External risk intelligence

Microsoft Windows Internet Shortcut Code Execution Vulnerability.

CVE advisoryKnown Exploit

CVE-2025-33053

Windows systems are affected by a vulnerability in Internet Shortcut files that allows an unauthorized attacker to execute code remotely. This poses a business risk as it could lead to a compromise of system integrity and data confidentiality. Organizations should apply vendor patches and monitor for related security e

2Halo Surface Signal

Microsoft Windows 10 1507

before 10.0.10240.21034before 10.0.14393.8148before 10.0.17763.7434before 10.0.19044.5965before 10.0.19045.5965before 10.0.22621.5472before 10.0.22631.5472before 10.0.26100.4270r2;...

External exposure likelihood

Halo Surface Signal score for CVE-2025-33053

The vulnerability requires user interaction to open a specially crafted Internet Shortcut file. While it enables remote code execution via WebDAV, the attack surface is not a public-facing service but a client-side vector necessitating social engineering to convince a user to access the malicious file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Internet Shortcut files within Microsoft Windows. The core issue lies in how these files handle external control of file names and paths. This flaw can permit an unauthorized attacker to execute code remotely.

  • Vulnerable component: Internet Shortcut files
  • Core weakness: External file path control
  • Main business impact: Remote code execution

Attack Path

How an attacker could exploit the issue

An attacker could exploit a vulnerability in Internet Shortcut files to execute code remotely. This occurs when an attacker can control the file path within an Internet Shortcut, potentially leading to code execution from a WebDAV location. The attack requires the user to interact with a specially crafted shortcut file to initiate the exploit.

  • Exposure condition: Network accessible file.
  • Attacker starting point: Unauthenticated.
  • Trigger and result: User opens shortcut, attacker executes code.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an attacker to execute code over a network by manipulating file paths within Internet Shortcut files. Successful exploitation could lead to unauthorized code execution, impacting system integrity and data confidentiality. The risk associated with this vulnerability is significant, requiring prompt attention from affected organizations.

  • Likely attacker skill level: Low
  • Required access or conditions: User interaction with a malicious file
  • Business risk or urgency: High, treat as urgent

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an unauthorized attacker to execute code over a network by manipulating Internet Shortcut files. The exploitation requires user interaction, such as opening a crafted shortcut file, to trigger the remote code execution. This presents a business risk, as it could lead to unauthorized access and control of affected systems.

  • Identify systems that handle Internet Shortcut files.
  • Isolate systems or restrict file handling.
  • Apply vendor fixes and validate.
  • Monitor for related security events.

Frequently asked questions

What is the primary weakness in Microsoft Windows that allows for remote code execution through Internet Shortcut files?

The core weakness is CWE-73, which describes an 'External control of file name or path'. This allows an attacker to manipulate the file path within an Internet Shortcut file, potentially directing it to a remote WebDAV location and triggering code execution.

How can an attacker exploit the 'External control of file name or path' vulnerability in Windows Internet Shortcut files?

An attacker can exploit this by crafting a malicious Internet Shortcut (.url) file. When a user opens this file, it can cause the system to fetch and execute code from a remote WebDAV server controlled by the attacker.

What is required for an attacker to successfully exploit this vulnerability, and what is the potential impact on a business?

Successful exploitation requires user interaction, meaning a user must open the malicious Internet Shortcut file. The impact can be significant, as it allows for remote code execution, potentially leading to unauthorized access, data breaches, and system compromise.

What actions should organizations take to mitigate the risks associated with the Microsoft Windows 'External control of file name or...

Organizations should apply vendor-provided fixes for Microsoft Windows, identify systems that handle Internet Shortcut files, and consider isolating affected systems or restricting the handling of such files. Monitoring for related security events is also crucial.

What systems are identified as being affected by the CVE-2025-33053 vulnerability?

This vulnerability affects various versions of Microsoft Windows, including Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H2, 23H2, 24H2), and multiple Windows Server versions (2008, 2012, 2016, 2019, 2022, 2022 23H2, 2025).

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified