Winsage
March 12, 2025
CISA has identified a critical vulnerability in Microsoft Windows Management Console (MMC), designated as CVE-2025-26633, which allows remote attackers to execute arbitrary code due to improper input sanitization. This vulnerability is included in CISA's Known Exploited Vulnerabilities catalog, and federal agencies must address it by April 2, 2025, as per Binding Operational Directive 22-01. Microsoft has released an out-of-band patch on March 10, 2025, to improve input validation in mmc.exe. Organizations are advised to prioritize patching, restrict MMC access, and monitor for exploitation.
