New Dangerous Vulnerability Discovered in Windows MMC
A new security vulnerability, CVE-2025-26633, has been discovered in the Microsoft Management Console (MMC), which is being actively exploited by the Russian hacker group Water Gamayun (also known as EncryptHub and Larva-208). This vulnerability allows attackers to bypass Windows security mechanisms and execute malicious code.
The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog and has urged federal agencies to address the issue by April 1, 2025.
CVE-2025-26633 is a zero-day vulnerability found in the Microsoft Management Console (MMC) software. Hackers exploit this vulnerability by manipulating .msc files and the Multilingual User Interface Path (MUIPath) function, allowing them to run malicious code with administrative privileges on Windows systems.
According to Trend Micro researcher Aliakbar Zahravi, the Water Gamayun group is using an attack method called “MSC EvilTwin” to exploit this vulnerability. This technique disguises malicious programs as legitimate administrative tools, making it difficult to detect.
Exploiting CVE-2025-26633 can lead to several security threats:
✅ Deployment of Malware – Ransomware or spyware could be installed on the system.
✅ Data Theft – Sensitive documents, passwords, and other confidential information could be stolen.
✅ Lateral Movement in the Network – Hackers could move between computers within a network, compromising the entire infrastructure.
✅ Long-Term Control – Attackers could maintain hidden access to systems for extended periods.
The severity of this threat is highlighted by the fact that in the March Patch Tuesday update, Microsoft addressed CVE-2025-26633 along with six other actively exploited zero-day vulnerabilities.
To mitigate the risks associated with CVE-2025-26633, organizations and users should take the following security measures:
1️⃣ Install Security Updates
Immediately install the latest security patches from Microsoft. This is especially important for systems using MMC for remote administration.
2️⃣ Restrict Network Access to MMC
Limit or completely disable network access to MMC ports to make lateral movement within the network more difficult for attackers.
3️⃣ Limit User Privileges
Reduce the number of users with administrative privileges and audit MMC usage to ensure access is granted only when absolutely necessary.
4️⃣ Enable Security Monitoring and Analysis
Activate security monitoring systems and track suspicious MMC activity and abnormal process executions.
5️⃣ Disable Remote MMC Access
If immediate patching is not possible, temporarily disable remote MMC access. However, this may affect some IT operations.
The CVE-2025-26633 vulnerability poses a significant cybersecurity threat and is already being actively exploited by hackers. Organizations and users can effectively protect themselves by installing updates, restricting MMC access, and strengthening security monitoring.
🔴 Reminder! To maintain security, always install updates promptly and limit user privileges. As hackers continuously improve their attack techniques, we must reinforce our defenses!
