⚠ Actively exploited
Added to CISA KEV on 2025-06-10. Federal agencies required to patch by 2025-07-01. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-33053External Control of File Name or Path in Microsoft Windows 10 Version 1507

CWE-73External Control of File Name or Path24 documents15 sources
Severity
8.8HIGHNVD
EPSS
50.3%
top 2.15%
CISA KEV
KEV
Added 2025-06-10
Due 2025-07-01
Exploit
PoC available
Public exploit / PoC exists
Affected products
27
Microsoft Windows 10 Version 1507Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1809+24 more
Timeline
PublishedJun 10
KEV addedJun 10
KEV dueJul 1
Latest updateDec 10
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

External control of file name or path in Internet Shortcut Files allows an unauthorized attacker to execute code over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages26 packages

NVDmicrosoft/windows< 10.0.14393.8148+5
NVDmicrosoft/windows_10_1507< 10.0.10240.21034
NVDmicrosoft/windows_10_1607< 10.0.14393.8148
NVDmicrosoft/windows_10_1809< 10.0.17763.7434
NVDmicrosoft/windows_10_21h2< 10.0.19044.5965

🔴Vulnerability Details

3
GHSA
GHSA-26qv-p8cr-jxp5: External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network2025-06-10
CVEList
Internet Shortcut Files Remote Code Execution Vulnerability2025-06-10
VulnCheck
Microsoft Windows External Control of File Name or Path Vulnerability2025

💥Exploits & PoCs

2
Exploit-DB
WebDAV Windows 10 - Remote Code Execution (RCE)2025-06-15
Metasploit
CVE-2025-33053 Exploit via Malicious .URL File and WebDAV

🔍Detection Rules

1
Elastic
Potential CVE-2025-33053 Exploitation

📋Vendor Advisories

2
CISA
Microsoft Windows External Control of File Name or Path Vulnerability2025-06-10
Microsoft
Internet Shortcut Files Remote Code Execution Vulnerability2025-06-10

🕵️Threat Intelligence

15
Tenable
Patch Tuesday 2025 Year In Review2025-12-10
Securelist
Exploits and vulnerabilities in Q2 20252025-08-27
Securelist
Vulnerability landscape analysis for Q2 20252025-08-27
Bleepingcomputer
Microsoft fixes Surface Hub boot issues with emergency update2025-06-17
Bleepingcomputer
Microsoft: KB5060533 update triggers boot errors on Surface Hub v1 devices2025-06-13
CVE-2025-33053 — External Control of File Name or Path | cvebase