
Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that has been exploited in the wild.
Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. The set includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.
The patches are in addition to 13 flaws the company has addressed in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.
The vulnerability that has been weaponized in real-world attacks is a remote code execution flaw in WebDAV (CVE-2025-33053, CVSS score: 8.8).
The tech giant credited Check Point researchers Alexandra Gofman and David Driker with discovering and reporting the bug. It is worth noting that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.
In a separate report, the cybersecurity firm attributed the abuse of CVE-2025-33053 to a threat actor known as Stealth Falcon (aka FruityArmor), which has a history of leveraging Windows zero-days in its attacks. In September 2023, the hacking group was observed using a backdoor called Deadglyph as part of espionage activity targeting entities in Qatar and Saudi Arabia.
“The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to run malware from an actor-controlled WebDAV server,” Check Point said. “CVE-2025-33053 allows remote code execution through working directory operations.”
In the attack chain observed against an unnamed Turkish defense company, the threat actor is said to have exploited CVE-2025-33053 to deliver the Horus Agent, a custom implant built for the Mythic command-and-control (C2) framework. The malicious payload used to initiate the attack, a URL shortcut file, is believed to have been sent as an archived attachment in a phishing email.
The URL file is used to launch iediagcmd.exe, a legitimate diagnostic utility for Internet Explorer, which is in turn used to launch another payload called Horus Loader.
“The implant, written in C++, shows no significant overlap with the known C-based Mythic agents, except for the commonality of general logic related to Mythic C2 communication,” Check Point said. “The loader ensures that some measures are implemented to protect the payload, but the threat actors have imposed additional precautions on the backdoor itself.”
These include string encryption and control-flow flattening, which complicate analysis efforts. The backdoor then connects to a remote server to collect system information, enumerate files and folders, download files from the server, inject shellcode into a running process, and receive tasks, including one to exit the program.
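As an added illustration of how a defender might hunt for the chain described above (URL shortcut, iediagcmd.exe, payload served from an actor-controlled WebDAV share), the following Python script applies a simple heuristic to constructed process-creation records. It is example code written for this page, not code from the article, Check Point, or Microsoft. The event shape, the WebDAV path markers (@SSL, DavWWWRoot), the host names, and the process IDs are all assumptions made for the sample.

```python
"""
Heuristic hunt for the CVE-2025-33053 attack chain: iediagcmd.exe started
with a remote (WebDAV/UNC) working directory, or a child of iediagcmd.exe
whose image lives on a remote share. All events below are constructed
samples in a Sysmon-like process-creation shape, not real telemetry.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    image: str              # full path of the newly created process
    parent_image: str       # full path of the parent process
    current_directory: str  # working directory of the new process
    command_line: str


# Assumption: Windows exposes WebDAV shares as UNC paths such as
# \\host@SSL\DavWWWRoot\... ; a plain UNC path is a weaker signal.
WEBDAV_MARKERS = ("@ssl", "davwwwroot")


def is_unc(path: str) -> bool:
    """True for a UNC path (starts with two backslashes)."""
    return path.startswith("\\\\")


def looks_like_webdav(path: str) -> bool:
    """True for a UNC path carrying a WebDAV redirector marker."""
    low = path.lower()
    return is_unc(path) and any(marker in low for marker in WEBDAV_MARKERS)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent):
    """Return (severity, reason) when the event matches the heuristic, else None."""
    image = basename(event.image)
    parent = basename(event.parent_image)
    if image == "iediagcmd.exe":
        if looks_like_webdav(event.current_directory):
            return ("high", "iediagcmd.exe started with a WebDAV working directory")
        if is_unc(event.current_directory):
            return ("medium", "iediagcmd.exe started with a remote (UNC) working directory")
    if parent == "iediagcmd.exe" and is_unc(event.image):
        return ("high", "child of iediagcmd.exe executed from a remote share")
    return None


def scan(events):
    """Return [(pid, severity, reason)] for every matching event."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            hits.append((event.pid, verdict[0], verdict[1]))
    return hits


# Constructed sample events (host name and PIDs are placeholders).
SAMPLE_EVENTS = [
    # Benign: a user runs the diagnostic tool from a local folder.
    ProcessEvent(4211, r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                 r"C:\Windows\explorer.exe", r"C:\Users\alice", "iediagcmd.exe"),
    # Suspicious: the same tool, but its working directory is a WebDAV share.
    ProcessEvent(4212, r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                 r"C:\Windows\explorer.exe",
                 r"\\webdav.example.invalid@SSL\DavWWWRoot\share", "iediagcmd.exe"),
    # Suspicious: a child of iediagcmd.exe whose image sits on that share.
    ProcessEvent(4213, r"\\webdav.example.invalid@SSL\DavWWWRoot\loader.exe",
                 r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                 r"\\webdav.example.invalid@SSL\DavWWWRoot\share", "loader.exe"),
    # Benign: iediagcmd.exe legitimately spawns a local system binary.
    ProcessEvent(4214, r"C:\Windows\System32\ipconfig.exe",
                 r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                 r"C:\Users\alice", "ipconfig.exe /all"),
]


if __name__ == "__main__":
    for pid, severity, reason in scan(SAMPLE_EVENTS):
        print(f"pid={pid} severity={severity} reason={reason}")
```

The second and third sample events are the ones that should fire; the first and fourth are expected to stay quiet, which is the point of keying on the working directory and the child's image path rather than on iediagcmd.exe alone, since the utility is legitimately present on Windows and legitimately spawns local helpers.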

The Horus Agent is assessed to be an evolution of a customized Apollo implant, an open-source .NET agent for the Mythic framework that was previously used by Stealth Falcon between 2022 and 2023.
“Horus is a more advanced version of the threat group's custom Apollo implant that has been rewritten, improved, and refactored in C++,” Check Point said.
“Like the Horus version, the Apollo version introduces a wide range of victim fingerprinting capabilities, while limiting the number of supported commands. This allows the threat actors to focus on stealthy identification of infected machines and next-stage payload delivery, while keeping the implant size significantly smaller than the full agent.”
The company also said it observed the threat actor leveraging several previously undocumented tools, including the following:
- A credential dumper that targets an already compromised domain controller to steal files related to Active Directory and domain controller credentials
- A passive backdoor
- A keylogger that has no dedicated C2 mechanism of its own, meaning it likely works in conjunction with another component that retrieves the captured file for the attacker
“Stealth Falcon uses commercial code obfuscation and protection tools, as well as custom modified versions tailored to the various payload types,” Check Point said. “This makes the tools more difficult to reverse engineer and complicates tracking technical changes over time.”
Active exploitation of CVE-2025-33053 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fix by July 1, 2025.
“What is particularly concerning about this flaw is the widespread use of WebDAV in enterprise environments for remote file sharing and collaboration,” says Mike Walters, president and co-founder of Action1. “Many organizations enable WebDAV for legitimate business needs, often without a complete understanding of the security risks it introduces.”
The most severe vulnerability resolved by Microsoft is a privilege escalation flaw in Power Automate (CVE-2025-47966, CVSS score: 9.8) that could allow an attacker to elevate privileges over a network. No customer action is needed to mitigate the bug, however.
Other notable vulnerabilities include privilege escalation flaws in the Common Log File System (CLFS) driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1), and the Windows SMB client (CVE-2025-33073, CVSS score: 8.8), as well as a flaw in the Windows KDC Proxy Service (CVE-2025-33071, CVSS score: 8.1).
“Over the past few months, the CLFS driver has become a consistent focus for both threat actors and security researchers due to its exploitation in multiple ransomware operations,” says Immersive’s lead cybersecurity engineer.
“This is classified as a heap-based buffer overflow, a type of memory corruption vulnerability. The attack complexity is considered low, allowing attackers to exploit it to escalate privileges.”
Adam Barnett, lead software engineer at Rapid7, said that exploitation of CVE-2025-33071 requires attackers to exploit a cryptographic flaw and win a race condition.
“The bad news is that Microsoft considers exploitation more likely regardless, and the KDC proxy itself is likely to be exposed to untrusted networks, since it helps make trusted assets easier to access without the need for a direct TCP connection from a client on an untrusted network to a domain controller.”
Lastly, Microsoft has shipped a patch to fix a Secure Boot bypass bug (CVE-2025-3052, CVSS score: 6.7) discovered by Binarly that allows untrusted software to run.

“A vulnerability exists in UEFI applications signed with Microsoft’s third-party UEFI certificate, which allows attackers to bypass UEFI Secure Boot,” Redmond said in an alert. “An attacker who successfully exploited this vulnerability could bypass Secure Boot.”
In an advisory released Tuesday, the CERT Coordination Center (CERT/CC) said the vulnerability is rooted in the Unified Extensible Firmware Interface (UEFI) applications DTBios and BiosFlashShell, which use specially crafted NVRAM variables to allow a Secure Boot bypass.
“The vulnerability is attributed to improper handling of runtime NVRAM variables, which allows for an arbitrary write primitive that can modify critical firmware structures, including the global Security2 Architectural Protocol used for Secure Boot validation,” CERT/CC said.
“Because the affected applications are signed by the Microsoft UEFI Certificate Authority, this vulnerability could be exploited on any UEFI-compliant system, which could allow unsigned code to be executed during the boot process.”
Successful exploitation of the vulnerability can allow unsigned or malicious code to be executed even before the operating system is loaded, giving attackers the ability to install persistent malware that survives reboots and can disable security software.
Microsoft, however, is not affected by CVE-2025-4275 (also known as Hydroph0bia), another Secure Boot bypass vulnerability, present in Insyde H2O UEFI applications, that allows for the injection of digital certificates through an unprotected NVRAM variable (“SecureFlashCertData”) and the execution of arbitrary firmware.
“This issue arises from the insecure use of an NVRAM variable, which is used as trusted storage for digital certificates in the trust verification chain,” CERT/CC said. “Attackers can store their own certificate in this variable and then run any firmware (signed with the injected certificate) during the early boot process within the UEFI environment.”