CVE-2025-26633
CVE-2025-26633 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-03-11). The underlying weakness is classified as CWE-707.
Key facts
- Severity: High (CVSS 3.x base score 7.0)
- EPSS exploit prediction: 32% (98th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-03-11)
- EU (EUVD) id: EUVD-2025-6311
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-03-11)
- Weakness: CWE-707
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
CVE-2025-26633: Microsoft Management Console Security Feature Bypass
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2025-26633 is a security feature bypass vulnerability in Microsoft Management Console (MMC). It was published on March 11, 2025, and stems from improper neutralization of input (CWE-707). An unauthorized attacker with local access and user interaction can bypass security controls.
Background
Microsoft Management Console is a Windows administrative framework used to create, save, and open management tools called snap-ins. MMC is a core component of the Windows management ecosystem, providing a unified interface for system administrators to manage hardware, software, and network components. Because MMC runs with elevated privileges in many administrative contexts, a security feature bypass within it can undermine trust boundaries.
Root Cause
The vulnerability is classified under CWE-707: Improper Neutralization. The flaw exists because MMC fails to properly neutralize or sanitize input during processing, allowing an attacker to manipulate the console's behavior and bypass intended security restrictions. This typically occurs when untrusted data is accepted without adequate validation, enabling unexpected execution paths that circumvent security features.
Impact
The Common Vulnerability Scoring System version 3.1 assigns this flaw a base score of 7.0 (HIGH). The vector is CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, which reflects a local attack vector, high attack complexity, no privileges required, required user interaction, and unchanged scope. Despite the local and interactive requirements, a successful exploit yields high impact across confidentiality, integrity, and availability. The Exploit Prediction Scoring System gives this vulnerability a score of 0.31894, placing it in the 98.1st percentile, indicating a very high probability of active exploitation.
Exploitation Walkthrough
This vulnerability requires an attacker to have local access to the target system and to convince a user to perform an action that triggers the flaw. From a defensive perspective, the attack chain typically begins with an attacker placing a malicious file or interacting with a compromised MMC snap-in. The attacker then relies on social engineering or an existing foothold to induce the user to open or interact with the crafted content. Because the exact mechanics are not publicly disclosed in detail, defenders should assume that any unexpected MMC invocation from untrusted sources is suspicious. Organizations should treat this as an active threat: it is present in CISA's Known Exploited Vulnerabilities catalog and has been flagged as exploited in the EU since March 11, 2025.
Affected and Patched Versions
This vulnerability affects a broad range of Windows client and server operating systems. Affected products include:
- Windows 10 versions 1507, 1607, 1809, 21H2, and 22H2
- Windows 11 versions 22H2, 23H2, and 24H2
- Windows Server 2008 SP2 and R2 SP1
- Windows Server 2012 and 2012 R2
- Windows Server 2016, 2019, and 2022
- Windows Server 2022 23H2
- Windows Server 2025
Microsoft has released security updates through the Microsoft Security Response Center. Administrators should verify patch status through the official MSRC advisory listed in the References section.
Remediation
Primary remediation is to apply the Microsoft security updates for CVE-2025-26633 as soon as possible. Until patching is complete, organizations should implement the following compensating controls:
- Restrict local access to sensitive systems and enforce the principle of least privilege.
- Enable and review User Account Control (UAC) prompts to reduce the likelihood of successful bypass.
- Train users to avoid opening unexpected files or snap-ins, especially from untrusted sources.
- Consider using application control policies to limit which MMC snap-ins can execute.
- Deploy the mitigation script referenced by Vicarius if available for your environment.
Detection
Defenders can monitor for anomalous MMC process launches, especially when initiated by unusual parent processes or from non-standard directories. Look for mmc.exe spawning with unexpected command-line arguments or loading snap-ins from user-writable paths. The Vicarius community has published a detection script that can help identify exploitation attempts. Additionally, endpoint detection and response (EDR) platforms should be tuned to alert on mmc.exe behavior that deviates from known administrative baselines.
Assessment
This vulnerability carries significant risk due to its presence in the CISA Known Exploited Vulnerabilities catalog and its high EPSS percentile. The fact that it is actively exploited in the wild, with EU exploitation confirmed since March 11, 2025, means that unpatched systems are under immediate threat. Two lessons stand out: first, even local attack vectors with user interaction requirements can be weaponized when paired with social engineering or initial access techniques; second, core Windows administrative tools like MMC require the same rigorous input validation as externally facing applications.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
- https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-mitigation-script
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26633
Frequently asked questions
- What is CVE-2025-26633?
- Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.
- How severe is CVE-2025-26633?
- CVE-2025-26633 has a CVSS 3.x base score of 7.0, rated high severity. It is exploitable over local access with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-26633 being actively exploited?
- Yes. CVE-2025-26633 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-03-11, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-26633?
- CVE-2025-26633 primarily affects Microsoft Windows 10 1507. In total, 28 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-26633?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-26633 have an EU (EUVD) identifier?
- Yes. CVE-2025-26633 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-6311. It is also flagged as exploited in the EUVD (since 2025-03-11).
- When was CVE-2025-26633 published?
- CVE-2025-26633 was published on 2025-03-11 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
- https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2025-26633-security-feature-bypass-in-microsoft-management-console-mitigation-script
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26633
Affected products (28)
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:arm64:*
- cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
- cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
- cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:x64:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-707 (Improper Neutralization) vulnerabilities
- CVE-2023-46689 — High (CVSS 8.8): Improper neutralization in Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to…
- CVE-2023-42773 — High (CVSS 8.8): Improper neutralization in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to…
- CVE-2026-4249 — High (CVSS 8.6): The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without…
- CVE-2024-43572 — High (CVSS 7.8): Microsoft Management Console Remote Code Execution Vulnerability
- CVE-2019-10052 — High (CVSS 7.5): An issue was discovered in Suricata 4.1.3. If the network packet does not have the right length, the parser tries to…
- CVE-2018-3918 — High (CVSS 7.5): An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version…
Browse all CWE-707 (Improper Neutralization) vulnerabilities →