Bypass Record

Exploitation for Priv-Esc × Microsoft Windows (WebDAV component)

A publicly-reported instance of Exploitation for Priv-Esc bypassing Microsoft Windows (WebDAV component), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows (WebDAV component)
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2025-06-10
Config / version noted: Not stated

Provenance

Reported as

exploited a zero-day remote code execution vulnerability (CVE-2025-33053) in Windows WebDAV

Mechanism

A malicious .url file points to iediagcmd.exe but sets the working directory to an attacker-controlled WebDAV server. Due to .NET Process.Start() search order, the legitimate tool loads and executes a malicious route.exe from the remote server via process hollowing, bypassing signature-based defenses.

Detection & mitigation

Monitor for unexpected network connections from diagnostic tools like iediagcmd.exe, especially to external WebDAV servers (port 80/443 with WebDAV methods). Deploy attack surface reduction rules to block executable content from WebDAV and restrict .url file handling from untrusted sources.
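
One way to triage .url files for the pattern described under Mechanism, as an added example that is not from the cited source. The WebDAV path form (\\host@SSL@443\DavWWWRoot\...), the host name, the iediagcmd.exe install path and the function names are assumptions, and both samples are constructed.

```python
import configparser
import re

# Leading \\host or //host marks a remote (UNC) path.
UNC = re.compile(r"^(?:\\\\|//)[^\\/]+")
# Assumption: WebDAV redirector paths look like \\host@SSL@443\DavWWWRoot\...
WEBDAV_HINT = re.compile(r"@ssl|@\d+|davwwwroot", re.IGNORECASE)
WEB_SCHEMES = ("http://", "https://")

def is_remote(path):
    """True for UNC paths and http(s) locations."""
    return bool(UNC.match(path)) or path.lower().startswith(WEB_SCHEMES)

def audit_url_shortcut(text):
    """Return findings for the contents of one .url (Internet Shortcut) file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable shortcut ({type(exc).__name__})"]
    name = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if name is None:
        return []
    target = cp[name].get("URL", "").strip()
    workdir = cp[name].get("WorkingDirectory", "").strip()
    findings = []
    if is_remote(workdir):
        plain_unc = UNC.match(workdir) and not WEBDAV_HINT.search(workdir)
        kind = "UNC" if plain_unc else "WebDAV"
        findings.append(f"remote working directory ({kind}): {workdir}")
        # Pattern in this record: a local tool started from a remote directory.
        if target.lower().endswith(".exe") and not is_remote(target):
            exe = re.split(r"[\\/]", target)[-1]
            findings.append(f"local executable {exe} started from remote directory")
    return findings

# Constructed samples; the host name and install path are placeholders.
SUSPICIOUS = r"""[InternetShortcut]
URL=C:\Program Files\Internet Explorer\iediagcmd.exe
WorkingDirectory=\\files.example.test@SSL@443\DavWWWRoot\share
"""
BENIGN = "[InternetShortcut]\nURL=https://example.test/docs\n"

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_url_shortcut(text))
```

A hit is a triage signal for mail attachments and download folders, to be correlated with the network monitoring described above.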

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.