microsoft turned me down
Key Takeaways
Analyzes a zero-day vulnerability in Microsoft and discusses stealth falcon exploits
Full Transcript
Hey, you guys know that I tend to go in cold for video recordings like this, right? Like I get an idea, I get a general sense of what I'm going to do, I try to figure out oh, the cool things that I like that I want to show you, and then I just kind of talk. And I know I can ramble a little bit, and that might make for a long video. And I have a hunch this video is going to be a long video. Whether or not I ramble, which I don't know, I probably will, but uh there's a lot of cool stuff that I want to show you. Cuz this video started as one idea that I originally wanted to make a video on, and then it became and turned into something that could be another idea that might be worth another video, and now it's just kind of a thing that I hope we can dig into. And this all starts from a recent research write-up and article put out by the Check Point team, Check Point Research, when they shared CVE-2025-33053 and Stealth Falcon and Horus, a Saga of Middle Eastern Cyber Espionage. I will, of course, put a link to this in the video description. Uh I can't zoom in super duper well on this website, but we won't spend too much time here. Of course, I really recommend you look through all this with the link below in the video description, but what I want to zoom in on was this vulnerability that they got to showcase, CVE-2025-33053 and .url files. In this malware infection chain of this Middle Eastern Cyber Espionage stuff that you could read about, again, linked below. There was a file named tlm.005 telescopic_mast_hazar_builddurum_wrapperu.pdf.url. Apparently, that's translated from Turkish, sorry, telescopic mast damage report. And that was submitted by VirusTotal by source associated with the major Turkish defense company. Based on the name pattern and the previous history of Stealth Falcon or this actor and their attacks, the .url file was likely sent as an archived attachment in a phishing email. So, some social engineering at play, right? But the content of the file is interesting. This is a .url file, which is essentially like a shortcut, hey, some icon you click just to open up a web page, and we've covered that in a previous video when we've seen oh, the 16 different file extensions that don't show their file extension, which is neat and interesting. But this basically looks like an .ini configuration file, right? There are brackets here to denote an internet shortcut with the URL property set to a value C:\Program Files\Internet Explorer\ iediagcmd.exe, which is a built-in native program and application on Windows. But it has a working directory set equal to \\, so that looks like a network address and location, right? summerartcamp.net @ssl@443/ dab wwwroot\osyxao0 blah blah blah. Ooh, neat. That is very clearly a WebDAV URL, right? Or a link or reference to some external resource. And there's some other boilerplate oh, show command icon index value set with an icon file to look like Microsoft Edge, modified numbers there, whatever. But the URL parameter in this internet shortcut points to iediagcmd.exe, a legitimate diagnostics utility for Internet Explorer. Here's the thing, that program, iediagcmd.exe, naturally runs other programs. I can fire it up real quick, let's show you. Say I'm in my Windows 11 virtual machine, and I'll always be operating out of a virtual environment, I recommend you do the same. If I were to open up the command prompt, and if I were to run iediagcmd.exe, this is not in our path by default. So, we'll need to give it the absolute path, which you saw was Program Files\Internet Explorer\iediagcmd.exe. Fingers crossed I can run this, but you might be able to see it just barely, potentially, possibly run other utilities like ipconfig, net, route, other native natural Windows utilities that normally should be ran out of the C:\Windows\System32 executable folder. But apparently, if you were to look closely at that code for iediagcmd.exe, apparently it's a .NET assembly, so you can just crack that thing open in like IL Spy, .NET Peek, dnSpy. We should do that. I think I have .NET Peek. Oh, I have an old .NET Peek, 2023.3.3. It'll still work. I mean, we should be updated to 2025, but let's crack it open. Even this, if we were to go open, navigate to that binary, yeah, iediagcmd.exe, we can open this up. If we explore, drill down into it, we could see some of the source code, but honestly, I want to be able to just see, okay, how does it start other processes? We have a clue from the article here, you could see again, it's calling ipconfig and route. Can I just like search for maybe a string for ipconfig? Yeah, here we go. Yeah, yeah, yeah. In that, they use General Utils.LaunchProcess ipconfig /all. Do the very same with route, and even just above, I think if we look a little bit closer or others, we can find all the usages of this LaunchProcess function. Right click, find usages. Looks like there are a couple in the network diagnostics, firewall configuration. Yeah, it looks like they would be using netsh just above. I don't know if you can see that with my face being in the way, netsh.exe. That one does have the full path, but the others did not. Looking for a couple others, network properties, those are the ones that we just saw previously. We could also go to the declaration to see, okay, that is, of course, using LaunchProcess from here. Go to that declaration, and that ends up using a process create routine. While we could do that all with the static analysis, we could just as easily do that with dynamic analysis using some of Sysinternals like Process Monitor. Let me get to that. I have uh Sysinternals installed at the root of my drive, so I do want Procmon, and I'll use Procmon64, and I'll run that as administrator, so we have all the privileges. And let's look for exactly this, uh iediagcmd.exe. If I were to remove these old ones, I want to be able to show you. If the process name is iediagcmd.exe, let's add that, but then let's do if the operation is like process start. Add and include that. I think that's right. I hope that's right. Let's click okay. It should be listening, and then if I were to run iediagcmd one more time, now we should be able to see, okay, iediagcmd process start. It's going to run and execute. Oh, but we need all of the things following that, so that's not quite right. Maybe we make that start process. Let's just remove the process start include at first, so we can just see everything that iediagcmd.exe will do. Let's run it one more time. Now we can see, okay, yeah, it's doing a ton of stuff, but obviously, once we get to it trying to execute a executable like ipconfig or netsh or all these others, we'll see that actual operation. I could scroll through this forever, but it might be worth just control F'ing for ipconfig. You know what? Easier way to do this, let's just filter for anything that has like process in the operation. Process contain or operation contains process. Yeah? How does that look? There we go. Okay, cool. So, pretty clear now, we can see process create. I'm sorry, I'm dumb, I should have known that. It ends up doing this with ipconfig.exe, route.exe, netsh, all these out of System32, but clearly, it does not have to be in System32. Usual order of operation search order for spawning a new process that does not have an absolute path in its invocation string, it will try to look first in the current directory, and we can see that if we were to remove that filter, so we've got everything else back where it was. But just before this process create, you can see it trying to look for ipconfig.exe in System32, but prior to that, it was trying to look in my current directory, C:\Users\johnh, where I started to type in this command to run iediagcmd.exe from my terminal. Of course, that returns a name not found because it's not there, but if there were ipconfig.exe in that folder, or even in the same folder as iediagcmd.exe, it would execute that first. Instead, kind of cool, we also saw it run makecab, makecab.exe. Looks like another opportunity for oh, executing something out of the current directory. Unsure if they end up using what would be the full path or not, but we can experiment with that, and that's usually how we get execution proxying. Normally, you think of this as oh, DLL side loading or DLL hijacking when you have stuff in another working directory, but it could work the very well same with an executable file. So, all that background out of the way, I'm sorry, I didn't mean for us to fall down that rabbit hole here. The gimmick is that in this scenario for this malware campaign and the attack infection, the working folder that was specified by this .url file, this little shortcut here, is actually putting the working directory as a remote location, an attacker-controlled WebDAV server. So, iediagcmd.exe locally on your own computer as it's ran and invoked or you click the shortcut, will then proxy execution to whatever ipconfig.exe or route.exe or netsh.exe or whatever then attacker controls. Check Point Research mentions this, iediagcmd tool run route.exe placed in the attacker's WebDAV server location instead of the legitimate one in the System32 folder. Some other artifacts in the malware later do this exact same thing, or custom shellhost.exe, or they've seen this used previously to spawn explorer.exe from its working folder, and of course, they mentioned loading DLLs is known previously, but it has not often been seen with executables like this. So, Check Point Research reported this to Microsoft and Microsoft said, "Okay, yeah, that's a vulnerability. It's CVE-2025-33053 that was put out, fixed, and patched in June's Patch Tuesday." You can see this here. Again, I'll include a link in the video description. "Internet Shortcut Files Remote Code Execution Vulnerability CVE-2025-33053 Security Vulnerability Impact Remote Code Execution Max Severity Important with the vector string metric CVSS score blah blah blah." Now, you might be scratching your head cuz I don't know the interpretation, how you parse or perceive this, but the dot URL file, the key to this really being delivered as an attack chain is fishing. Like, that's social engineering, right? So, it is not immediately remote code execution, but it's sort of kind of is because with just that trick of iediagcmd.exe calling back and using an attacker's controlled thing, like, that is still running attacker's code remotely. So, anyway, put that all in the back of your mind. I want to dig into this. I want to demo this. And then, I want to explore how this might maybe could potentially, I don't know, be explored more. But, before we do, please let me take one quick moment. I've been rambling already for a long time. Do want to give a shout out to the sponsor of today's video, Security Reviews, Compliance Audits, Vendor Questionnaires, Risk [music] Assessments. Look, if you lead Governance, Risk, and Compliance, or GRC, you know the reality. It's not just a job, it's pressure without pause. Drata exists to change [music] that. Drata is the AI-native trust management platform built for modern GRC teams. So, you don't just keep up, you lead. No more chasing evidence, drowning in spreadsheets, [music] or repeating yourself in every security questionnaire. With Drata, you automate the heavy lift. Security questionnaires? Covered. Continuous evidence collection? Done. [music] Internal and vendor risk management? Built-in. And with AI questionnaire assistance, Drata goes beyond automation. It learns from your controls, evidence, and [music] past responses, so you complete security reviews faster, with more confidence. [music] No more scavenger hunts for audit evidence, no more rinse and repeat for every vendor. Just a single, real-time source of truth. And yes, this is SafeBase, a real-time trust center that builds trust and accelerates sales. It's not separate, it's [music] by Drata. One platform, one team. Risk, compliance, and trust all working as one. Whether you're scaling fast or operating globally, Drata adapts to your [music] workflows, so you reduce risk, prove posture, and accelerate revenue. GRC doesn't have to be a reactive scramble. With Drata, it's [music] strategic, proactive, and empowered. Learn more about the unified platform transforming [music] GRC. Visit jh.live/drata. Thanks to Drata for supporting this video. Okay, we're back. Remember, we've been looking at CVE-2025-33053, this research from Check Point Research and an attack chain that they saw in the wild leveraging .URL or internet shortcut files that allow an unauthorized attacker to execute code over network. Scrolling down, getting into the FAQ, according to the CVSS metric, user interaction is required, UI:R. What interaction would the user have to do? User would have to click on a specially crafted URL to be compromised by the attacker. Granted, I think that means a .URL file or I guess maybe you could say that some other way. Acknowledgements here, of course, big shout out Alexandra Goffman and David Dreiker from Check Point Research. Of course, they are the folks all the kudos credit goes to. Now, let's try and explore and recreate this CVE-2025-33053 on our own locally inside of an old unpatched Windows rendition. Right, I'm running Windows 11 in my virtual machine. This isn't updated because this was patched, this was fixed in June 2025. But, let's open up a text editor. I'll use Sublime Text. And I want to go grab what they had seen and observed for the internet shortcut or .URL file that again would have been delivered via fishing, social engineering, some way, somehow. So, if this were defined as an internet URL shortcut, URL, of course, is actually going to refer to a local file or iediagcmd.exe naturally in the Windows path, C:\Program Files\Internet Explorer\iediagcmd. But, working directory is where, again, the bad actor, threat actor, adversary had their attacker-controlled WebDAV server. So, we need to host our own and we'll put that here in this section. Show command, icon, index, those are all like, oh, decorations, doesn't really matter, icon file, not super necessary, but let's go ahead and just put this on our desktop as a, give me all files extension there, pretty please, shortcut.url, right? Cuz this is a .URL file. Now, obviously, that's not doing anything currently. We need to point it to a WebDAV server, which means we need to have a WebDAV server. Now, just so I can look and feel like a real hacker, hee hee ha ha, let me get into my Kali Linux virtual machine. I'll hit control alt T on my keyboard to open up a terminal, F11 to zoom in, and I think I did get this going when I was exploring and experimenting with this previously. So, I have the original iediagcmd.exe and inside of this WebDAV directory, I do have calc.exe, which is just the Windows Calculator application. I want to use that as a little proof of concept, demonstrate, okay, we can execute our own code or any arbitrary executable from this WebDAV connection, right? What is my current IP address? Let me use ip a s or ip addr show. That is 192.168.111.199. And now, let me spin up a WebDAV server nice and easy from the command line with WSGI Dav. Uh, that's one of the utilities you can get within Kali Linux. That's nice and easy. Let's set the host to 0.0.0.0, so we are bounded and listening, binding to all interfaces. I think our port can be 8080. I guess that's fine. The root of this should be basically the current directory that we're in. Will it let me do that? Or like, can I move up a directory and then reference WebDAV? Let's try that. Maybe, honestly, it's smarter The location of WebDAV directories always kind of gets me a little sketched out, so let me just do WebDAV from the parent directory that I'm in. You know what I mean? We can even go above that, whatever. Let's just I want to be able to reference WebDAV in the shortcut like link, the backslash backslash that we put in our .URL file. And then, auth can be anonymous just so that's easy enough to get to and run. So, that will spin up, that will run. Now, we are serving our WebDAV instance. Can I put this side by side now? Back in our Windows virtual machine, now let's work with our WebDAV server, which is the 192.168.111.199 at If we were using SSL, that's where you saw SSL and 443 kind of denoting the ports, but we will use at 8080 because that is where we are hosting our WebDAV server. And they had that special syntax of like dav\\wwwroot, right? I want to look back at it. Yeah, /dav\\wwwroot and then a backslash for the folder that they referenced. And then, the folder should be WebDAV because that's what I named it in the current directory. But, bear in mind, we have not yet done the magic trick. Let me shut down or control C and close out of that WebDAV server. Inside of that WebDAV little directory here, we just have calc.exe, but it needs to be the name of a program that iediagcmd.exe will invoke or run naturally, like, ipconfig.exe, route.exe, makecab, and others that we saw. So, let's try this and test this with calc actually being called route.exe. Now, it should run it. Let me move out of the directory. Let's spin this all up, get our WebDAV server hosted again, and we can now, that we've saved this, try to run our shortcut. Fingers crossed, I'm praying to the demo gods I got this all right. Double-clicking, it did see You can see the connection that it made there. >> [laughter] >> And there's our calculator. So, that is CVE-2025-33053 using a .URL internet shortcut to be able to run arbitrary code from a remote location. But, I got to thinking, I got to wonder, if this is patched, as cool and as neat as this was, I like I think that was a cutesy, cool, kind of clever trick, could you not do the exact same thing with a lot of the other pointing applications or short file types, right? Like, we're used to seeing in the, oh, different file extensions that hide their file extensions. I'm alluding to, could this just as easily be done with a regular, natural Windows shortcut? Because that could be built out with its own working directory, and to be honest, you could build that. You could create a shortcut file like that with just PowerShell. Let me show you that syntax. Let me move to the desktop here, just so we can work with something and then make it visible for us. Let me create just a little variable sc or shortcut, right? And then, that will be basically a new object. This should be a COM object, so we'll use the wscript.shell data there, that object type. And then, I want to create shortcut, and oh, I guess, realistically, this is where you can kind of specify the destination, so I didn't need to move into my desktop because I'm going to write it all here in shortcut.lnk. Note that I'm using the .lnk file extension here now because this is a shortcut file like natural native oh Windows file a desktop application shortcut not an internet shortcut like a .url. Can I create that object? Cool. Let's set its target path target path to equal iediagcmd, right? So C program files Internet Explorer iediagcmd.exe. Now, let's be sure to set the working directory which you can just do backslash backslash 192168111199 our remote WebDAV server at 8080 hence the name it was forward slash dav wwwroot backslash WebDAV which we were hosting and serving our route.exe as a duplicate of calc.exe. Fingers crossed that's correct and then if we want to get super flashy we could just set oh the window style could be hidden or seven or whatever. I think that's the constant for it. Just like you saw in .url. And the thing about a shortcut is that we could change the icon, we could change like we could decorate it to be whatever we want. I guess really you did the same with the .url but let's go ahead and save this and now that should be present on our desktop. Now that has not changed the icon cuz it's still referring to iediagcmd.exe but I got to run what would be this rather than this. This is our URL shortcut. This is our LNK shortcut and you could see even in the WebDAV instance it was trying to reach makecab.netsh even other DLLs that we could probably manipulate or beat up because now we've set it as the working directory. Let me close this out and let me spin it up again just so we have a fresh start. Now let me run our LNK shortcut which should be new ground but it still works. Question was did this get patched in the June Patch Tuesday when they fixed it for .url files? Well, let's try to work with these inside of the Windows Insider Canary channel or using a virtual machine with the absolute latest Windows Windows Insider their Canary releases and I have a couple different snapshots here because I had this in June when I was playing with this 620 up to date then and I had one just now up to date in August as I'm recording this. So let me get back to June so you get to the timeline after it has been patched for .urls CVE-2025-33053 but we're still wondering could this work for .lnk files or regular Windows shortcuts? Was that patched? Let me log in. Okay, Windows Pro Insider preview. Does winver get me anything cool? Version dev OS build 27881.1000. Let's get a .url file for OG CVE-2025-33053 up and running. All right, making that a little bit bigger available for us to work with port 8080 WebDAV. Let's go save this on our desktop as the CVE-2025-33053.url. Save. Now if I put these side by side and try to run this we have our new shortcut in the Windows Insider Canary and let me show you if I look at Windows update the last update was June 20th so after Patch Tuesday so it would have fixed this. Restarting our WebDAV instance so we could see a fresh server here. Trying to double click on this iediagcmd.exe does his own thing. He's chilling. He's good. He's not worried about anything else remotely hosted by an attacker on an external WebDAV instance and kind of clicking around with this it just doesn't do it doesn't make the call to it. I think it's forcing oh the proper either working directory or putting it properly in its own execution to always use an absolute path. I haven't admittedly looked at that binary to see if they made changes there or what would have been modified because I was more curious will our .lnk regular Windows shortcut one still work after Patch Tuesday of June? And just for my own sanity like this is the correct WebDAV location. We got try and access that? Yeah, even just via explorer and you can see it trying to make the connections there. The WebDAV is working just fine just that chain in CVE is no longer present. So let's try this with the .lnk rendition. Let me open that up with Windows Terminal. I'm just going to copy and paste basically create the exact same shortcut as we had previously. Oh, this is using OneDrive so it just has a different desktop location. It would need to be OneDrive desktop. Pasting that in now that's better. Back in our home directory now we have our shortcut or .lnk rendition of it. Here's the thing spin up the WebDAV server run this that one still works. That was not patched and I was thinking crap I can't record this video anymore because is this a zero-day? Is this a new vulnerability? Is this something that should have been patched and wasn't? I know that this requires social engineering but so did the other one and it was deemed remote code execution important severity and it got a CVE. Weird scenario I was thinking is this just okay riding along the same sort of scenario that the internet shortcut one would as a bug but is this one still an attack vector? Like look at this a Windows native natural binary that you get to point to decorate with a shortcut that you could rename no file extension any icon but it will still execute something on an entirely different server. Since the original CVE-2025-33053.url rendition got a CVE and had important remote code execution severity I thought I got to submit this for like MSRC vulnerability. And this is very weird cuz like huh I wonder is Microsoft cool with this? Is this going to work? Are they going to say yes if I tried to report a security vulnerability and do they agree noting that the other one they called a vulnerability but this one is it going to be considered a vulnerability? Putting these side by side I think they're basically the same. So I went through this cool process that I've never been through before I'll be the first to admit but trying to report a bug to Microsoft. Please sign in to report a vulnerability in a Microsoft product or service. You can track the status of your report as we work with you. If you're not sure you can check out the definition of a security vulnerability everything that they really give the formal definition to and they give you all these resources to go through coordinated vulnerability disclosure so everyone is in good faith and that's why I don't want to make a video on this until after I had reported it to them depending on what they say and then we just needed to sign in and submit the papers. So I hope this is some cool education in case folks ever maybe go through this process on their own or if they just haven't seen kind of what this all looks like. When you're reporting a bug to Microsoft here's the form that they give you. You fill out the security impact. Hey what do you think is the issue here? AI derived harm denial of service elevation of privilege information disclosure RCE etc. etc. You can specify the products that this affects and it could be all the things between Edge Windows on premise a lot of the cloud capability MFA.net blah blah blah blah blah. Those are all the options for you to go explore. You can type in the version the component name component version component location and then add any more of these and they talk about cross-tenant capabilities. If it's referring to a lot of that cloud oh Azure Active Directory or Entra ID aspect. In this case no it's all local it's on the endpoint it's just weird stuff on Windows and if you wanted to enter the additional fields like CVSS score or the CWE references that you suggest then you can paste those and work with those in there. Ask is the issue public? You choose. Is the issue actively being exploited? You choose. Is this a missed fix or variant of an existing CVE or previously closed case? Now in this case yeah, kind of, right? That's what it was. And to be honest I had used for like things of the CVSS score and the common weakness enumeration basically used the old one as a reference cuz it's in essence the exact same thing. Impact remote code execution. I copied and used that. Weakness CWE-73. Yep, same exact thing. Vector string? Yep, use that. User interaction required but according to their definition of remote code execution it is still executing code hosted remotely. Hence WebDAV server. And I wondered and questioned about that but again because this one worked the way that the other one worked I just felt fine. Title template call stack attachments anything that you wanted here etc. That is the process where you just write up all the info for yourself. Now let me show you what I submitted and you can see that it was closed after I created on June 20th as you were tracking the timeline. Last modified is July. Let me move my face out of the way. I don't know how well you can see that. So now that we're just about through the end of August and it was closed and completed I think I want to talk about it. So this is my report. This is what I submitted to Microsoft. Hope it's cool to showcase. I don't see why it wouldn't be. Someone is going to scream and whine at me if I can't but this vulnerability is a derivative of CVE-2025-33053 Internet Shortcut Files Remote Code Execution Vulnerability and I included that link so they knew exactly what I'm talking about. Similar to .url files Windows shortcut files or .lnk files can specify a working directory while executing a target program or application. Some native and built-in Windows binaries will inherently run other executables or load other libraries based out of the current working directory everything we've established in this video. Namely the iediagcmd.exe program installed to this location by default given the full absolute path will spawn route.exe ipconfig.exe netsh.exe and makecab.exe by enumerating the system path but per the normal program search order, it'll look within the current working directory first. A Windows shortcut file can be configured just like the .url file was to specify a working directory as remote location like a WebDAV share. With a WebDAV location set as the working directory, ie diagcmd will invoke ipconfig or any other chosen binary that's present on that remote location. This in turn executes arbitrary code from an external and untrusted location. And again, that is just equivalent to a DLL hijacking, DLL side-loading, or other binaries and programs that do a similar thing. This technique can be leveraged for multiple native Windows binaries that start a new process with a file name based out of the current directory, and I include a couple others like work folder can do it, will invoke control, WSL if you have the Windows Subsystem for Linux installed, that will drop wslhost.exe, main.cpl will open mouse.dll, system.cpl and some like the control panel things, system properties, computer name, etc. Some of these pairings will pop up with a security warning. However, ie diagcmd didn't cause any pop-up and successfully executed the payload file. This is the exact same impact as CVE-2025-33053 that was previously patched, part of their Patch Tuesday, but with a simply different delivery mechanism of a .lnk file rather than a .url file. I include a little YouTube video we could showcase. Feel free to skip this if you don't want to bother seeing the fireworks again, but this is just what I had provided because I did want to make it clear that oh, I am testing this on the Windows 11 Insider Canary Edition. So, it's the absolute latest, up-to-date, and you can see the back and forth between the attacker and victim. I basically had created a copy-paste PowerShell script to be able to okay, generate the assembly or program.exe that is our proof of concept, put that on an external server, to some silly stupid DigitalOcean droplet that I got, serve and host this with WebDAV, and then on the victim side, you just have the shortcut file after that has been created and given some way somehow to the victim. Again, I know that is the social engineering aspect. I'm not denying that. That's clearly part of this, but it was the very same for the original vulnerability. And clicking on this, of course, will execute their arbitrary attacker code that will show you even yes, the remote location that it's in, executable path, and the current working directory denoting the WebDAV share. So, take it for what you will, right? Obviously, I gave those commands to copy and paste exactly that. These are the steps to reproduce. You could just copy and paste this to generate the proof of concept displaying executable path and current working directory within PowerShell, WebDAV share, SCP, copy over the proof of concept, serve that with WebDAV just as we have previously, create a shortcut file, and had that been given, if it is double-clicked, it will execute. Now, please let me make this abundantly clear. I am totally cool with whatever Microsoft decides. I just thought this was neat. This was interesting. Would one be accepted, the other not? Would it one go one way or another? And I have no concern. I I think okay, it's still kind of cool that I got to go through this process and hopefully share some of that with you. There was an automatic notification that hey, this has been received, they're tracking it, and later on, they say hey, we've got a case number created for this thing. Looks like it is now in the works, and it moves through the different status or like category checks of in review, trying to reproduce, and all those different segments that walk you through the process. And here is their final response. Hey John, thanks for submitting this issue to Microsoft. MSRC prioritizes vulnerabilities that are assessed as important or critical severities for immediate servicing. The other one was denoted as important, uh max severity important for remote code execution, internet shortcut files remote code execution vulnerability. But look, I'm not trying to sway one way or another. I don't make the decision. You get to, they get to. I'm curious, what do you think? After careful investigation, this case does not meet MSRC's current bar for immediate servicing. Your report as presented requires social engineering to get the victim to run a malicious .lnk file. You already have code execution at this point, therefore there is no security boundary being crossed here. That's true. Like that that's a fact. I know in the video that I showcased, yeah, we just kind of copied over oh, the .lnk file, the shortcut to be able to trigger it because yes, uh the social engineering is a necessary component there, and I'm not denying that. But at the same time, I know the other one did get this across through the door, so I'm really interested in your opinion. Is this a threat? Uh is this another opportunity? The closing of this is hey, we appreciate your partnership to help secure our customers. Let me know if you have any questions. And they change it from review and reproduce to complete, case closed, all donezo. So, I did not get a CVE for Microsoft, and I'm curious if you think there should have been one or shouldn't have been one. Either way, I guess it's totally cool. You now have that .lnk opportunity as one maybe delivery method that's fine. I do want to just update to the absolute latest, up-to-date rendition of our Windows Insider Canary channel, and just try this one last time to see if it's still cooking. Maybe this is just me being a little bit curious. Did it go through in a July Patch Tuesday or an August Patch Tuesday? So, I just want to see. Let's close down the WebDAV instance, and let's get Let me run Windows update. Validate, verify, make sure. So, I'm booting up to the latest snapshot, the up-to-date as of August, and now I can see how's it look? This is kind of I don't know, just the curiosity if it happened to get smuggled in to what would have been a Patch Tuesday in July or in August. And again, I just I'm curious. I hope that's okay. Oh, Windows Defender didn't find any threats. Good, appreciate that. Oh, there is a security update. All right, let me get that installed. Oh, it is up-to-date. Let me check for updates one more time. Okay, that is up-to-date. I think it had some of the old things on OneDrive. I don't know if those would have worked or not, but now let's get into our terminal and then just paste in everything necessary to be able to build this. I also want, after I've created yes, the shortcut here, I want to be able to build out the executable that I could run. OneDrive, desktop, and let me spit in everything to be able to make our proof of concept.exe. There it is. Okay, cool. Let me just go put that over in Cali, put that in the WebDAV folder, and that will be our new route.exe. And then I swear to goodness gracious, I'm just about done. I will stop recording and this video will end eventually. I knew I was going to be rambling, but let me try it. Just let me see, will it work? It still does. So, yeah. Wait, it's running ie diag. Is it getting our route.exe? Let me put this one away as that's hidden. It should still trigger. Yep, there it is. Proof of concept, executable path right where we put it. Up-to-date, still fine. Okay. >> [laughter] >> It just took a little bit cuz ie diag was still doing its thing way over in the hidden window that we created. What do you think? CVE-2025-33053, uh internet shortcut.url files being used for remote code execution. Yes, of course, obviously social engineering, but still the capability to make what looks like a regular native natural signed legitimate Windows binary execute arbitrary other code hosted externally by an attacker. And if that's patched, cleaned up, previously fixed in June Patch Tuesday, then we could do this just as well with an .lnk file, like a regular Windows desktop icon shortcut. That one's not a vulnerability, apparently, or at least not of the important severity that the other one was, when in my opinion, they look the same. But I it's not my decision to make. I'm curious, what do you think? Please let me know your thoughts. If you made it to the very end of this video, I'd love for you to leave a comment that says the word No, the words as plural, hack the planet.
Original Description
https://jh.live/drata || Bring Governance, Risk and Compliance into the modern age with Drata: https://jh.live/drata
https://research.checkpoint.com/2025/stealth-falcon-zero-day/
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
Related Reads
📰
📰
📰
📰
How AI Scraper Bots Are Destroying Small Publisher Sites
Dev.to AI
Secure Kubernetes Dashboard with Cloudflare Zero Trust Tunnel
Dev.to · Oleksandr Kuryzhev
The Importance of a Phishing URL Detector in Modern Cybersecurity
Medium · Cybersecurity
Your AI Pentest Report Speaks a Different Language Than Your Auditor Does
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI