CVE-2025-26633
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
Analysis
A security feature bypass in Microsoft Management Console (MMC) allows attackers to evade security warnings and execute malicious code locally. KEV-listed and tracked as CVE-2025-26633, this vulnerability has been actively exploited by the Water Gamayun threat group (also tracked as EncryptHub) using crafted .msc files to deploy info-stealing malware. A public PoC is available and the EPSS score is 7.1%.
Technical Context
MMC is a built-in Windows framework for managing system snap-ins (.msc files). The vulnerability allows attackers to craft malicious .msc files that bypass the trust validation and warning mechanisms normally preventing execution of untrusted snap-ins. This is particularly effective because .msc files are commonly used by administrators and are often trusted by security tools. The Water Gamayun/EncryptHub group has been observed chaining this with social engineering.
Affected Products
Microsoft Windows 10 (all versions)
Microsoft Windows 11
Microsoft Windows Server 2016/2019/2022
Remediation
Apply Microsoft security update immediately. Block .msc file attachments at email gateways. Educate users about risks of opening .msc files from untrusted sources. Monitor for suspicious MMC execution patterns. Consider ASR (Attack Surface Reduction) rules to restrict .msc execution.
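As an added illustration of the "monitor for suspicious MMC execution patterns" advice (example code written for this entry, not part of the original page or any Microsoft tooling), the script below triages constructed process-creation events with two assumed heuristics: MMC loading a .msc file from outside the System32/SysWOW64 snap-in directories, and MMC spawning a shell or script host. The sample events, rule names and trusted-directory list are assumptions, not indicators from this advisory.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (simplified Sysmon Event ID 1 / Security 4688 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\compmgmt.msc"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\report.msc"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden",
     "parent": r"C:\Windows\System32\mmc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumed heuristics: built-in snap-ins live under System32/SysWOW64, so a .msc loaded
# from a user-writable path, or MMC launching a shell/script host, warrants review.
TRUSTED_MSC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MSC_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.msc)"?', re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()

def classify_event(evt):
    """Return the list of rule names an event triggers (empty if benign under these rules)."""
    hits = []
    if basename(evt["image"]) == "mmc.exe":
        for msc in MSC_ARG.findall(evt["cmdline"]):
            msc_dir = str(PureWindowsPath(msc).parent).lower()
            if not msc_dir.startswith(TRUSTED_MSC_DIRS):
                hits.append("msc_from_user_writable_path")
    if basename(evt["parent"]) == "mmc.exe" and basename(evt["image"]) in SHELL_HOSTS:
        hits.append("mmc_spawned_shell_or_script_host")
    return hits

def triage(events):
    """Map each suspicious event's command line to the rules it triggered."""
    return {e["cmdline"]: hits for e in events if (hits := classify_event(e))}

if __name__ == "__main__":
    for cmdline, rules in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules)}: {cmdline}")
```

In a real deployment the trusted-directory list needs tuning for legitimately deployed custom snap-ins, and the parent/child rule should be correlated with the .msc path that the same mmc.exe instance loaded.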