CVERadar

CVE-2025-26633

Severity: High
Vendor: Microsoft
SVRS: 69/100
CVSSv3: 7.0/10
EPSS: 0.02881/1

CVE-2025-26633: Microsoft Management Console Security Feature Bypass. A local attacker can bypass security measures due to improper neutralization within the Microsoft Management Console. While the CVSS score is 7, indicating high severity, the SOCRadar Vulnerability Risk Score (SVRS) of 69 suggests a significant elevation of risk due to factors such as the availability of active exploits. This vulnerability allows unauthorized actions and privilege escalation on affected systems. With publicly available exploits and an 'In The Wild' tag, CVE-2025-26633 requires prompt attention and patching to prevent system compromise and data breaches. The 'CISA KEV' tag further emphasizes its criticality, as it is a known exploited vulnerability. Although not at a critical level according to SVRS, it necessitates immediate monitoring and planning for remediation because active exploits are available.

Tags: Vendor-advisory, CISA KEV, In The Wild, Exploit Available
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Updated: 2025-04-29
Published: 2025-03-11
SOCRadar AI Insight

Description

CVE-2025-26633 describes an improper neutralization vulnerability within Microsoft Management Console (MMC). It allows a local, unauthorized attacker to bypass security features. The CVSS score is 7.0, indicating high severity. However, the SOCRadar Vulnerability Risk Score (SVRS) is 52, suggesting a moderate risk. Despite the moderate SVRS, the tags indicate that exploits are available, that the vulnerability is actively exploited by attackers, and that CISA has added it to its Known Exploited Vulnerabilities catalog.

Key Insights

  1. Exploit Availability and Active Exploitation: The most concerning aspect is the presence of readily available exploits and active exploitation of CVE-2025-26633 in the wild. Despite the moderate SVRS score, this elevates the immediate risk significantly.
  2. Local Attack Vector: The vulnerability requires local access, meaning an attacker needs to already have some level of access to the target system. This highlights the importance of strong internal security controls.
  3. CISA KEV Designation: The inclusion of this CVE in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores its criticality. A KEV designation indicates that the vulnerability poses a significant risk to federal agencies and requires immediate remediation, a deadline every organization should also adopt.
  4. CWE-707 (Improper Neutralization): The assigned CWE (Common Weakness Enumeration) indicates that the core issue lies in the improper handling or sanitization of input within the Microsoft Management Console, allowing for the bypass of security measures.

Mitigation Strategies

  1. Apply Microsoft's Security Patch Immediately: Prioritize the deployment of the security patch released by Microsoft to address CVE-2025-26633. Given the "In the Wild" and "Exploit Available" tags, patching is paramount.
  2. Enhance Local System Security: Strengthen local user access controls and implement robust monitoring to detect unauthorized activity within the Microsoft Management Console. Restrict access to sensitive functionalities within MMC to authorized personnel only.
  3. Continuous Monitoring and Threat Hunting: Implement robust monitoring and threat hunting practices to identify and respond to potential exploitation attempts targeting CVE-2025-26633. Focus on detecting suspicious activity within the Microsoft Management Console.
  4. Review and Enforce Least Privilege: Conduct a thorough review of user privileges on systems using the Microsoft Management Console. Ensure that users are granted only the minimum level of access required to perform their duties.

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability | https://www.cisa.gov/search?g=CVE-2025-26633 | 2025-03-11

News

URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days - The Hacker News
2025-03-12 | google.com
Microsoft on Tuesday released security updates to address 57 security vulnerabilities in its software, including a whopping six zero-days that it said have been actively exploited in the wild. Of the 56 flaws, six are rated Critical, 50 are rated Important, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are remote code execution bugs and 22 relate to privilege escalation. The updates are in addition to 17 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since

Microsoft Discloses ‘Extraordinary’ Number Of Actively Exploited Vulnerabilities: Researcher - CRN Magazine
2025-03-11 | google.com
The tech giant’s monthly release of security fixes addresses vulnerabilities including six flaws that are believed to be under active attack, according to Trend Micro’s Dustin Childs. Microsoft’s monthly release of security fixes addresses vulnerabilities including six flaws that are believed to be under active attack. A total of 67 CVEs (Common Vulnerabilities and Exposures) received patches as part of the release, popularly known as “Patch Tuesday.” [Related: 10 Major Ransomware Attacks And Data Breaches In 2024] “This is nearly identical to the release

SANS Stormcast Wednesday Mar 26th: XWiki Exploit; File Converter Correction; VMWare Vulnerability; Draytek Router Reboots; MMC Exploit Details
Dr. Johannes B. Ullrich | 2025-03-26 | sans.edu
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. XWiki Search Vulnerability Exploit Attempts (CVE-2024-3721): Our honeypot detected an increase in exploit attempts for an XWiki command injection vulnerability. The vulnerability was patched last April, but appears to be exploited more these last couple days. The vulnerability affects

ZDI-25-150: Microsoft Windows MSC File Insufficient UI Warning Remote Code Execution Vulnerability
2025-05-01 | zerodayinitiative.com
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-26633.

The March 2025 Security Update Review
Dustin Childs | 2025-05-01 | zerodayinitiative.com
We’ve reached the third Patch Tuesday of 2025, and, as expected, Microsoft and Adobe have released their latest security offerings. Take a break from your scheduled activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here: Adobe Patches for March 2025. For March, Adobe released seven

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin
Aliakbar Zahravi | 2025-05-01 | trendmicro.com
Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.

A Deep Dive into Water Gamayun’s Arsenal and Infrastructure
Aliakbar Zahravi | 2025-05-01 | trendmicro.com
Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.

Social Media

  - Water Gamayun’s campaign can lead to data breaches and financial loss. Discover how this Russian threat actor exploits a #zeroday #vulnerability in Microsoft Management Console (CVE-2025-26633) and what you can do to stay safe: ⬇️ https://t.co/Dmyt56AOM6 https://t.co/ASTnUNM1NK
  - Trend Micro's latest report uncovers the sophisticated "Water Gamayun" cyberespionage campaign, exploiting CVE-2025-26633. With state-sponsored actors using spear-phishing and the WaterBear backdoor, vigilance is crucial. https://t.co/TCSfsjhplM
  - Trend Research uncovers Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 #zeroday #vulnerability to execute malicious code and exfiltrate data from compromised systems. What you need to know: https://t.co/25Srz2IHDN https://t.co/zc5EpORueP
  - Water Gamayun’s campaign can lead to data breaches and financial loss. Discover how this Russian threat actor exploits a #zeroday #vulnerability in Microsoft Management Console (CVE-2025-26633) and what you can do to stay safe: ⬇️ https://t.co/Dmyt56AOM6 https://t.co/wh2RXx0yKv
  - Trend Research uncovers Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 #zeroday #vulnerability to execute malicious code and exfiltrate data from compromised systems. https://t.co/hEIZZSGZ0Z
  - Water Gamayun’s campaign can lead to data breaches and financial loss. Discover how this Russian threat actor exploits a #zeroday #vulnerability in Microsoft Management Console (CVE-2025-26633) and what you can do to stay safe: ⬇️ https://t.co/Dmyt56AOM6 https://t.co/XTy543v38v
  - Trend Research uncovers Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 #zeroday #vulnerability to execute malicious code and exfiltrate data from compromised systems. What you need to know: ⬇️ https://t.co/25Srz2IHDN https://t.co/CjWXcYzN69
  - A Russian APT just exploited CVE-2025-26633 using a signed Windows MSC attack. Wild stuff. I broke it down + shared why penetration testing is more important than ever in today’s threat landscape. Read the blog 👇 #CyberSecurity #CVE202526633 #infosec
  - Russian hackers exploit CVE-2025-26633 (MSC EvilTwin) to deploy SilentPrism & DarkWisp malware, stealing data with persistent backdoors. Stay vigilant & patch now! #Cybersecurity #ThreatIntel 👇 https://t.co/UmxzxsL5t7
  - We uncovered Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 0-day #vulnerability to execute malicious code and exfiltrate data from compromised systems. Here’s what you need to know: https://t.co/rtYGSBFNn3 https://t.co/5AMDaHsOrk

Affected Software

Configuration 1

Type | Vendor | Product
OS | Microsoft | windows_10_1507
OS | Microsoft | windows_10_1809
OS | Microsoft | windows_10_1607
OS | Microsoft | windows_10_21h2
OS | Microsoft | windows_10_22h2
OS | Microsoft | windows_11_22h2
OS | Microsoft | windows_server_2022
OS | Microsoft | windows_11_23h2
OS | Microsoft | windows_11_24h2
OS | Microsoft | windows_server_2012
OS | Microsoft | windows_server_2022_23h2
OS | Microsoft | windows_server_2016
OS | Microsoft | windows_server_2008
OS | Microsoft | windows_server_2019

References

Reference | Link
[email protected] | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
MICROSOFT MANAGEMENT CONSOLE SECURITY FEATURE BYPASS VULNERABILITY | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
AF854A3A-2127-422B-91AE-364DA2661108 | https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-detection-script
AF854A3A-2127-422B-91AE-364DA2661108 | https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-mitigation-script

CWE Details

CWE ID | CWE Name | Description
CWE-707 | Improper Neutralization | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
