Microsoft
CVE-2025-26633
HIGH
Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
AnalysisAI
A security feature bypass in Microsoft Management Console (MMC) allows attackers to evade security warnings and execute malicious code locally. KEV-listed and tracked as CVE-2025-26633, this vulnerability has been actively exploited by the Water Gamayun threat group (also tracked as EncryptHub) using crafted .msc files to deploy info-stealing malware. Public PoC is available and EPSS is 7.1%.
Technical ContextAI
MMC is a built-in Windows framework for managing system snap-ins (.msc files). The vulnerability allows attackers to craft malicious .msc files that bypass the trust validation and warning mechanisms normally preventing execution of untrusted snap-ins. This is particularly effective because .msc files are commonly used by administrators and are often trusted by security tools. The Water Gamayun/EncryptHub group has been observed chaining this with social engineering.
Affected ProductsAI
Microsoft Windows 10 (all versions) Microsoft Windows 11 Microsoft Windows Server 2016/2019/2022
RemediationAI
Apply Microsoft security update immediately. Block .msc file attachments at email gateways. Educate users about risks of opening .msc files from untrusted sources. Monitor for suspicious MMC execution patterns. Consider ASR (Attack Surface Reduction) rules to restrict .msc execution.
Same weakness CWE-707 – Improper Neutralization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today