CVE-2025-26633

CVE-2025-26633 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-03-11). The underlying weakness is classified as CWE-707.

Key facts

Description

Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

CVE-2025-26633: Microsoft Management Console Security Feature Bypass

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2025-26633 is a security feature bypass vulnerability in Microsoft Management Console (MMC). It was published on March 11, 2025, and stems from improper neutralization of input (CWE-707). An unauthorized attacker with local access and user interaction can bypass security controls.

Background

Microsoft Management Console is a Windows administrative framework used to create, save, and open management tools called snap-ins. MMC is a core component of the Windows management ecosystem, providing a unified interface for system administrators to manage hardware, software, and network components. Because MMC runs with elevated privileges in many administrative contexts, a security feature bypass within it can undermine trust boundaries.

Root Cause

The vulnerability is classified under CWE-707: Improper Neutralization. The flaw exists because MMC fails to properly neutralize or sanitize input during processing, allowing an attacker to manipulate the console's behavior and bypass intended security restrictions. This typically occurs when untrusted data is accepted without adequate validation, enabling unexpected execution paths that circumvent security features.

Impact

The Common Vulnerability Scoring System version 3.1 assigns this flaw a base score of 7.0 (HIGH). The vector is CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, which reflects a local attack vector, high attack complexity, no privileges required, required user interaction, and unchanged scope. Despite the local and interactive requirements, a successful exploit yields high impact across confidentiality, integrity, and availability. The Exploit Prediction Scoring System gives this vulnerability a score of 0.31894, placing it in the 98.1st percentile, indicating a very high probability of active exploitation.

Exploitation Walkthrough

This vulnerability requires an attacker to have local access to the target system and to convince a user to perform an action that triggers the flaw. From a defensive perspective, the attack chain typically begins with an attacker placing a malicious file or interacting with a compromised MMC snap-in. The attacker then relies on social engineering or an existing foothold to induce the user to open or interact with the crafted content. Because the exact mechanics are not publicly disclosed in detail, defenders should assume that any unexpected MMC invocation from untrusted sources is suspicious. Organizations should treat this as an active threat: it is present in CISA's Known Exploited Vulnerabilities catalog and has been flagged as exploited in the EU since March 11, 2025.

Affected and Patched Versions

This vulnerability affects a broad range of Windows client and server operating systems. Affected products include:

  • Windows 10 versions 1507, 1607, 1809, 21H2, and 22H2
  • Windows 11 versions 22H2, 23H2, and 24H2
  • Windows Server 2008 SP2 and R2 SP1
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016, 2019, and 2022
  • Windows Server 2022 23H2
  • Windows Server 2025

Microsoft has released security updates through the Microsoft Security Response Center. Administrators should verify patch status through the official MSRC advisory listed in the References section.

Remediation

Primary remediation is to apply the Microsoft security updates for CVE-2025-26633 as soon as possible. Until patching is complete, organizations should implement the following compensating controls:

  • Restrict local access to sensitive systems and enforce the principle of least privilege.
  • Enable and review User Account Control (UAC) prompts to reduce the likelihood of successful bypass.
  • Train users to avoid opening unexpected files or snap-ins, especially from untrusted sources.
  • Consider using application control policies to limit which MMC snap-ins can execute.
  • Deploy the mitigation script referenced by Vicarius if available for your environment.

Detection

Defenders can monitor for anomalous MMC process launches, especially when initiated by unusual parent processes or from non-standard directories. Look for mmc.exe spawning with unexpected command-line arguments or loading snap-ins from user-writable paths. The Vicarius community has published a detection script that can help identify exploitation attempts. Additionally, endpoint detection and response (EDR) platforms should be tuned to alert on mmc.exe behavior that deviates from known administrative baselines.

Assessment

This vulnerability carries significant risk due to its presence in the CISA Known Exploited Vulnerabilities catalog and its high EPSS percentile. The fact that it is actively exploited in the wild, with EU exploitation confirmed since March 11, 2025, means that unpatched systems are under immediate threat. Two lessons stand out: first, even local attack vectors with user interaction requirements can be weaponized when paired with social engineering or initial access techniques; second, core Windows administrative tools like MMC require the same rigorous input validation as externally facing applications.

References

Frequently asked questions

What is CVE-2025-26633?
Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
How severe is CVE-2025-26633?
CVE-2025-26633 has a CVSS 3.x base score of 7.0, rated high severity. It is exploitable over local access with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2025-26633 being actively exploited?
Yes. CVE-2025-26633 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-03-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2025-26633?
CVE-2025-26633 primarily affects Microsoft Windows 10 1507. In total, 28 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2025-26633?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2025-26633 have an EU (EUVD) identifier?
Yes. CVE-2025-26633 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-6311. It is also flagged as exploited in the EUVD (since 2025-03-11).
When was CVE-2025-26633 published?
CVE-2025-26633 was published on 2025-03-11 and last updated on 2026-06-17.

References

Affected products (28)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →

Other CWE-707 (Improper Neutralization) vulnerabilities

Browse all CWE-707 (Improper Neutralization) vulnerabilities →