Cyber Posture

CVE-2025-26633

HighCISA KEVActive ExploitationPublic PoCRansomware-linked

Published: 11 March 2025

Published
11 March 2025
Modified
27 October 2025
KEV Added
11 March 2025
Patch
CVSS Score 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.4252 97.5th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse mmc.

Security Summary

CVE-2025-26633 is an improper neutralization vulnerability in the Microsoft Management Console (MMC) that enables an unauthorized attacker to bypass a security feature locally. Published on 2025-03-11, the issue is associated with CWE-707 and carries a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high potential impact despite requiring local access and user interaction.

An unauthorized attacker with local access to the system can exploit this vulnerability, which demands high attack complexity and user interaction but no special privileges. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, effectively bypassing MMC security controls.

Microsoft's Security Response Center provides an update guide for remediation at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633. Vicarius offers a detection script at https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-detection-script and a mitigation script at https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-mitigation-script.

The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26633, indicating real-world exploitation.

Details

CWE(s)
CWE-707NVD-CWE-noinfo
KEV Date Added
11 March 2025

Affected Products

microsoft
windows 10 1507
≤ 10.0.10240.20947 · ≤ 10.0.10240.20947
microsoft
windows 10 1607
≤ 10.0.14393.7876 · ≤ 10.0.14393.7876
microsoft
windows 10 1809
≤ 10.0.17763.7009 · ≤ 10.0.17763.7009
microsoft
windows 10 21h2
≤ 10.0.19044.5608 · ≤ 10.0.19044.5608 · ≤ 10.0.19044.5608
microsoft
windows 10 22h2
≤ 10.0.19045.5608 · ≤ 10.0.19045.5608 · ≤ 10.0.19045.5608
microsoft
windows 11 22h2
≤ 10.0.22621.5039 · ≤ 10.0.22621.5039
microsoft
windows 11 23h2
≤ 10.0.22631.5039 · ≤ 10.0.22631.5039
microsoft
windows 11 24h2
≤ 10.0.26100.3403 · ≤ 10.0.26100.3403
microsoft
windows server 2008
all versions, r2
microsoft
windows server 2012
all versions, r2
+5 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques

T1218.014 MMC Stealth
Adversaries may abuse mmc.
attack.mitre.org →
Why these techniques?

The vulnerability is a local security feature bypass in MMC, directly enabling adversaries to use MMC for proxy execution of malicious payloads or snap-ins while evading intended controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References