Windows WebDAV Zero-Day Exploited to Deliver Malware

A critical zero-day vulnerability has been discovered in the Windows WebDAV client, and it is being actively exploited by threat actors to deliver various types of malware. This unpatched flaw represents a significant risk to users running vulnerable versions of Windows.

Exploitation typically begins when a user opens a specially crafted file or clicks a malicious link. That action tricks the WebDAV client into connecting to an attacker-controlled server, which triggers the vulnerability and allows arbitrary code execution or the download and installation of malware. Crucially, this delivery method often bypasses standard security warnings, including Protected View in some applications, which makes it particularly dangerous.

Affected systems primarily include recent versions of the Windows operating system, such as Windows 10, Windows 11, and corresponding server editions. Due to its status as a zero-day, there is currently no official patch available from Microsoft to fix this specific issue. This leaves users exposed to potential compromise if they do not take proactive steps.

Given the active exploitation and the absence of a patch, users and administrators should implement mitigations immediately. One highly recommended step is to disable the WebClient service on Windows systems, since that service provides the WebDAV client functionality being exploited. Another effective mitigation is to block outbound connections over TCP port 445 (or potentially 80/443 if used for WebDAV) at the firewall, although this may impact legitimate WebDAV usage where it is required. Users should also treat suspicious files received via email or downloaded from untrusted sources with extreme caution and avoid clicking unsolicited links. Applying these protective measures is vital to safeguarding systems against this actively exploited zero-day.
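The following PowerShell script is an added example, not code from the article or from BleepingComputer. It applies the two mitigations described above on a single host: it stops and disables the WebClient service, and it adds an outbound firewall block. The 80/443 block is scoped to the WebClient service (the `-Service` parameter of `New-NetFirewallRule`) so that browsers and other HTTP clients keep working; the broader TCP 445 block is behind a switch because it also breaks SMB file-share access. The rule names, the `-BlockSmbOutbound` switch, and the assumption that the NetSecurity cmdlets are present (as on the Windows 10/11 and server editions named above) are this example's own.

```powershell
# Added example (not from the article): apply the WebDAV zero-day mitigations
# on one Windows host. Run from an elevated PowerShell session; -WhatIf previews.
# Assumptions: Get-Service/Set-Service/Stop-Service and the NetSecurity module
# (New-NetFirewallRule, Get-NetFirewallRule) are available on the target.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Also add an unscoped outbound block on TCP 445. Off by default because it
    # breaks access to SMB file shares, not only WebDAV.
    [switch]$BlockSmbOutbound
)

# 1. Stop and disable the WebClient service (the WebDAV mini-redirector).
$svc = Get-Service -Name WebClient -ErrorAction Stop
if ($svc.Status -ne 'Stopped') {
    if ($PSCmdlet.ShouldProcess('WebClient', 'Stop service')) {
        Stop-Service -Name WebClient -Force
    }
}
if ($svc.StartType -ne 'Disabled') {
    if ($PSCmdlet.ShouldProcess('WebClient', 'Set StartType=Disabled')) {
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# 2. Block outbound WebDAV traffic (TCP 80/443) from the WebClient service only,
#    so ordinary web browsing and other HTTP clients are unaffected.
$ruleName = 'Mitigation - Block WebClient outbound HTTP/HTTPS'   # constructed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($ruleName, 'Create firewall rule')) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 80,443 -Service WebClient -Profile Any | Out-Null
    }
}

# 3. Optional broad block on outbound TCP 445, the port named in the advisory.
#    This affects every process, so enable it only where SMB egress is not needed.
if ($BlockSmbOutbound) {
    $smbRule = 'Mitigation - Block outbound SMB 445'   # constructed name
    if (-not (Get-NetFirewallRule -DisplayName $smbRule -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($smbRule, 'Create firewall rule')) {
            New-NetFirewallRule -DisplayName $smbRule -Direction Outbound -Action Block `
                -Protocol TCP -RemotePort 445 -Profile Any | Out-Null
        }
    }
}

# 4. Report the resulting state so the change can be verified (and audited later).
Get-Service -Name WebClient | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName 'Mitigation - *' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action
```

Run it once with `-WhatIf` to see what would change, then without. Disabling the WebClient service is the mitigation with the fewest side effects; expect it to break mapped WebDAV drives and SharePoint "Open with Explorer", so check for those dependencies before rolling it out fleet-wide (for example via Group Policy Preferences or Intune rather than per-host scripts).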

Source: https://www.bleepingcomputer.com/news/security/stealth-falcon-hackers-exploited-windows-webdav-zero-day-to-drop-malware/
