CVE-2025-26633

Published Mar 11, 2025

Last updated 2 days ago

Exploit knownCVSS high 7.0
Microsoft
MMC

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-26633 is a security feature bypass vulnerability in the Microsoft Management Console (MMC). It stems from improper neutralization within the MMC, allowing an unauthorized attacker to bypass security restrictions locally. The vulnerability is being actively exploited in the wild by a threat actor known as Water Gamayun (also known as EncryptHub and Larva-208) in a campaign called "MSC EvilTwin". This technique involves the execution of malicious .msc files through a legitimate one by manipulating the Multilingual User Interface Path (MUIPath) to load and execute a malicious file instead of the original one.

Description
Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
Source
secure@microsoft.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Secondary
Base score
7
Impact score
5.9
Exploitability score
1
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
Exploit added on
Mar 11, 2025
Exploit action due
Apr 1, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

secure@microsoft.com
CWE-707
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

1

  1. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    18 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    17 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    15 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Trend Research uncovers Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 #zeroday #vulnerability to execute malicious code and exfiltrate data from compromised systems. https://t.co/hEIZZSGZ0Z

    @TrendMicro

    15 Apr 2025

    369 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    14 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    13 Apr 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    12 Apr 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. A Russian APT just exploited CVE-2025-26633 using a signed Windows MSC attack. Wild stuff. I broke it down + shared why penetration testing is more important than ever in today’s threat landscape. Read the blog 👇 #CyberSecurity #CVE202526633 #infosec

    @FennefLabs

    12 Apr 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    12 Apr 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Russian hackers exploit CVE-2025-26633 (MSC EvilTwin) to deploy SilentPrism & DarkWisp malware, stealing data with persistent backdoors. Stay vigilant & patch now! #Cybersecurity #ThreatIntel 👇 https://t.co/UmxzxsL5t7

    @_F2po_

    12 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    11 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. We uncovered Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 0-day #vulnerability to execute malicious code and exfiltrate data from compromised systems. Here’s what you need to know: https://t.co/rtYGSBFNn3 https://t.c

    @TrendMicro

    11 Apr 2025

    436 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  13. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. #malware Read More: https://t.co/KS8DG3BWEQ http

    @pinakinit1

    11 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    11 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  15. Water Gamayun’s campaign can lead to data breaches and financial loss. Discover how this Russian threat actor exploits a #zeroday #vulnerability in Microsoft Management Console (CVE-2025-26633) and what you can do to stay safe: ⬇️ https://t.co/Dmyt56AOM6

    @TrendMicroRSRCH

    11 Apr 2025

    353 Impressions

    0 Retweets

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  16. Trend Research uncovers Water Gamayun’s arsenal and infrastructure. This suspected Russian threat actor exploits the CVE-2025-26633 #zeroday #vulnerability to execute malicious code and exfiltrate data from compromised systems. Learn more here: ⬇️ https://t.co/25Srz2IHDN https:/

    @TrendMicroRSRCH

    10 Apr 2025

    431 Impressions

    3 Retweets

    9 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    10 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  18. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp The threat actors behin 𝗗𝗼𝗻'𝘁 𝗺𝗶𝘀𝘀 𝗼𝘂𝘁 𝗼𝗻 𝗼𝘂𝗿 𝘁𝘄𝗲𝗲𝘁𝘀. 𝗙𝗼𝗹𝗹𝗼𝘄 𝘁𝗼𝗱𝗮𝘆! @thehackersnews @edgeitech @edgetechnologysolutions @technology https://t.co/XBtpeTlpLi

    @Edgeitech

    10 Apr 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Trend Zero Day Initiative™ (ZDI) reveals Russian threat actor Water Gamayun exploiting a #zeroday #vulnerability (CVE-2025-26633) in Microsoft Management Console. This exploit (MSC EvilTwin) can execute malicious code and exfiltrate data. Read more: ⬇️https://t.co/Dmyt56AOM6 h

    @TrendMicroRSRCH

    10 Apr 2025

    93 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  20. Russian Threat Actors Exploit CVE-2025-26633 in Linux Kernel 🇷🇺 https://t.co/9mv2YUFqYm APT28 is exploiting a Linux kernel flaw (CVE-2025-26633) to escalate privileges and deploy remote access tools in targeted attacks. Patch Linux systems immediately and restrict local use

    @Huntio

    8 Apr 2025

    2409 Impressions

    27 Retweets

    51 Likes

    16 Bookmarks

    1 Reply

    0 Quotes

  21. この内 CVE-2025-24983、CVE-2025-24984、CVE-2025-24985、CVE-2025-24991、CVE-2025-24993、CVE-2025-26633 の脆弱性について、Microsoft 社では悪用の事実を確認済みと公表しており、今後被害が拡大するおそれがあるため、至急、更新プログラムを適用してください。

    @quickshield_jp

    7 Apr 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    6 Apr 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  23. Trend Zero Day Initiative™ (ZDI) reveals Russian threat actor Water Gamayun exploiting a #zeroday #vulnerability (CVE-2025-26633) in Microsoft Management Console. This exploit (MSC EvilTwin) can execute malicious code and exfiltrate data. Read more: https://t.co/Dmyt56AOM6 htt

    @TrendMicroRSRCH

    6 Apr 2025

    507 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    6 Apr 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. 👀 Microsoft Credits EncryptHub — the Hacker Behind 618+ Breaches — for Disclosing Windows Flaws. 👀 In March 2025, EncryptHub reported 2 critical bugs (CVE-2025-24061 & CVE-2025-24071). Weeks later, he exploited a zero-day (CVE-2025-26633), hitting hundreds of targets usin

    @TheHackersNews

    5 Apr 2025

    13527 Impressions

    35 Retweets

    80 Likes

    15 Bookmarks

    1 Reply

    0 Quotes

  26. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    5 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    4 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    4 Apr 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  29. 🚨 A Russian group, Water Gamayun, is abusing a Windows zero-day (CVE-2025-26633) to drop two chilling backdoors: SilentPrism & DarkWisp. They’re hiding in plain sight using signed .msi files posing as legit apps like DingTalk & VooV to hijack systems. 👀 Targets? Your

    @achi_tech

    3 Apr 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    3 Apr 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    2 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. [1day1line] CVE-2025-26633: RCE Vulnerability via MUIPath Path in Microsoft Management Console (MMC) The vulnerability was caused by running a .msc file with the same name as the original .msc file in the MUIPath folder without integrity verification. https://t.co/IzlmeaxxrT

    @hackyboiz

    2 Apr 2025

    226 Impressions

    1 Retweet

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. New Russian Cyberattack Alert Hackers exploit CVE-2025-26633 with MSC EvilTwin, deploying SilentPrism & DarkWisp backdoors. They’re stealing credentials & evading detection. Stay secure! 🔐🔥 https://t.co/5W7Evzwxnk #CyberSecurity #APT #ThreatIntel https://t.co/4nK7

    @dCypherIO

    2 Apr 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. If you're a windows user, make sure you've updated. CVE-2025-26633, described by Microsoft as an improper neutralization vulnerability in Microsoft Management Console (MMC) that could allow an attacker to bypass a security feature locally. https://t.co/R3nL6FwhIJ

    @StealthXploit

    1 Apr 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  35. Russian Hackers Exploit #CVE-2025-26633 via #MSC EvilTwin to Deploy SilentPrism and #DarkWisp https://t.co/ZsAS0LyfiB

    @ScyScan

    1 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    1 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  37. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp https://t.co/VrzBpbZOto via @TheHackersNews

    @YouAllWant2know

    1 Apr 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp https://t.co/2o4qDe7hof https://t.co/RaE8zJy48o

    @RigneySec

    1 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp Read More-https://t.co/NYzfFIwYH4 #Hackers https://t.co/cGOrs3e4R5

    @techpio_team

    1 Apr 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. 2025年に発見されたWindowsのゼロデイ脆弱性(CVE-2025-26633)を悪用し、ロシア系とされる攻撃グループ「Water Gamayun」(別名EncryptHubやLARVA-208)が、新たに「SilentPrism」と「DarkWisp」という2種類のバックドアを配布していることが判明した。

    @yousukezan

    1 Apr 2025

    22 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 米国サイバーセキュリティ・社会基盤安全保障庁(CISA)の既知の悪用された脆弱性カタログで、WindowsのMicrosoft Management Console (MMC)における脆弱性CVE-2025-26633のランサムウェアによる悪用が確認済みに更新。 https://t.co/UOQ6WIgwr5

    @__kokumoto

    31 Mar 2025

    829 Impressions

    0 Retweets

    6 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. ロシアのハッカー集団がCVE-2025-26633を悪用し、バックドア「SilentPrism」と「DarkWisp」を展開。 「MSC EvilTwin」手法でMMCの脆弱性を突き、情報窃取や持続的攻撃を実行。 https://t.co/CePOgrnwCL

    @01ra66it

    31 Mar 2025

    1388 Impressions

    2 Retweets

    18 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

  43. 🚨 Water Gamayun hackers exploit Windows vulnerability CVE-2025-26633 to deploy SilentPrism and DarkWisp. Malicious packages enable stealthy data theft and remote control. Stay vigilant! 🇷🇺 #RussianHackers #DataExfiltration link: https://t.co/hNjGYEJ39l https://t.co/AJTa5Yo3mB

    @TweetThreatNews

    31 Mar 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. 🚨 Water Gamayun exploiting Windows 0-day (CVE-2025-26633)! 🚨 ⚠️ Dropping SilentPrism & DarkWisp via fake signed apps (DingTalk, VooV). 🎯 Stealing: Data, credentials, crypto wallets. 🛠 TTPs: LOTL, PowerShell implants, fake WinRAR sites. Stay alert! #APT #ThreatIntel https

    @krishna75800113

    31 Mar 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. A Russian threat group, identified as Water Gamayun, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, tracked as CVE-2025-26633 (aka MSC EvilTwin), to deploy two potent backdoors: SilentPrism and DarkWisp. This campaign https://

    @cytexsmb

    31 Mar 2025

    184 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  46. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp https://t.co/qWaEwMtc2v https://t.co/scxK4qMNuM

    @talentxfactor

    31 Mar 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp https://t.co/0KF0b6eKJU https://t.co/FdmRgcO78J

    @TonyBeeTweets

    31 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. 📍Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp https://t.co/yAOYglHhdL

    @cyberetweet

    31 Mar 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. The Hacker News - Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp https://t.co/3AbQ7XqzwX

    @buzz_sec

    31 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp #CyberSecurity #CyberAttack #Russia https://t.co/PClMDQ8dnh

    @POC__S_

    31 Mar 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

References