Microsoft MMC MSC EvilTwin - Local Admin Creation Exploit

Significant risk: action recommended within 24-48 hours
Basically, a flaw in Windows lets attackers create admin accounts by getting a user to open a malicious file.
A new vulnerability in Microsoft MMC allows attackers to create local admin accounts through malicious files. This affects Windows 10 and 11 users. Immediate patching is crucial to prevent unauthorized access.
The Flaw
A newly discovered vulnerability, identified as CVE-2025-26633, affects Microsoft Management Console (MMC) on Windows systems. This flaw allows attackers to create a local administrator account through a malicious .msc file. The vulnerability has a CVSS score of 7.8, indicating a high severity level.
What's at Risk
The exploit can lead to arbitrary code execution with the privileges of the user opening the malicious file. This means that if an unsuspecting user executes the file, an attacker can gain full administrative access to the system. The vulnerability affects all editions of Windows 10 and 11, as well as Windows Server 2016-2025.
Patch Status
Microsoft has released patches addressing this vulnerability in their March 2025 Patch Tuesday updates. Users are advised to apply updates such as KB5053602 and later to mitigate the risk of exploitation.
Immediate Actions
To protect your systems, follow these steps:
- Apply the latest Microsoft patches immediately.
- Monitor for unusual account creations or administrative access on your systems.
- Educate users about the risks of executing unknown files, especially .msc files.
Exploit Details
The exploit involves creating a malicious .msc file that, when executed, silently adds a local administrator account named "hacker" with a preset password. This method is a post-exploitation technique commonly used in real-world attacks, including those attributed to the Water Gamayun APT group.
Conclusion
The CVE-2025-26633 vulnerability represents a significant threat to unpatched Windows systems. Immediate action is necessary to prevent unauthorized access and potential data breaches. Ensure your systems are updated and educate your users to recognize potential threats.
How to Check If You're Affected
1. Check for the presence of unauthorized local administrator accounts.
2. Review system logs for unusual activity related to account creation.
3. Ensure that the latest Microsoft patches are applied to all systems.
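The three checks above as one PowerShell script; this is an added example, not part of the advisory. It assumes an elevated session, that account-management auditing is enabled on the Security log, and it takes the account name ("hacker") and patch (KB5053602) from the advisory text.

```powershell
# Added example (not from the advisory): run the three checks above on one host.
# Assumptions: executed in an elevated PowerShell session; account-management
# auditing is enabled on the Security log; the KB number comes from the advisory.
$SuspectNames = @('hacker')      # account name the advisory says the .msc file creates
$RequiredKB   = 'KB5053602'      # patch named in the advisory
$LookbackDays = 7

# 1. Local Administrators group: list members and flag the advisory's account name.
"== Local Administrators members =="
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]
    $flag  = if ($SuspectNames -contains $short) { '  <-- matches advisory IoC' } else { '' }
    '{0,-40} {1,-12}{2}' -f $_.Name, $_.ObjectClass, $flag
}

# 2. Security log: 4720 = user account created, 4732 = member added to a
#    security-enabled local group. Fields are read by name from the event XML so
#    the positional layout of each event ID does not matter.
"`n== Account creations / local group additions, last $LookbackDays days =="
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$LookbackDays) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_                      # keep the event; switch rebinds $_ to the tested value
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    switch ($evt.Id) {
        4720 { '{0} 4720 created account "{1}" by {2}' -f $evt.TimeCreated, $data['TargetUserName'], $data['SubjectUserName'] }
        4732 { '{0} 4732 added member {1} ({2}) to group "{3}" by {4}' -f $evt.TimeCreated,
                   $data['MemberName'], $data['MemberSid'], $data['TargetUserName'], $data['SubjectUserName'] }
    }
}

# 3. Patch status. Get-HotFix only lists updates still present in the update
#    history, so a later cumulative update that supersedes this KB may hide it;
#    treat "not listed" as "verify through Windows Update", not as proof of exposure.
"`n== Patch check =="
$kb = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue
if ($kb) { "$RequiredKB installed on $($kb.InstalledOn)" }
else     { "$RequiredKB not listed; confirm the March 2025 or later cumulative update is installed" }
```

A hit on the account name or an unexplained 4720/4732 from an interactive user session is the point to escalate; an empty result only shows nothing was logged in the lookback window.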
MITRE ATT&CK Techniques
Pro insight: The exploitation of this vulnerability highlights the need for rigorous patch management and user education to prevent unauthorized access.