CVE-2025-26633 — Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability

Windows MMC — MSC EvilTwin .msc File Security Bypass; EncryptHub/Larva-208 Zero-Day; RansomHub Delivery

What is Windows Management Console (MMC)?

Microsoft Management Console (MMC, mmc.exe; CISA's KEV entry calls it Windows Management Console) is the framework that hosts administrative snap-ins, the management tools behind most built-in Windows administration consoles. Administrators reach those tools through console files (.msc): double-clicking compmgmt.msc (Computer Management) or gpedit.msc (Group Policy Editor) launches mmc.exe, which parses the file and loads the snap-ins it lists. A .msc file is an XML document describing the console tree, views, taskpads and a string table. The file itself is not signed code; what is trusted is mmc.exe, a signed Windows binary that interprets whatever the file tells it to load. That split, attacker-controlled data interpreted by a trusted administrative process, has been abused before: the GrimResource technique reported in 2024 turned crafted .msc files into a code-execution vehicle, and .msc lures belong to the same family as HTA smuggling, where a trusted host executes smuggled content instead of the user running a binary directly.

Overview

CVE-2025-26633 is an improper neutralization vulnerability (CWE-707) in how Microsoft Management Console handles .msc files; Microsoft classifies it as a security feature bypass. It was exploited in the wild through the "MSC EvilTwin" technique: a crafted console file that, when a user opens it, causes mmc.exe to load attacker-controlled content the clicked file never appeared to contain. The exploitation was the work of EncryptHub, a financially motivated, Russian-speaking threat actor (Trend Micro tracks the cluster as Water Gamayun, PRODAFT as Larva-208), who used it as a zero-day before the March 2025 Patch Tuesday to deliver Rhadamanthys, StealC and the group's own EncryptHub Stealer; RansomHub ransomware followed in some intrusions. CISA added the CVE to the KEV catalog on patch day, 11 March 2025.

Affected Versions

Product Vulnerable Fixed
Windows 10 (all supported) Before March 2025 cumulative update March 2025 cumulative update
Windows 11 (all supported) Before March 2025 cumulative update March 2025 cumulative update
Windows Server 2016–2025 Before March 2025 cumulative update March 2025 cumulative update

Technical Details

The MSC EvilTwin technique abuses improper neutralization (CWE-707) in the way mmc.exe resolves the console file it is asked to open. The "twin" is literal: the loader writes two .msc files with the same name, a clean decoy (the file the victim actually double-clicks) and a malicious copy in an en-US subfolder next to it. When mmc.exe opens the decoy, its multilingual-resource lookup (the MUIPath mechanism Windows uses to locate localized resources) resolves the same file name under the locale folder and loads the twin instead. The file that the user and any file-reputation check looked at is harmless; the content mmc.exe executes, inside a signed administrative process, is not. That is the sense in which the technique resembles HTA smuggling: execution is triggered through a trusted host rather than by running attacker code directly.

The crafted files are delivered by phishing (attachment or download link) or a compromised website; in the observed campaigns a PowerShell loader staged both files and then opened the decoy.

Key characteristics:

  • No privileges required (PR:N): any standard user account suffices
  • User interaction required (UI:R): the victim must open the decoy .msc
  • High attack complexity (AC:H): the twin layout and the console content must be staged correctly before the decoy is opened
  • Local attack vector (AV:L): the files must already be on the victim's machine, so email and web download are the delivery paths
  • Bypasses file-based security checks (Smart App Control, Mark-of-the-Web based restrictions) because the inspected file and the executed file are not the same file
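The file layout is the most concrete artifact defenders can look for. The following hunting script is an added example for this page (not code from Trend Micro, Microsoft or the EvilTwin loader): it walks a directory tree for a .msc that has a same-named .msc in a locale-named subfolder beside it, then pulls external references (URLs, script URIs) out of the twin's XML as a coarse triage signal. The sample tree, the trimmed console-file skeletons and the attacker.example host are constructed for the example; the locale-folder pattern and the external-reference regex are assumptions, not a Microsoft specification.

```python
"""Hunt for the MSC EvilTwin file layout.

Constructed example for this page. It looks for the on-disk signature of the
technique: a decoy console file (the one the victim opens) with a same-named
.msc in a locale-named subfolder next to it (en-US, de-DE, ...), which mmc.exe
resolves through its localized-resource (MUIPath) lookup.
"""
import os
import re
import tempfile
from pathlib import Path

# Locale folder names in the ll-CC form Windows MUI uses (en-US, de-DE, pt-BR).
# Assumption for this example; it is not an exhaustive locale grammar.
LOCALE_DIR = re.compile(r"^[a-z]{2,3}-[A-Za-z]{2,4}$")
# Things a console file should not need to point at: remote URLs and script URIs.
EXTERNAL_REF = re.compile(
    r"(https?://[^\s\"'<>]+|javascript:[^\"'<>]+|file://[^\s\"'<>]+)", re.IGNORECASE)


def find_twins(root):
    """Return [(decoy_path, twin_path), ...] for every .msc that has a same-named
    .msc in a locale-named subdirectory of its own directory. Names are compared
    case-insensitively, as NTFS does, so Console.msc / en-US/console.msc pairs."""
    pairs = []
    for dirpath, dirnames, filenames in os.walk(root):
        locale_dirs = [d for d in dirnames if LOCALE_DIR.match(d)]
        if not locale_dirs:
            continue
        for name in filenames:
            if not name.lower().endswith(".msc"):
                continue
            for loc in locale_dirs:
                for twin_name in os.listdir(os.path.join(dirpath, loc)):
                    if twin_name.lower() == name.lower():
                        pairs.append((os.path.join(dirpath, name),
                                      os.path.join(dirpath, loc, twin_name)))
    return sorted(pairs)


def triage_twin(path):
    """Sorted, de-duplicated external references found in a console file's XML."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return sorted({m.group(1) for m in EXTERNAL_REF.finditer(text)})


# Trimmed skeletons of a console file (constructed; real files carry far more state).
DECOY_XML = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""
TWIN_XML = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">https://attacker.example/stage2.msc</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""


def build_sample_tree():
    """Create a temp tree with one twin pair (Temp\\console.msc + Temp\\en-US\\console.msc)
    and one console file without a twin (Tools\\services.msc). Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="eviltwin_"))
    (root / "Temp" / "en-US").mkdir(parents=True)
    (root / "Tools" / "en-US").mkdir(parents=True)
    (root / "Temp" / "console.msc").write_text(DECOY_XML, encoding="utf-8")
    (root / "Temp" / "en-US" / "console.msc").write_text(TWIN_XML, encoding="utf-8")
    (root / "Tools" / "services.msc").write_text(DECOY_XML, encoding="utf-8")
    # A localized resource with a different name is not a twin.
    (root / "Tools" / "en-US" / "services.msc.mui").write_text("not a console file",
                                                             encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for decoy, twin in find_twins(sample_root):
        print(f"twin pair: {decoy} <-> {twin}")
        for ref in triage_twin(twin):
            print(f"  external reference in twin: {ref}")
```

Run it against user-writable locations (%TEMP%, Downloads, %LOCALAPPDATA%) and against any folder a suspicious mmc.exe command line pointed at. A pair is worth a look even when the twin holds no URL: the payload reference may be obfuscated or embedded in a way the regex does not anticipate.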

Discovery

Trend Micro's Zero Day Initiative identified the in-the-wild exploitation and reported it to Microsoft, which credited the researcher in its advisory. Microsoft attributed the activity to EncryptHub; Trend Micro published the technical analysis of the MSC EvilTwin loader under its own name for the group, Water Gamayun (PRODAFT tracks the same cluster as Larva-208).

Exploitation Context

EncryptHub (Trend Micro: Water Gamayun; PRODAFT: Larva-208) is a financially motivated, Russian-speaking threat actor first observed in late 2023 that runs information-stealing campaigns and acts as an affiliate for ransomware operations. It exploited CVE-2025-26633 in phishing campaigns delivering:

  • Rhadamanthys: information stealer targeting cryptocurrency wallets, credentials and browser data
  • StealC: credential and data stealer
  • EncryptHub Stealer: the group's own stealer
  • RansomHub ransomware: in targeted intrusions against high-value organizations

CISA's KEV entry marks the CVE as known to be used in ransomware campaigns, consistent with the RansomHub deployments. EncryptHub's targeting spanned multiple sectors; the .msc delivery vector works because many organizations do not block .msc attachments at the email gateway, and because the victim sees a management console open rather than an obviously executable binary.

Remediation

  1. Apply the March 2025 cumulative update. CISA's BOD 22-01 deadline for federal agencies was April 1, 2025; treat it as overdue everywhere.
  2. Block .msc attachments at the email gateway, including inside archives. Console files have no legitimate use as email attachments and can be quarantined outright.
  3. Keep Mark of the Web intact on downloaded files: it is what SmartScreen, Smart App Control and Office protections key on. Make sure mail clients and browsers apply it, that archive tools propagate it to extracted files, and that container formats which do not propagate it are blocked or unpacked with MOTW preserved. The pre-patch bypass is exactly why this is defense in depth and not a substitute for step 1.
  4. Enable Smart App Control on Windows 11 where possible. CVE-2025-26633 bypassed it before the patch; post-patch it remains a layered control against similar techniques.
  5. Monitor for the technique and for EncryptHub's payloads. Enable process creation auditing with command-line logging (Security event 4688, or Sysmon Event ID 1) and alert on mmc.exe opening a .msc outside %SystemRoot%\System32, on mmc.exe spawning cmd.exe, powershell.exe, mshta.exe or other script hosts, and on same-named .msc files where one copy sits in an en-US subfolder; hunt for Rhadamanthys, StealC and EncryptHub Stealer indicators.

Key Details

Property               Value
CVE ID                 CVE-2025-26633
Vendor / Product       Microsoft — Windows
NVD Published          2025-03-11
NVD Last Modified      2025-10-27
CVSS 3.1 Score         7.0
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-707 (Improper Neutralization)
CISA KEV Added         2025-03-11
CISA KEV Deadline      2025-04-01
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      High
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-04-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-03-11   Fixed in the March 2025 Patch Tuesday release; CISA adds the CVE to KEV (exploited as a zero-day); Microsoft attributes the activity to EncryptHub (Water Gamayun / Larva-208)
2025-04-01   CISA BOD 22-01 remediation deadline