Microsoft Patches Windows Internet Shortcut RCE Exploited via Malicious URL Files
Microsoft disclosed CVE-2025-33053, an Important remote code execution flaw in Internet Shortcut Files that affects all supported versions of Windows and carries a CVSS 8.8 rating. The vulnerability is tied to CWE-73 (external control of file name or path) and can let an unauthenticated attacker execute code over a network if a user clicks a specially crafted URL. Microsoft said the bug had been exploited in the wild, that functional exploit code was available, and that security updates had been released.
The advisory said the issue has implications beyond legacy browser use because underlying MSHTML, EdgeHTML, and scripting components remain supported on some platforms and are still used by Internet Explorer mode, the WebBrowser control, WebView, and some UWP applications. Microsoft also noted that IE cumulative updates still matter for certain older Windows Server systems, and later revised the advisory to correct the CVE title and description without changing the technical impact. Related Microsoft advisories show the flaw joins a broader pattern of remote code execution risks across Windows and server products, including MSHTML, Hyper-V, Exchange Server, and SharePoint Server.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft issues informational update to CVE-2025-33053 advisory
Microsoft updated the CVE-2025-33053 advisory to correct the CVE title and description. The company noted the June 19 change was informational only.
Microsoft discloses and patches CVE-2025-33053
Microsoft published advisory CVE-2025-33053 for an Internet Shortcut Files remote code execution vulnerability affecting supported Windows versions. The company said the flaw was being exploited in the wild, functional exploit code was available, and an official fix was released.
Sources
5 references tracked. Mallory keeps watching after this page renders.
CVE-2025-33053 - Security Update Guide - Microsoft - Internet Shortcut Files Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-49117 - Security Update Guide - Microsoft - Windows Hyper-V Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2023-36436 - Security Update Guide - Microsoft - Windows MSHTML Platform Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2021-34468 - Security Update Guide - Microsoft - Microsoft SharePoint Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2021-28483 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Fixes 41 Internet Explorer Flaws Including Exploited RCE Bug
Microsoft released security update **3034682** to address **41 vulnerabilities** in Internet Explorer **6 through 11**, including multiple flaws that could allow **remote code execution** if a user visited a specially crafted webpage. The most severe issues could let an attacker run code with the same privileges as the current user, making the risk highest on systems where users have administrative rights. Microsoft rated the bulletin **Critical** for affected Windows client systems and **Moderate** for affected Windows server systems. The bulletin said one flaw, **CVE-2015-0071**, had been exploited in the wild, while **CVE-2014-8967** had been publicly disclosed before the patch was issued. Microsoft said the update corrects memory corruption and permission-validation issues, improves **ASLR** behavior, and strengthens cross-domain policy enforcement. It also noted that systems running Internet Explorer **9, 10, and 11** require updates **3021952** and **3034196** for full protection, with **3023607** and, on some platforms, **3036197** also potentially installed automatically.
May 27, 2026
Microsoft Discloses Windows RCE Flaws in Scripting Languages and URL Parsing
Microsoft published Security Update Guide entries for two Windows remote code execution vulnerabilities affecting different core components: **CVE-2022-41118** in **Windows Scripting Languages** and **CVE-2025-59295** in **Windows URL Parsing**. Both advisories classify the issues as remote code execution flaws, indicating that successful exploitation could allow an attacker to run arbitrary code on a targeted Windows system. The disclosures point to risk across widely used Windows functionality rather than a single application, underscoring the need for defenders to review affected product versions and apply Microsoft-issued updates through normal patch management channels. The vulnerabilities are tracked under the identifiers `CVE-2022-41118` and `CVE-2025-59295`, with Microsoft maintaining the authoritative remediation details in its Security Update Guide.
May 25, 2026
Microsoft Patches Repeated Windows Mark-of-the-Web and SmartScreen Bypass Flaws
Microsoft has disclosed a sustained series of **security feature bypass** vulnerabilities across Windows and related components, with multiple advisories tied to **Mark of the Web (MotW)**, **SmartScreen**, **MapUrlToZone**, Windows shortcut handling, and security zone mapping. The most detailed recent case, `CVE-2026-32225`, affects **Windows Shell** and allows attackers to bypass SmartScreen protections that rely on MotW by persuading a user to open a specially crafted `.lnk` file. Microsoft said successful exploitation could cause Windows to launch commands or Control Panel applets without proper MotW handling, potentially enabling arbitrary command execution or the loading of attacker-controlled DLLs; the flaw was rated **Important**, assigned a **CVSS 8.8**, marked as **more likely to be exploited**, and fixed at disclosure. The newer Windows Shell issue follows a broader pattern of Microsoft fixes for related bypasses, including `CVE-2022-44698` in **Windows SmartScreen**; `CVE-2023-36564` in **Windows Search**; `CVE-2023-36584`, `CVE-2024-38217`, and `CVE-2024-43487` in **Windows Mark of the Web**; `CVE-2024-30073` in **Windows Security Zone Mapping**; `CVE-2025-21328`, `CVE-2025-21329`, and `CVE-2025-21332` in **MapUrlToZone**; and `CVE-2025-47160` in **Windows Shortcut Files**. Additional bypass advisories affected Microsoft products including **Publisher**, **Office Developer Platform**, **PowerShell**, **Kerberos**, **Windows Hello**, **Surface**, and **PC Manager**, underscoring Microsoft's continued effort to close gaps in trust labeling and execution safeguards that attackers can abuse to reduce warnings and increase the success of social-engineering attacks.
May 25, 2026