CVE-2025-26633

HIGH KEV RANSOMWARE

Microsoft Management Console - Auth Bypass

Title source: llm

Exploitation Summary

CVE-2025-26633 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 11, 2025), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including Mohammed Idrees Banyamer, mbanyamer and sandsoncosta.

AI-analyzed exploit summary: This Python script generates a malicious .msc file that exploits CVE-2025-26633 to execute arbitrary PowerShell commands, specifically adding a local administrator account. The exploit leverages Microsoft Management Console (MMC) to achieve local privilege escalation.

Description

Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Exploits (3)

exploitdb · WORKING POC
by Mohammed Idrees Banyamer · python · local · windows
https://www.exploit-db.com/exploits/52498

This Python script generates a malicious .msc file that exploits CVE-2025-26633 to execute arbitrary PowerShell commands, specifically adding a local administrator account. The exploit leverages Microsoft Management Console (MMC) to achieve local privilege escalation.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows 10/11 and Windows Server 2016-2025 (pre-March 2025 patches)
Auth: required
Prerequisites: Access to a vulnerable Windows system · Ability to execute the generated .msc file
devstral-2 · analyzed Apr 09, 2026

nomisec · WORKING POC · 3 stars
by mbanyamer · poc
https://github.com/mbanyamer/MSC-EvilTwin-Local-Privilege-Escalation

This PoC demonstrates CVE-2025-26633, a local privilege escalation vulnerability in Microsoft Management Console (MMC) via a malicious .msc file. It creates a local administrator account when executed by a user with sufficient privileges.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Management Console (MMC) on Windows 10, 11, and Server 2016-2025 (pre-March 2025 patches)
Auth: required
Prerequisites: Access to a vulnerable Windows system · Ability to execute the generated .msc file via mmc.exe
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 2 stars
by sandsoncosta · local
https://github.com/sandsoncosta/CVE-2025-26633

This PoC exploits CVE-2025-26633 by dropping malicious `.msc` files in the Windows System32 directory, which are then executed via MMC to achieve remote command execution. The exploit involves a multi-stage payload delivery mechanism, including a PowerShell dropper and a secondary payload fetch.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Management Console (MMC)
Auth: not needed
Prerequisites: Access to the target system to execute the dropper script · Network connectivity to fetch secondary payloads
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.0
EPSS: 0.4532
EPSS Percentile: 97.7%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2025-03-11
VulnCheck KEV: 2025-03-11
ENISA EUVD: EUVD-2025-6311
Ransomware Use: Confirmed
CWE: CWE-707
Status: published
Products (17)
microsoft/windows_10_1507 < 10.0.10240.20947 (2 CPE variants)
microsoft/windows_10_1607 < 10.0.14393.7876 (2 CPE variants)
microsoft/windows_10_1809 < 10.0.17763.7009 (2 CPE variants)
microsoft/windows_10_21h2 < 10.0.19044.5608 (3 CPE variants)
microsoft/windows_10_22h2 < 10.0.19045.5608 (3 CPE variants)
microsoft/windows_11_22h2 < 10.0.22621.5039 (2 CPE variants)
microsoft/windows_11_23h2 < 10.0.22631.5039 (2 CPE variants)
microsoft/windows_11_24h2 < 10.0.26100.3403 (2 CPE variants)
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_server_2008 r2 sp1
... and 7 more
Published: Mar 11, 2025
KEV Added: Mar 11, 2025
Tracked Since: Feb 18, 2026