CVERadar

CVE-2025-26633
High Severity
Vendor: Microsoft
SVRS: 48/100
CVSSv3: 7.0/10
EPSS: 0.01287/1

CVE-2025-26633 is a security feature bypass vulnerability in Microsoft Management Console (MMC). It stems from improper neutralization of structured data (CWE-707) and lets a local attacker perform actions that the console's security features should block, potentially compromising the system. Per the CVSS vector, exploitation requires local access (AV:L) and user interaction (UI:R). SOCRadar has assigned this CVE an SVRS score of 48, indicating a moderate level of risk.

While the CVSS base score is 7.0 (High), the SVRS also weighs real-world factors such as exploit availability and threat actor interest. Because exploits are available, the flaw is listed in CISA's KEV catalog and exploitation has been observed in the wild, it should be addressed promptly despite the moderate SVRS. Successful exploitation of CVE-2025-26633 could lead to unauthorized access to, and modification of, system settings. Organizations should review Microsoft's advisory and apply the available patches to mitigate this high-severity vulnerability, which poses a significant risk to systems running the affected versions of Microsoft Management Console.

Tags: Vendor advisory, CISA KEV, In The Wild, Exploit Available
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
2025-04-03

2025-03-11

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability | https://www.cisa.gov/search?g=CVE-2025-26633 | 2025-03-11

News

The controversial case of the threat actor EncryptHub
Pierluigi Paganini, 2025-04-07
Microsoft credited controversial actor EncryptHub, a lone actor with ties to cybercrime, for reporting two Windows flaws. Microsoft credited the likely lone actor behind the EncryptHub alias (also known as SkorikARI) for reporting two Windows security flaws, highlighting a “conflicted” figure balancing ethical cybersecurity work with cybercriminal activity. Outpost24 KrakenLabs published a detailed analysis of […]
Source: securityaffairs.co

Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws
Ajit Jasrotia, 2025-04-05
A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a “conflicted” individual straddling a legitimate career in cybersecurity and pursuing cybercrime. In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the […]
Source: allhackernews.com

Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp
Ajit Jasrotia, 2025-03-31
The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. “The threat actor deploys payloads primarily […]
Source: allhackernews.com

Water Gamayun Hackers Exploit MSC EvilTwin Zero-day Vulnerability to Hack Windows Machine
Aman Mishra, 2025-03-31
Water Gamayun, a suspected Russian threat actor, has been identified exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise Windows systems. This vulnerability, embedded in the Microsoft Management Console (MSC) framework, allows attackers to execute malicious code remotely, exfiltrate sensitive data, and maintain persistent control over infected machines. The exploit leverages custom payloads and advanced […]
Source: gbhackers.com

Security Affairs newsletter Round 517 by Pierluigi Paganini – INTERNATIONAL EDITION
Pierluigi Paganini, 2025-03-30
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. FBI and DOJ seize $8.2 Million in romance baiting crypto fraud scheme. Experts warn of the new sophisticated […]
Source: securityaffairs.co

A Deep Dive into Water Gamayun’s Arsenal and Infrastructure
Aliakbar Zahravi, 2025-03-28
Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
Source: trendmicro.com

The Good, the Bad and the Ugly in Cybersecurity – Week 13
SentinelOne, 2025-03-28
Interpol disrupts cybercrime ring in Africa, new credential stuffing service targets 140 sites, and EncryptHub exploits Windows MMC zero-day. The Good | Interpol Cracks Down on 300 Cybercriminals Linked to African Cyber Scam Operations: 306 suspects have been arrested in Operation Red Card, an international crackdown conducted between November 2024 and February 2025 on cybercrime networks operating across borders. The joint operation between […]
Source: sentinelone.com

Social Media

Water Gamayun’s campaign can lead to data breaches and financial loss. Discover how this Russian threat actor exploits a #zeroday #vulnerability in Microsoft Management Console (CVE-2025-26633) and what you can do to stay safe: ⬇️ https://t.co/Dmyt56AOM6 https://t.co/gWxTcXK9m1

Water Gamayun campaign exploiting CVE-2025-26633: technical analysis of MSC EvilTwin https://t.co/RdAjzlo2cI

Trend Zero Day Initiative™ (ZDI) reveals Russian threat actor Water Gamayun exploiting a #zeroday #vulnerability (CVE-2025-26633) in Microsoft Management Console. This exploit (MSC EvilTwin) can execute malicious code and exfiltrate data. Read more: https://t.co/Dmyt56AOM6 https://t.co/vBRTF5zWVW

Trend Research uncovers Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 #zeroday #vulnerability to execute malicious code and exfiltrate data from compromised systems. Learn more here: ⬇️ https://t.co/25Srz2IHDN

👀 Microsoft Credits EncryptHub — the Hacker Behind 618+ Breaches — for Disclosing Windows Flaws. 👀 In March 2025, EncryptHub reported 2 critical bugs (CVE-2025-24061 & CVE-2025-24071). Weeks later, he exploited a zero-day (CVE-2025-26633), hitting hundreds of targets using https://t.co/TxEKVvtD4E

🚨 A Russian group, Water Gamayun, is abusing a Windows zero-day (CVE-2025-26633) to drop two chilling backdoors: SilentPrism & DarkWisp. They’re hiding in plain sight using signed .msi files posing as legit apps like DingTalk & VooV to hijack systems. 👀 Targets? Your data, https://t.co/HMb2Zc76Mi

2️⃣ Russian Hackers Exploit Microsoft Zero-Day CVE-2025-26633 For Code Execution. Threat level: Medium 🟧 Water Gamayun (aka Larva-208, EncryptHub), a Russian threat actor, orchestrated a sophisticated attack campaign exploiting a zero-day vulnerability, CVE-2025-26633.

🚨 Critical Alert: Cybersecurity experts have identified a new threat! Russian hackers, known as Water Gamayun, are exploiting the recently patched CVE-2025-26633 vulnerability in Microsoft Windows to deploy backdoors like SilentPrism and DarkWisp.

This attack could lead to severe data breaches and unauthorized access. Action Required: Organizations must apply the patch for CVE-2025-26633 immediately to protect their systems!

Affected Software

Configuration 1
Type | Vendor | Product
OS | Microsoft | windows_10_1507
OS | Microsoft | windows_10_1809
OS | Microsoft | windows_10_1607
OS | Microsoft | windows_10_21h2
OS | Microsoft | windows_10_22h2
OS | Microsoft | windows_server_2022
OS | Microsoft | windows_11_24h2
OS | Microsoft | windows_11_22h2
OS | Microsoft | windows_11_23h2
OS | Microsoft | windows_server_2012
OS | Microsoft | windows_server_2022_23h2
OS | Microsoft | windows_server_2008
OS | Microsoft | windows_server_2016
OS | Microsoft | windows_server_2019

References

Reference | Link
[email protected] | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
MICROSOFT MANAGEMENT CONSOLE SECURITY FEATURE BYPASS VULNERABILITY | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633

CWE Details

CWE ID | CWE Name | Description
CWE-707 | Improper Neutralization | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
