CVE-2025-26633 PoC — Microsoft Management Console Security Vulnerability

Source
Associated Vulnerability
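Title: Microsoft Management Console Security Vulnerability (CVE-2025-26633)
Description: Microsoft Management Console is a general-purpose management console framework from Microsoft (USA), used to host and manage various system administration tools (called console plug-ins or snap-ins). Microsoft Management Console has a security vulnerability. An attacker can exploit this vulnerability to bypass certain features. The following products and versions are affected: Windows Server 2016 (Server Core installation), Windows Server 2008 for 32-bit Systems Service Pack 2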
Description
CVE-2025-26633 (CVSS 7.8) – Zero-day MMC .msc EvilTwin LPE actively exploited by Water Gamayun APT. PoC creates local admin via malicious MSC file on unpatched Windows 10/11/Server. Patched March 2025. Authorized testing only.
Readme
# CVE-2025-26633 - Microsoft Management Console (.msc) EvilTwin Local Privilege Escalation PoC

> **Zero-day at time of disclosure (March 2025)** – Actively exploited in the wild by Water Gamayun APT  
> **ONLY FOR AUTHORIZED SECURITY TESTING AND RESEARCH**

![](https://img.shields.io/badge/CVSS-7.8%20High-red)
![](https://img.shields.io/badge/CVE-2025--26633-critical)
![](https://img.shields.io/badge/Platform-Windows-blue)
![](https://img.shields.io/badge/Type-Local%20Privilege%20Escalation-orange)

## Vulnerability Details

- **Exploit Title**: Microsoft Management Console (MMC) - MSC EvilTwin Local Privilege Escalation / Arbitrary Code Execution  
- **CVE**: [CVE-2025-26633](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633)  
- **CVSS v3.1**: `7.8` (High) – `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`  
- **Affected Systems**:  
  - Windows 10 (all editions)  
  - Windows 11 (all editions)  
  - Windows Server 2016 – 2025  
  → **Unpatched systems before March 2025 Patch Tuesday**  
- **Patched in**: March 2025 updates (e.g., KB5053602 and later)  
- **Discovery & Disclosure**: Coordinated via Zero Day Initiative  
- **ZDI Advisory**: [ZDI-25-150](https://www.zerodayinitiative.com/advisories/ZDI-25-25-150/)  
- **Microsoft Advisory**: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633

## Author

- **Mohammed Idrees Banyamer**  
  Jordan | Security Researcher  
  Instagram: [@banyamer_security](https://instagram.com/banyamer_security)  
  GitHub: [https://github.com/mbanyamer](https://github.com/mbanyamer)

## Proof of Concept

This repository contains a **proof-of-concept exploit** that demonstrates arbitrary command execution via a malicious `.msc` (MMC snap-in) file.

When a low-privileged user opens the crafted `.msc` file using `mmc.exe`, the embedded `RunCommand` action is executed **with the user's privileges** — allowing post-exploitation lateral movement or privilege escalation in certain attack chains.

The current PoC silently creates a local administrator account:

- Username: `hacker`
- Password: `P@ssw0rd123!`
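
Added example (not part of the original README or the PoC): a defender-side correlation of the outcome described above, a new local account added to Administrators shortly after `mmc.exe` spawns a child process. It assumes Security-log events 4688, 4720 and 4732 have already been parsed into dicts; the sample events, the function name and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"    # well-known SID of BUILTIN\Administrators
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

# Constructed sample events (not from a real host): Security-log records
# already parsed into dicts keyed by the standard event field names.
EVENTS = [
    {"id": 4688, "time": "2025-03-01T10:00:00",
     "ParentProcessName": r"C:\Windows\System32\mmc.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": 4720, "time": "2025-03-01T10:00:02",
     "TargetUserName": "hacker", "TargetSid": "S-1-5-21-1-2-3-1005"},
    {"id": 4732, "time": "2025-03-01T10:00:03",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1005"},
    # Benign noise: an account that is never added to Administrators.
    {"id": 4720, "time": "2025-03-01T12:00:00",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1006"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_local_admins(events, window=WINDOW):
    """Flag accounts created (4720) and added to Administrators (4732) within
    `window`; severity is high if mmc.exe spawned a process (4688) just before."""
    created = {e["TargetSid"]: e for e in events if e["id"] == 4720}
    mmc_children = [e for e in events if e["id"] == 4688 and
                    e.get("ParentProcessName", "").lower().endswith("\\mmc.exe")]
    alerts = []
    for add in (e for e in events if e["id"] == 4732):
        new = created.get(add.get("MemberSid"))
        if add.get("TargetSid") != ADMINS_SID or new is None:
            continue
        if not timedelta(0) <= _ts(add) - _ts(new) <= window:
            continue
        spawned = [p["NewProcessName"] for p in mmc_children
                   if timedelta(0) <= _ts(new) - _ts(p) <= window]
        alerts.append({"account": new["TargetUserName"],
                       "added_at": add["time"],
                       "mmc_children": spawned,
                       "severity": "high" if spawned else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_admins(EVENTS):
        print(alert)
```

The 4688 parent-process and command-line fields are only populated when process-creation auditing is enabled on the host.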

### Usage 

```bash
python3 cve-2025-26633_poc.py
```

File Snapshot

```
[4.0K] /data/pocs/0bb40d6f35bee16f1bcda1ce623f3ee52f311abb
├── [3.5K] CVE-2025-26633_mmc_addadmin.py
├── [ 34K] LICENSE
└── [2.1K] README.md

1 directory, 3 files
```