A sophisticated campaign by Russian threat actors is exploiting a critical zero-day vulnerability in the Microsoft Management Console (MMC). Trend Research identified the Russian hacking group Water Gamayun (also known as EncryptHub and Larva-208) as the primary threat actor behind this campaign. The group has weaponized the vulnerability, dubbed “MSC EvilTwin,” to deliver a range of malicious payloads, including information stealers and backdoors. These tools enable the threat actors to maintain persistence on compromised systems and exfiltrate sensitive data to command-and-control servers.

The vulnerability, CVE-2025-26633, allows attackers to bypass security features and execute malicious code on targeted systems. By manipulating Microsoft Console (.msc) files and abusing the Multilingual User Interface Path (MUIPath) feature, attackers can trick the system into executing malicious code while appearing to run legitimate administrative tools. The vulnerability affects a wide range of Windows versions, with older systems like Windows Server 2016 and earlier being particularly at risk due to weaker default protections.

The severity of the threat is underscored by its inclusion in Microsoft’s March 2025 Patch Tuesday update, which addressed a total of six actively exploited zero-day vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory, adding CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog and mandating federal agencies to patch affected systems by April 1, 2025. Security experts warn that the impact of this vulnerability extends far beyond immediate code execution. With the potential for this vulnerability to be chained with other recently disclosed flaws affecting Windows file systems and kernel components, the urgency to address these security issues cannot be overstated.

Apply the latest security patches immediately, prioritizing systems using MMC for remote administration. As the security community continues to analyze the full scope of the Water Gamayun campaign, users are urged to stay informed and take immediate action to protect their systems from this significant threat. As attackers continue to refine their tactics and target critical system components, maintaining vigilant cybersecurity practices and prompt patching remains paramount for organizations and individuals alike.
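As an added example, not part of the original article or of Trend Research's reporting: a small Python scan for the MUIPath shadowing pattern described above. It assumes the publicly reported layout in which the malicious twin sits in an `en-US` subfolder beside the legitimate `.msc` (generalized here to any locale-named folder); the file names and directory tree are constructed for the demo.

```python
import os
import re
import tempfile

# Locale folder names of the form MUIPath consults (e.g. en-US). The en-US case
# is the one reported publicly; the pattern covers the general xx-YY form.
LOCALE_DIR_RE = re.compile(r"^[a-z]{2,3}-[A-Z]{2,4}$")


def find_shadowed_msc(root):
    """Return (parent_msc, locale_msc) pairs where a .msc inside a locale
    subfolder carries the same name as a .msc in the folder directly above."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent_msc = {f.lower(): f for f in filenames if f.lower().endswith(".msc")}
        for sub in dirnames:
            if not LOCALE_DIR_RE.match(sub):
                continue
            locale_dir = os.path.join(dirpath, sub)
            for f in os.listdir(locale_dir):
                if f.lower().endswith(".msc") and f.lower() in parent_msc:
                    findings.append((os.path.join(dirpath, parent_msc[f.lower()]),
                                     os.path.join(locale_dir, f)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one shadowing pair plus two benign controls."""
    layout = {
        "tools/WmiMgmt.msc": "benign console (placeholder content)",
        "tools/en-US/WmiMgmt.msc": "same-named twin under a locale dir",  # flagged
        "tools/en-US/Other.msc": "no parent twin",                        # not flagged
        "tools/backup/WmiMgmt.msc": "not a locale-named dir",             # not flagged
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir and return root-relative findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(a, root).replace(os.sep, "/"),
                 os.path.relpath(b, root).replace(os.sep, "/"))
                for a, b in find_shadowed_msc(root)]


if __name__ == "__main__":
    for parent, twin in demo():
        print(f"{twin} shadows {parent}")
```

A hit is a lead for triage, not proof of compromise: confirm the twin's contents before acting, and point the scan at the directories from which administrators actually launch console files.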
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 25 Mar 2025 17:00:28 +0000