Microsoft’s June 2025 Patch Tuesday and the WebDAV Vulnerability
On June 11, 2025, Microsoft released its monthly Patch Tuesday updates, addressing a range of security issues. Among the 66 to 67 fixes for the Windows ecosystem, one stood out as particularly urgent: a vulnerability in the Web Distributed Authoring and Versioning (WebDAV) protocol, already exploited by malicious actors. Known as CVE-2025-33053, this flaw demands immediate attention.
The Core Issue: WebDAV Vulnerability
CVE-2025-33053, a remote code execution (RCE) vulnerability in WebDAV, a protocol used to manage files on remote servers. Rated “Important” with a CVSS score of 8.8 out of 10, this flaw allows attackers to run malicious code over a network.
The attack is often triggered when a user clicks on a deceptive link or visits a malicious website, enabling what’s known as a drive-by download. The issue arises from how WebDAV processes commands like PUT and MOVE, especially when the service is misconfigured or exposed unnecessarily.
What’s concerning is the scope of impact. Every supported version of Windows—from older Server 2008 to the latest Windows 11 24H2 and the upcoming Server 2025—is at risk. Interestingly, Microsoft deprecated WebDAV in November 2023, meaning it’s no longer a recommended feature.
However, since it remains in many systems (even if disabled by default), Microsoft issued patches to close this gap. This situation underlines a key lesson: even outdated technology can pose significant risks if not properly managed.
Stealth Falcon’s Targeted Attacks
What elevates this vulnerability from a potential risk to a real-world concern is its active exploitation by Stealth Falcon, also known as FruityArmor, an advanced persistent threat (APT) group linked to the United Arab Emirates.
This group is known for targeting high-value entities, including government agencies, defense sectors, and critical infrastructure in the Middle East and Africa, spanning countries like Turkey, Qatar, Egypt, and Yemen.
Their approach is calculated and deceptive. The attack often begins with spear-phishing emails containing what appears to be a harmless PDF document. In reality, it’s a disguised internet shortcut (.url file) that connects to a malicious WebDAV server when clicked on.
From there, the attackers use legitimate Windows tools, such as iediagcmd.exe (an Internet Explorer diagnostics utility), to deploy custom malware called Horus Agent. This malware is built to evade detection and activate only on specific, high-value targets, underscoring the group’s focus on espionage rather than widespread disruption.
Other Patch Tuesday Fixes
While the WebDAV flaw grabbed headlines, Microsoft’s June 2025 Patch Tuesday addressed a broader set of concerns. The update included fixes for 9 to 11 other critical-severity vulnerabilities, each with the potential for remote code execution. These spanned various Windows components, including Microsoft SharePoint Server, Office, Windows Netlogon, Remote Desktop Services, and Schannel.
Additionally, a separate issue, CVE-2025-3052, was patched in a UEFI application signed with a trusted Microsoft third-party certificate, which could have allowed attackers to bypass Secure Boot protections. This range of fixes highlights the ongoing challenges of securing complex systems.
Steps to Prevent Your Organization
Considering these threats, Microsoft and cybersecurity experts are urging organizations to take swift action. Here are practical steps to protect your systems:
Action Required
To ensure comprehensive protection, organizations must take the following additional steps as part of their response strategy. Partner with Auriseg and apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Acting swiftly on these recommendations is critical to minimizing risk and securing your environment against these and future threats.
Key Takeaways