Microsoft MMC MSC EvilTwin Exploit Enables Silent Local Administrator Creation on Unpatched Windows 10/11 and Server Systems
What Happened — A publicly disclosed exploit for CVE‑2025‑26633 uses a crafted .msc (Microsoft Management Console) file to silently add a local administrator account on vulnerable Windows installations. The technique is a living‑off‑the‑land post‑exploitation method (mmc.exe launches the payload, so no new binary is dropped) and has been observed in the wild by the Water Gamayun APT group.
Why It Matters for TPRM —
- Unpatched Windows endpoints in third‑party environments become a foothold for attackers, threatening the broader supply chain.
- Automatic creation of a privileged local account enables lateral movement, ransomware deployment, and data exfiltration against client data.
- The only trigger is a user opening the crafted .msc file, which raises the risk for remote‑support and managed‑service relationships where console files and admin tooling are routinely exchanged.
Who Is Affected — Organizations running Windows 10 (all editions), Windows 11 (all editions), and Windows Server 2016‑2025 that have not applied the March 2025 security updates; Managed Service Providers (MSPs), cloud‑hosted workloads, and any vendor supplying Windows‑based desktops or servers.
Recommended Actions —
- Verify that all Windows assets have installed the March 2025 patches (e.g., KB5053602 or later).
- Enforce least‑privilege policies and block execution of .msc files from untrusted locations.
- Update endpoint detection and response (EDR) rules to alert on creation of unknown local admin accounts.
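The three recommended actions, turned into a single host triage script. This is an added example, not code from the advisory or from the exploit author, and it is meant to be run elevated on one Windows endpoint. The KB list, the allow‑list of expected administrators and the 7‑day look‑back are placeholders (assumptions, not from the page) that an MSP or vendor would adjust per OS build and per tenant.

```powershell
# Added example (not from the advisory or the exploit author): host triage for
# the three recommended actions. Run in an elevated Windows PowerShell session.
# Assumptions: $ExpectedKBs, $ExpectedAdmins and $LookBackDays are placeholders.

$ExpectedKBs    = @('KB5053602')                 # March 2025 LCU for Win11 22H2/23H2; add the KB for each build you run
$ExpectedAdmins = @('Administrator', 'Domain Admins')   # hypothetical allow-list of expected members
$LookBackDays   = 7

function Test-MarchPatch {
    # Get-HotFix reads Win32_QuickFixEngineering, which can lag or omit cumulative
    # updates; treat a miss as "verify manually", not as "confirmed vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ExpectedKBs) {
        if ($installed -contains $kb) { return "$kb present" }
    }
    return "none of [$($ExpectedKBs -join ', ')] found; confirm the OS build with winver"
}

function Get-UnexpectedLocalAdmins {
    # Members come back as COMPUTER\name or DOMAIN\name; compare on the bare name.
    # Orphaned SIDs in the group can make this cmdlet error on some builds, so keep going.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name.Split('\')[-1] } |
        Where-Object { $ExpectedAdmins -notcontains $_ }
}

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Map <Data Name="..."> fields by name instead of relying on positional indexes.
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

function Resolve-Sid {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Get-SuspiciousAccountEvents {
    # 4720 = user account created; 4732 = member added to a security-enabled local group.
    $since  = (Get-Date).AddDays(-$LookBackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if ($e.Id -eq 4720) {
            [pscustomobject]@{ Time = $e.TimeCreated; Event = 'UserCreated'; Target = $d['TargetUserName']; By = $d['SubjectUserName'] }
        } elseif ($d['TargetUserName'] -eq 'Administrators') {
            [pscustomobject]@{ Time = $e.TimeCreated; Event = 'AddedToAdministrators'; Target = (Resolve-Sid $d['MemberSid']); By = $d['SubjectUserName'] }
        }
    }
}

function Get-MmcSpawnedShells {
    # 4688 requires "Audit Process Creation"; the CommandLine field is only populated
    # when command-line auditing is also enabled. Parent/child pairing is what matters:
    # a console file should not be starting a shell.
    $since  = (Get-Date).AddDays(-$LookBackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if ($d['ParentProcessName'] -like '*\mmc.exe' -and $d['NewProcessName'] -match '\\(powershell|pwsh|cmd)\.exe$') {
            [pscustomobject]@{ Time = $e.TimeCreated; Child = $d['NewProcessName']; CommandLine = $d['CommandLine'] }
        }
    }
}

Write-Host "Patch status: $(Test-MarchPatch)"
Write-Host "Unexpected members of Administrators:"; Get-UnexpectedLocalAdmins
Write-Host "Account creation / admin-group changes (last $LookBackDays days):"; Get-SuspiciousAccountEvents | Format-Table -AutoSize
Write-Host "Shells spawned by mmc.exe (last $LookBackDays days):"; Get-MmcSpawnedShells | Format-Table -AutoSize
```

The event queries are only as good as the audit policy: if 4688 is not being generated, the mmc.exe to shell check silently returns nothing, so confirm with `auditpol /get /subcategory:"Process Creation"` before trusting an empty result. For fleet use, the same functions can be run through Invoke-Command against the hosts a vendor manages.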
Technical Notes — Attack vector: malicious .msc file opened locally (local privilege escalation). CVE‑2025‑26633 CVSS 7.8 High. Payload adds a “hacker” local user and adds it to the Administrators group via PowerShell. Advisory: ZDI‑25‑25‑150. Source: https://www.exploit-db.com/exploits/52498
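Because an .msc console file is an XML document, a file‑level triage check is possible alongside the host checks: parse any console file found in user‑writable locations and flag those whose strings carry a command line or script. The script below is an added example, not part of the advisory or the published PoC. The indicator list is an assumption, and the inline sample .msc is constructed for the run; its element names are illustrative and do not reproduce the real MMC console schema or the exploit file.

```powershell
# Added example (not from the advisory or the exploit author): triage scanner
# for .msc console files. Parses each file as XML and flags string/attribute
# values that carry shell or script indicators. Indicator list and the sample
# console below are constructed for this example.

$Indicators = @(
    'powershell', 'pwsh', 'cmd.exe', 'cmd /c', 'net user', 'net localgroup',
    '-EncodedCommand', '-enc ', 'FromBase64String', 'mshta', 'rundll32', 'wscript', 'cscript'
)

function Get-MscStrings {
    param([string]$Path)
    # Every text node and attribute value; fall back to the raw bytes-as-text if the XML is malformed.
    $raw = Get-Content -Path $Path -Raw -ErrorAction Stop
    try {
        $xml   = [xml]$raw
        $nodes = $xml.SelectNodes('//text() | //@*')
        return @($nodes | ForEach-Object { $_.Value })
    } catch {
        return @($raw)
    }
}

function Test-MscFile {
    param([string]$Path)
    $hits = @()
    foreach ($s in (Get-MscStrings -Path $Path)) {
        foreach ($i in $Indicators) {
            if ($s -and $s.IndexOf($i, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits += [pscustomobject]@{ Indicator = $i; Context = $s.Substring(0, [Math]::Min(120, $s.Length)) }
            }
        }
    }
    [pscustomobject]@{ File = $Path; Suspicious = ($hits.Count -gt 0); Hits = $hits }
}

function Find-SuspiciousMsc {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Filter *.msc -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-MscFile -Path $_.FullName } |
        Where-Object { $_.Suspicious }
}

# Constructed sample (hypothetical layout): a console-like XML file carrying a
# PowerShell one-liner that mirrors the advisory's description of the payload.
$sampleDir = Join-Path $env:TEMP 'msc-triage-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
<?xml version="1.0" encoding="UTF-8"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Computer Management</String>
        <String ID="2">powershell -w hidden -c "net user hacker P@ssw0rd /add; net localgroup administrators hacker /add"</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
'@ | Set-Content -Path (Join-Path $sampleDir 'sample.msc') -Encoding UTF8

# Real use: point at Downloads, %TEMP%, and any shared folder a vendor drops tooling into.
Find-SuspiciousMsc -Folder $sampleDir | ForEach-Object {
    Write-Host "[!] $($_.File)"
    $_.Hits | Format-Table -AutoSize
}
```

On the constructed sample the scan reports hits for `powershell`, `net user` and `net localgroup`. A legitimate console file that merely names a snap‑in will produce no hits, so a match is a reason to quarantine and inspect, not proof of compromise; pair it with the block on .msc execution from untrusted paths recommended above.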