CVE-2025-26633

ENISA EUVD: EUVD-2025-6311 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 10 articles

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

45.32%

probability

This CVE has a 45.32% probability of being exploited in the next 30 days.

0% Top 97.7th percentile of all CVEs 100%

CVSS v3.1

Source: NVD

7.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Temporal

Exploit Code Maturity

Functional

Remediation Level

Official Fix

Report Confidence

Confirmed

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Description

Project Zero

Microsoft Management Console Security Feature Bypass

Affected Products

Microsoft

Windows Server 2022

10.0.20348.0 <10.0.20348.3328

Microsoft

Windows Server 2012

6.2.9200.0 <6.2.9200.25368

Microsoft

Windows Server 2008 Service Pack 2

6.0.6003.0 <6.0.6003.23168

Microsoft

Windows 10 Version 21H2

10.0.19044.0 <10.0.19044.5608

Microsoft

Windows Server 2012 R2 (Server Core installation)

6.3.9600.0 <6.3.9600.22470

Microsoft

Windows Server 2008 Service Pack 2 (Server Core installation)

6.0.6003.0 <6.0.6003.23168

Microsoft

Windows Server 2008 R2 Service Pack 1 (Server Core installation)

6.1.7601.0 <6.1.7601.27618

Microsoft

Windows 10 Version 22H2

10.0.19045.0 <10.0.19045.5608

Microsoft

Windows 11 Version 24H2

10.0.26100.0 <10.0.26100.3476

Microsoft

Windows Server 2025

10.0.26100.0 <10.0.26100.3476

Microsoft

Windows Server 2012 R2

6.3.9600.0 <6.3.9600.22470

Microsoft

Windows Server 2016

10.0.14393.0 <10.0.14393.7876

Microsoft

Windows 10 Version 1607

10.0.14393.0 <10.0.14393.7876

Microsoft

Windows 10 Version 1507

10.0.10240.0 <10.0.10240.20947

Microsoft

Windows 11 Version 23H2

10.0.22631.0 <10.0.22631.5039

Microsoft

Windows Server 2019 (Server Core installation)

10.0.17763.0 <10.0.17763.7009

Microsoft

Windows Server 2022, 23H2 Edition (Server Core installation)

10.0.25398.0 <10.0.25398.1486

Microsoft

Windows 11 version 22H3

10.0.22631.0 <10.0.22631.5039

Microsoft

Windows Server 2012 (Server Core installation)

6.2.9200.0 <6.2.9200.25368

Microsoft

Windows Server 2016 (Server Core installation)

10.0.14393.0 <10.0.14393.7876

Microsoft

Windows Server 2008 Service Pack 2

6.0.6003.0 <6.0.6003.23168

Microsoft

Windows 11 version 22H2

10.0.22621.0 <10.0.22621.5039

Microsoft

Windows 10 Version 1809

10.0.17763.0 <10.0.17763.7009

Microsoft

Windows Server 2025 (Server Core installation)

10.0.26100.0 <10.0.26100.3476

Microsoft

Windows 10 Version 21H2

10.0.19043.0 <10.0.19044.5608

Microsoft

Windows Server 2008 R2 Service Pack 1

6.1.7601.0 <6.1.7601.27618

Microsoft

Windows Server 2019

10.0.17763.0 <10.0.17763.7009

Attack Intelligence

CWE-707 · Improper Neutralization

Google Project Zero

Patched

March 11, 2025

Reported by

Aliakbar Zahravi with Trend Micro

Root Cause Analysis

???

Exploits & PoC

mbanyamer/MSC-EvilTwin-Local-Privilege-Escalation

CVE-2025-26633 (CVSS 7.8) – Zero-day MMC .msc EvilTwin LPE actively exploited by Water Gamayun APT. PoC creates local admin via malicious MSC file on

1 repo — triés par ⭐ Rechercher sur GitHub ↗

URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days

TheHackerNews

Microsoft and Adobe Patch Tuesday, March 2025 Security Update Review

Qualys Mar 11, 2025

EncryptHub's dual life: Cybercriminal vs Windows bug-bounty researcher

BleepingComputer Apr 07, 2025

Microsoft patches Windows Kernel zero-day exploited since 2023

BleepingComputer Mar 12, 2025

Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws

BleepingComputer Mar 11, 2025

EncryptHub linked to MMC zero-day attacks on Windows systems

BleepingComputer Mar 25, 2025

⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More

TheHackerNews

Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws

TheHackerNews

EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

TheHackerNews

Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

TheHackerNews

Signal Intelligence

Confidenceⓘ

82%

EPSS 45.32%

CVSS v3.1 7.0

Mentions 10

Last Seen Apr 07, 2025

CNA Information

Analyst Note

CVE-2025-26633 demonstrates strong confirmation signals: inclusion in Google Project Zero, CVSS 7.0 severity rating, and multiple credible sources (BleepingComputer) reporting active exploitation by threat actors like EncryptHub. The vulnerability affecting Microsoft Management Console with local privilege bypass capability aligns with documented attack patterns, justifying the confirmed status despite CISA KEV non-listing.