Background
Microsoft Management Console (MMC) is the host for Windows administrative snap-ins — things like Event Viewer, Device Manager, Group Policy Editor, and hundreds of third-party management tools. MMC files (.msc) are executable in the sense that opening them runs the snap-in they reference, and malicious .msc files have been used as attack vectors historically.
CVE-2025-26633 was patched in March 2025 and confirmed as actively exploited before the patch. Trend Micro researchers attributed exploitation to EncryptHub (also tracked as LARVA-208 and Water Gamayun), a threat actor associated with multi-stage malware delivery. The bypass is specifically designed to evade Windows security features that would normally warn users about potentially dangerous files.
Technical Mechanism
When MMC opens a .msc file, Windows applies security checks — including SmartScreen or related Mark of the Web (MotW) checks — to determine whether to warn the user. CVE-2025-26633 is a flaw in how MMC handles certain .msc file structures or associated metadata, and a crafted file can use it to bypass these security checks.
The bypass works through a crafted .msc file that manipulates the way MMC resolves custom snap-in paths or resources:
- A malicious .msc file is crafted to reference a custom or specially constructed MMC snap-in
- When the file is processed by MMC, the security check that should flag the file as potentially dangerous is bypassed
- MMC proceeds to execute the referenced snap-in or payload without displaying a warning
- The payload — in EncryptHub’s case, typically a downloader for further malware — executes
The exploit path bypasses user-facing security warnings, so users see nothing unusual. The .msc file may even look like a legitimate management tool.
Real-World Exploitation Evidence
Trend Micro’s research on EncryptHub campaigns identified this zero-day:
- EncryptHub (LARVA-208 / Water Gamayun) — a financially motivated threat actor using sophisticated phishing campaigns and living-off-the-land techniques
- Multi-stage malware delivery — the MMC bypass was used to deliver a downloader, which then retrieved secondary payloads including remote access trojans and information stealers
- Phishing delivery — malicious .msc files delivered via phishing emails, sometimes disguised as legitimate management tools
- EncryptHub Stealer — the actor’s custom information stealer, harvesting credentials and browser data
- Rhadamanthys / SilentPrism — additional payloads observed in EncryptHub campaigns leveraging this vulnerability
Targeting was broad rather than narrowly focused, suggesting the exploit was being used for opportunistic access across multiple target types.
Impact Assessment
- Malware execution without security warning — users see no SmartScreen/security warning
- Credential theft — EncryptHub Stealer and Rhadamanthys harvest stored credentials, cookies, and crypto wallet data
- Remote access — RAT payloads maintain persistent access to compromised systems
- Supply chain potential — if a threat actor can compromise an admin who regularly uses .msc files, the impact is significantly elevated
- Trusted file type abuse — .msc files are used by IT administrators; blocking them broadly is often not feasible in managed enterprise environments
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Windows 10 (21H2, 22H2) | Before March 2025 patches | KB5053606 |
| Windows 11 (22H2, 23H2, 24H2) | Before March 2025 patches | KB5053602, KB5053603 |
| Windows Server 2019 | Before March 2025 patches | KB5053596 |
| Windows Server 2022 | Before March 2025 patches | KB5053622 |
| Windows Server 2025 | Before March 2025 patches | KB5053598 |
Remediation Steps
- Apply March 2025 Patch Tuesday updates
- If .msc files arrive via email or are downloaded from the internet, configure the email gateway to quarantine them; .msc files have very limited legitimate use as email attachments
- Deploy AppLocker or WDAC rules to restrict MMC to loading only approved snap-ins:
  # AppLocker publisher rule for legitimate MMC snap-ins
  # Block unsigned or non-whitelisted .msc files from running
- Monitor for EncryptHub IOCs on endpoints:
  - Check threat intel feeds for current EncryptHub infrastructure hashes and IPs
  - Enable PowerShell script block logging and AMSI logging to detect post-exploitation activity
Detection Guidance
File monitoring — alert on .msc files:
- Downloaded from the internet (MotW tagged)
- Received as email attachments
- Located in unusual directories (temp, downloads, user profile)
Process monitoring — look for mmc.exe executing with unusual parameters or spawning unexpected child processes:
process_name = "mmc.exe" AND (
child_process_name IN ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe") OR
parent_process_name NOT IN ("explorer.exe", "mmc.exe")
)
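As an added example (not part of the original advisory), the process-lineage rule above together with the file-location bullets from the file-monitoring section, implemented in Python over constructed Event ID 4688-style records; every path, user and file name in the sample data is made up.

```python
# Added example (not from the advisory): the mmc.exe lineage rule above,
# applied to constructed Event ID 4688-style records. Fields mirror 4688's
# NewProcessName / ParentProcessName (creator) / CommandLine.
import re
from dataclasses import dataclass

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
EXPECTED_MMC_PARENTS = {"explorer.exe", "mmc.exe"}
# Locations from the "File monitoring" bullets: temp, downloads, user profile.
UNUSUAL_MSC_PATH = re.compile(r'\\(temp|downloads|appdata)\\[^"]*\.msc\b', re.IGNORECASE)

@dataclass(frozen=True)
class ProcessEvent:
    new_process_name: str     # full image path of the created process
    parent_process_name: str  # creator process image path
    command_line: str

def image_name(path: str) -> str:
    """Bare executable name, lower-cased, so rules compare names not paths."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return (rule_name, event) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        child = image_name(ev.new_process_name)
        parent = image_name(ev.parent_process_name)
        # Rule clause 1: mmc.exe spawning a shell or script host.
        if parent == "mmc.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(("mmc_spawns_shell", ev))
        # Rule clause 2: mmc.exe started by something other than its usual launchers.
        if child == "mmc.exe" and parent not in EXPECTED_MMC_PARENTS:
            hits.append(("mmc_unexpected_parent", ev))
        # File-monitoring bullet: .msc opened from a temp/download/profile directory.
        if child == "mmc.exe" and UNUSUAL_MSC_PATH.search(ev.command_line):
            hits.append(("msc_from_unusual_dir", ev))
    return hits

# Constructed sample telemetry; every path, user and file name is illustrative.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mmc.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\mmc.exe", r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\s2.ps1"),
    ProcessEvent(r"C:\Windows\System32\mmc.exe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\Invoice.msc"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs"),
]
```

Running `evaluate(SAMPLE_EVENTS)` flags the PowerShell child of mmc.exe once and the Outlook-launched mmc.exe twice (unexpected parent plus .msc under AppData\Local\Temp), while the Event Viewer launch and the svchost record produce no hits.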
Windows Event Logs:
- Event ID 4688: Process creation with mmc.exe as parent to unexpected children
- AppLocker events if block rules are in place
Suricata signature:
alert http any any -> any any (msg:"Possible EncryptHub/CVE-2025-26633 Payload Delivery"; flow:established,from_server; file.data; content:"MZ"; offset:0; depth:2; file.name; content:".msc"; endswith; classtype:web-application-attack; sid:2034024; rev:1;)
Timeline
| Date | Event |
|---|---|
| 2025 (pre-patch) | EncryptHub exploits CVE-2025-26633 as zero-day |
| March 2025 | Trend Micro discovers active exploitation and reports to Microsoft |
| 11 March 2025 | Microsoft patches CVE-2025-26633 in March Patch Tuesday |
| March 2025 | CISA adds CVE-2025-26633 to its Known Exploited Vulnerabilities catalogue |
| March 2025 | Trend Micro publishes analysis of EncryptHub campaigns |