Exposures › CVE-2025-26633
CVE-2025-26633
An unpatched MMC vulnerability in Windows allows local attackers to bypass security features, and it is actively exploited in the wild.
Microsoft's Windows Management Console (MMC) contains an improper neutralization vulnerability that lets unauthorized attackers bypass local security controls. Because it is in CISA's KEV catalog and ransomware-linked, DIB organizations must ensure this is patched immediately to prevent local privilege escalation and lateral movement. Failure to patch exposes systems to active exploitation, violating CMMC/NIST 800-171 requirements for timely patching and increasing the risk of ransomware compromise.
Shame score — The vulnerability is actively exploited in the wild, linked to ransomware, and remains unpatched in the KEV catalog, indicating severe negligence and avoidable risk.
Players implicated
Description
Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally.
Affected FedRAMP products 4 in the catalog
| Product | Provider | Status | Match |
|---|---|---|---|
| Azure Commercial Cloud | Microsoft | Authorized | vendor-exact · 0.90 |
| Azure Government (includes Dynamics 365) | Microsoft | Authorized | vendor-exact · 0.90 |
| Microsoft Office 365 GCC High | Microsoft | In Process | vendor-exact · 0.90 |
| Office 365 Multi-Tenant & Supporting Services | Microsoft | Authorized | vendor-exact · 0.90 |