CVE-2025-26633 - Overview, Insights & Trends

CVE-2025-26633

Published Mar 11, 2025

Last updated 17 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-26633 is a security feature bypass vulnerability in the Microsoft Management Console (MMC). It stems from improper neutralization within the MMC and allows an unauthorized attacker to bypass security restrictions locally. The vulnerability is being actively exploited in the wild by a threat actor known as Water Gamayun (also known as EncryptHub and Larva-208) in a campaign called "MSC EvilTwin". The technique executes a malicious .msc file by way of a legitimate one: the Multilingual User Interface Path (MUIPath) is manipulated so that the malicious file is loaded and executed instead of the original.

Description: Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
Source: secure@microsoft.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 7
Impact score: 5.9
Exploitability score: 1
Vector string: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

Known exploits

Data from CISA

Vulnerability name: Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
Exploit added on: Mar 11, 2025
Exploit action due: Apr 1, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

secure@microsoft.com
CWE-707

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

6

  1. Trend Research reveals that Water Gamayun exploits a zero-day vulnerability in Microsoft Management Console (CVE-2025-26633) to deliver custom payloads and execute malicious code on infected machines. #CyberSecurity #ThreatIntel https://t.co/Ul5gr0HW3j

    @Cyber_O51NT

    29 Mar 2025

    219 Impressions

    0 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    29 Mar 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. 🚨 Inside the Water Gamayun Arsenal: We’ve just released a comprehensive analysis of the tools and #backdoors used by #WaterGamayun (aka #Encrypthub). 🔍 Dive into the full report: https://t.co/BXi4UolP53 #CVE-2025-26633 #ThreatResearch #APT #malware https://t.co/jtl1O1SPsG

    @AliakbarZahravi

    28 Mar 2025

    1791 Impressions

    8 Retweets

    36 Likes

    11 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Water Gamayun exploits CVE-2025-26633 in Microsoft Management Console for malware deployment. Custom payloads and backdoors SilentPrism & DarkWisp pose severe risks to organizations. #Russia #malware #datatheft link: https://t.co/2S5xfFwxGA https://t.co/rakD9Sl30p

    @TweetThreatNews

    28 Mar 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 1/6 Water Gamayun, a suspected Russian threat actor, is exploiting the CVE-2025-26633 vulnerability to execute malicious code and steal data. This #zeroday #vulnerability poses significant risks to businesses. Here's what you need to know: https://t.co/Dmyt56AOM6 https://t.co

    @TrendMicroRSRCH

    28 Mar 2025

    319 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. 🚀🔒 @TrendMicro : 𝙲𝚅𝙴-2025-26633 𝚆𝚊𝚝𝚎𝚛 𝙶𝚊𝚖𝚊𝚢𝚞𝚗 #cyber_security_highlights 💡 𝙾𝚟𝚎𝚛𝚟𝚒𝚎𝚠: @TrendMicro latest research uncovers a critical vulnerability—CVE-2025-26633, codenamed “Water Gamayun.” This emerging flaw poses a significant risk to vulnerable ht

    @MahRabie

    28 Mar 2025

    10 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    28 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day CVE-2025-26633 (CVSS score: 7.0) to deliver a wide range of malware families, including backdoors and information stealers https://t.co/ZsYEH7Hsms https://t

    @riskigy

    28 Mar 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data. https://t.co/UXyM8XCFQj https://t.

    @virusbtn

    27 Mar 2025

    1172 Impressions

    8 Retweets

    17 Likes

    6 Bookmarks

    0 Replies

    1 Quote

  10. 🟠Trend Research discovered a Water Gamayun campaign that exploits a zero-day #vulnerability in the Microsoft Management Console framework for malware, called MSC EvilTwin (CVE-2025-26633). #QintegraNews #ciberseguridad @TrendMicro https://t.co/FKKaDBvaz3

    @QintegraC

    27 Mar 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 Threat Alert: Russian Ransomware Exploits Windows Zero-Day 📅 Date: 2025-03-26 📆 Timeline: Active exploitation since before March 2025, following the announcement of CVE-2025-26633. 📌 Attribution: EncryptHub (affiliate of RansomHub, also known as Water Gamayun, Larva-208)

    @syedaquib77

    27 Mar 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. EncryptHub exploits a zero-day vulnerability in MMC (CVE-2025-26633) to deploy Rhadamanthys and StealC malware. Microsoft fixed it in the March Patch Tuesday. https://t.co/S6o91ZM4Vb

    @01ra66it

    27 Mar 2025

    115 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Russia's EncryptHub exploits a zero-day vulnerability in Windows MMC (CVE-2025-26633) to carry out remote code execution and data theft. Microsoft fixed it in the March Patch Tuesday. https://t.co/K7owfXnnAq

    @01ra66it

    27 Mar 2025

    167 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Alert: EncryptHub exploits Windows zero-day (CVE-2025-26633) to deploy Rhadamanthys and StealC malware. Update systems and stay vigilant. #CyberSecurity #WindowsZeroDay #EncryptHub https://t.co/vmchu7ImgX https://t.co/Md4YOkCou1

    @dailytechonx

    26 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Russian Ransomware Gang Exploited Windows Zero-Day Before Patch - (CVE-2025-26633) https://t.co/2orXPnfVrN

    @SecurityWeek

    26 Mar 2025

    1849 Impressions

    8 Retweets

    5 Likes

    1 Bookmark

    2 Replies

    0 Quotes

  16. 🚨 𝐊𝐘𝐁𝐄𝐑𝐗 𝐃𝐢𝐬𝐩𝐚𝐭𝐜𝐡 - 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐍𝐞𝐰𝐬 - 26-Mar-2025 Recent events have seen significant cyber threats, including: ◾️ Actively exploited zero-day vulnerabilities in Google Chrome (CVE-2025-2783) and Microsoft Windows (CVE-2025-26633), ◾️ Advanced

    @tamasbaloghcom

    26 Mar 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. 👀 Running an unpatched Windows system? You’re a target. Hackers are exploiting CVE-2025-26633: EncryptHub hijacks Windows MMC with a stealthy .msc file swap via MUIPath, loading malware like Rhadamanthys and StealC through a fake “en-US” folder. 🧪 Trend Micro calls it "MSC ht

    @TheHackersNews

    26 Mar 2025

    12748 Impressions

    68 Retweets

    103 Likes

    29 Bookmarks

    5 Replies

    0 Quotes

  18. CVE-2025-26633: Water Gamayun Exploits Windows MMC in Active Zero-Day Campaign The Water Gamayun group is leveraging a Windows MMC zero-day to target organizations. Immediate mitigation is advised. https://t.co/iSbc1pkis2 #Cybersecurity #ZeroDay #WindowsMMC

    @adriananglin

    26 Mar 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. EncryptHub linked to MMC zero-day attacks on Windows systems (CVE-2025-26633) https://t.co/85oHLd9qUf #Security #セキュリティ #ニュース

    @SecureShield_

    26 Mar 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Threat Alert: CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin CVE-2025-26633 Severity: 🔴 High Maturity: 🧨 Trending Learn more: https://t.co/lBEbpoTVAm #CyberSecurity #ThreatIntel #InfoSec

    @fletch_ai

    26 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Trend Research reports that Russian threat actor Water Gamayun is exploiting the zero-day vulnerability CVE-2025-26633 in Microsoft Management Console to execute malicious code and exfiltrate data. #CyberSecurity #ThreatIntel https://t.co/Z27TgdHpXH

    @Cyber_O51NT

    26 Mar 2025

    161 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  22. 🚨 New threat alert: Water Gamayun exploits CVE-2025-26633 in Microsoft Management Console, running malicious code via MUIPath. Serious risk for enterprises! 🔒 #Russia #Microsoft #ZeroDayVulnerability link: https://t.co/WPa9FIG3i9 https://t.co/KAfo9N9dMx

    @TweetThreatNews

    25 Mar 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. 🚨 EncryptHub exploits CVE-2025-26633 in Microsoft Management Console to execute zero-day attacks on Windows systems, leading to data breaches and ransomware. Ongoing development detected. 🖥️🔒 #Windows #DataBreach #MalwareAnalysis link: https://t.co/kyhBt1MLM8 https://t.co/rx8

    @TweetThreatNews

    25 Mar 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/uJDJApiniJ https://t.co/AXWFVDaFdd

    @IT_Peurico

    25 Mar 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. The Russia-linked advanced threat group "Water Gamayun" is carrying out attacks that exploit a zero-day vulnerability (CVE-2025-26633) in MMC, a Windows management tool. The attack technique is "MSC

    @yousukezan

    25 Mar 2025

    2638 Impressions

    5 Retweets

    17 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  26. 1/6 Trend Zero Day Initiative™ (ZDI) has discovered that Russian threat actor Water Gamayun is actively exploiting CVE-2025-26633, a #zeroday #vulnerability in the Microsoft Management Console (MMC). https://t.co/ujSejQte0j

    @TrendMicroRSRCH

    25 Mar 2025

    5077 Impressions

    10 Retweets

    18 Likes

    1 Bookmark

    2 Replies

    1 Quote

  27. 🚨🕵️ 1/3 We've released our research on #CVE-2025-26633 — detailing how Water Gamayun (aka. #EncryptHub) weaponizes MUIPath via the MSC #EvilTwin technique. This bug in Microsoft Management Console (mmc.exe) is abused to proxy execute #malicious code on an infected system.👇🧵 h

    @AliakbarZahravi

    25 Mar 2025

    3241 Impressions

    9 Retweets

    39 Likes

    16 Bookmarks

    3 Replies

    1 Quote

  28. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    23 Mar 2025

    18 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  29. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    21 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    21 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  31. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    20 Mar 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    19 Mar 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/BiiSgsJ0zP https://t.co/1aVALoUNon

    @Trej0Jass

    18 Mar 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    18 Mar 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  35. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/NP9FqFSjkQ https://t.co/zNAUxfGQv6

    @dansantanna

    17 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/I1FUNvyWiy https://t.co/gCQYEQrO14

    @NickBla41002745

    17 Mar 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    17 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  38. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    17 Mar 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  39. 🚨 CVE-2025-26633 Alert! 🚨 A critical Windows MMC vulnerability (CVSS 7.0 - High) allows attackers to bypass security features & escalate privileges. https://t.co/8dKFO0kpwj

    @Jordilla_

    16 Mar 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    15 Mar 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  41. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    15 Mar 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. Actively exploited CVE : CVE-2025-26633

    @transilienceai

    14 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  43. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/qj9V35ZLqu https://t.co/rJ7ZorckHf

    @TechMash365

    12 Mar 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. 🚨 CVE-2025-26633 🔴 HIGH (7) 🏢 Microsoft - Windows 10 Version 1809 🏗️ 10.0.17763.0 🔗 https://t.co/bbtmYVTsqz #CyberCron #VulnAlert #InfoSec https://t.co/9Q5ddUlgV1

    @cybercronai

    12 Mar 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/Bs76x1WUgc https://t.co/MnAIyLhIRe

    @secured_cyber

    12 Mar 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/iEnnKi4FhE https://t.co/edMd37EuBC

    @ggrubamn

    12 Mar 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/IC5Y4cLVn9 https://t.co/rx1J8mhJit

    @Trej0Jass

    12 Mar 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/DICKOo36oF https://t.co/QSVFeLKsqy

    @Art_Capella

    12 Mar 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993) https://t.co/Uw6ZamXizW https://t.co/9SAb6FL3MD

    @pcasano

    12 Mar 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🔥 Microsoft warns: 6 zero-days under active attack! 🔹 Key threats: CVE-2025-24985 & CVE-2025-24993 – File system flaws allowing remote code execution CVE-2025-24983 – A Win32k zero-day used in the wild with PipeMagic malware CVE-2025-26633 – Security bypass flaw in Microso

    @dysafhackx

    12 Mar 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations