
CISA, Microsoft warn of Windows zero-day used in attack on ‘major’ Turkish defense org

Microsoft released a fix for a Windows zero-day vulnerability that has been used in attacks by a hacking group known for targeting governments in Africa and the Middle East. 

The bug was discovered by researchers from cybersecurity firm Check Point, which published a blog Tuesday explaining that they first found it while investigating an attempted cyberattack in March on “a major defense organization in Turkey.”

Microsoft tagged the vulnerability as CVE-2025-33053 and released the fix for it as part of its larger Patch Tuesday update for June.

The vulnerability affects a Windows tool called Web Distributed Authoring and Versioning, also known as WebDAV. Experts said WebDAV is an extension of HTTP that allows users to manage and edit files on a remote server; in the Windows operating system, it exists in Internet Explorer and the Edge browser.

WebDAV is effectively an HTTP extension that lets users remotely manage files and directories on a server. It's often used in document management systems, collaboration platforms and legacy file-sharing tools.

The vulnerability was added to a federal catalog of exploited bugs run by the Cybersecurity and Infrastructure Security Agency, and carries a high severity score of 8.8 out of 10.

Microsoft said a “user would have to click on a specially crafted URL to be compromised by the attacker.” Check Point explained that the operation it discovered began with a .url file that was disguised as a PDF document related to military equipment damage. 

The file was likely delivered through a phishing email and allowed the hackers to “silently run code from a remote server controlled by the attackers.”
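For defenders triaging mail attachments or downloads, the two traits described above (a .url shortcut named like a document, and a reference to a remote server) can be checked statically. The following is an added example, not code from Check Point or Microsoft: the article does not say which shortcut fields the attackers used, so it inspects every value in the `[InternetShortcut]` section, and the sample files and the host `files.example.test` are constructed placeholders.

```python
import re

# Off-host targets: UNC paths (\\host\..., which Windows can also serve over
# WebDAV) and file:// URLs that name a host. \\?\ and \\.\ are local prefixes.
REMOTE = re.compile(r"^(?:\\\\(?![?.]\\)[^\\]+|file://[^/]+/)", re.I)
# A document extension placed before the real .url extension.
DISGUISED = re.compile(r"\.(?:pdf|docx?|xlsx?)\.url$", re.I)


def parse_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section."""
    fields, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage(name, text):
    """List the reasons a .url file deserves a closer look (empty if none)."""
    findings = []
    if DISGUISED.search(name):
        findings.append("name imitates a document")
    for key, value in parse_shortcut(text).items():
        if REMOTE.match(value):
            findings.append(f"{key} points off-host")
    return findings


# Constructed samples; files.example.test is a placeholder host.
SAMPLES = {
    "news.url": "[InternetShortcut]\nURL=https://example.com/\n",
    "damage_report.pdf.url": (
        "[InternetShortcut]\n"
        "URL=file://files.example.test/share/report.pdf\n"
        "IconIndex=13\n"
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(name, text) or "no findings")
```

An ordinary web shortcut with an `https://` target produces no findings; a hit is a prompt for analyst review, not a verdict.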

Stealth Falcon

In the campaign exploiting CVE-2025-33053, Check Point said the attacker used custom-made tools it called Horus Agent and Horus Loader that allowed for espionage efforts and avoidance of security tools.  

Check Point attributed the attack to a group known as Stealth Falcon — a hacking group with longstanding ties to the UAE that has been implicated in dozens of spyware cases and hacking incidents involving governments across the Middle East and Africa. 

The company published its own blog posts about Stealth Falcon, writing that it has used spearphishing emails against high-profile targets in the government and defense sectors in Turkey, Qatar, Egypt and Yemen.

Check Point noted that over the years, Stealth Falcon has been seen “acquiring zero-day exploits and using sophisticated custom-built payloads to target entities across the Middle East in their cyber espionage operations.”

Check Point told Recorded Future News that, “in the past some industry players affiliated them with operations in the UAE. However, we don’t do such affiliations in specific.” 

“Today, Stealth Falcon is known for its use of zero-day exploits, custom malware, and delivery mechanisms, all hallmarks of a well-resourced APT,” Check Point wrote in its blog.

“Stealth Falcon continues to evolve, combining zero-day exploitation CVE-2025-33053 and legitimate tools, multi-stage loaders, and custom-built implants in a resilient campaign.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.