Stealth Falcon APT Exploits Microsoft RCE Zero-Day in Mideast www.darkreading.com/vulnerabi…

Nation-state adversaries have been exploiting a zero-day security vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) that allows one-click remote code execution (RCE) on target systems.

WebDAV is a protocol that extends the functionality of HTTP, allowing users to interact with files on a Web server in a more collaborative and feature-rich way. According to Check Point Research (CPR), the important-rated bug (CVE-2025-33053, CVSS 8.8) is being used by the Stealth Falcon advanced persistent threat (APT) group to compromise high-profile defense entities in the Middle East. Hallmarks of the campaign are “deceptive URL files, WebDAV servers, and legitimate Windows tools to silently execute custom spyware, including a new [custom] implant: Horus Agent,” the researchers said, noting that Stealth Falcon’s advanced tradecraft also includes the use of living-off-the-land binaries (LOLBins).

Fortunately, CVE-2025-33053 is one of 66 bugs patched by Microsoft in its June Patch Tuesday release today. As Dustin Childs at Trend Micro’s Zero Day Initiative noted in a blog post covering the June update, the exploitation is concerning enough that the computing giant even addressed the flaw in end-of-life platforms.
