattack.executionattack.defense-evasionattack.t1218attack.lateral-movementattack.t1105detection.emerging-threatscve.2025-33053

View on GitHub