PT-2025-10848 · Microsoft · Management Console

Aliakbar Zahravi · Published 2025-03-11 · Updated 2026-02-06 · CVE-2025-26633

CVSS v3.1: 7.0 (High)

Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Microsoft Windows versions prior to the patch released in March 2025.

Description

A security feature bypass vulnerability exists in Microsoft Management Console (MMC). This vulnerability, also known as MSC EvilTwin (CVE-2025-26633), allows an unauthorized attacker to bypass security features locally. The vulnerability is actively exploited by multiple threat actors, including the Russian-aligned groups Water Gamayun (also known as EncryptHub and LARVA-208) and others.

Attackers are leveraging this vulnerability through various methods, including social engineering via Microsoft Teams, malicious websites redirecting to compromised sites, and the use of rogue .msc files disguised as legitimate applications. Exploitation involves techniques like abusing the TaskPad snap-in, executing PowerShell commands, and utilizing custom malware such as SilentPrism, DarkWisp, and Fickle Stealer. The attacks involve the exploitation of a zero-day vulnerability and the use of signed .msi files to deliver malicious payloads.

The exploitation of this vulnerability can lead to data breaches, unauthorized access, and the deployment of backdoors. Several reports indicate that this vulnerability is being used to steal data, credentials, and cryptocurrency wallets.

Recommendations

Apply the latest security updates from Microsoft released in March 2025 to patch CVE-2025-26633. Restrict access to the Management Console. Monitor systems for exploitation attempts. As a temporary workaround, consider disabling or restricting the use of the mmc.exe application.

Exploit · Fix · LPE · RCE · Improper Neutralization

Weakness Enumeration

Related Identifiers

BDU:2025-02567
BDU:2025-05428
CVE-2025-26633
ZDI-25-150

Affected Products

Management Console
Windows