{
	"id": "76c61327-ee92-4e56-9d05-1d7d3322e61f",
	"created_at": "2026-04-06T00:12:58.447445Z",
	"updated_at": "2026-04-10T03:20:47.976736Z",
	"deleted_at": null,
	"sha1_hash": "a0909fb00ab5590c1912ad435cf45143870545ec",
	"title": "Microsoft Management Console (MMC) Vulnerabilities - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67406,
	"plain_text": "Microsoft Management Console (MMC) Vulnerabilities - Check\r\nPoint Research\r\nBy deugenio\r\nPublished: 2019-06-11 · Archived: 2026-04-05 15:10:43 UTC\r\nResearch by: Eran Vaknin and Alon Boxiner\r\nThe goal of Microsoft Management Console (MMC) is to provide a programming platform for creating and\r\nhosting applications that manage Microsoft Windows-based environment, and to provide a simple, consistent and\r\nintegrated management user interface and administration model.\r\nRecently, Check Point Research discovered several vulnerabilities in the console that would allow an attacker to\r\ndeliver a malicious payload.\r\nMicrosoft has granted CVE-2019-0948 to this vulnerability and patched it in their June 11\r\nth\r\n Patch Tuesday\r\nrelease.\r\nVulnerability Description:\r\n1) Multiple XSS vulnerabilities due to misconfigured WebView.\r\nMMC has an integrated Snap-In component which in turn contains several mechanisms such as ActiveX Control,\r\nLink to Web Address, etc.\r\n1. As an attacker chooses the Link to Web Address snap-in, he can insert a url to his server which contains an\r\nhtml page with a malicious payload.\r\nAs the victim opens the malicious .msc file, a web-view is opened (within the MMC window) and the\r\nmalicious payload is executed.\r\nWe have successfully managed to insert malicious URL link that contains malicious payloads such as\r\nredirection to SMB server that will capture the user NTLM hash.\r\nMoreover, it is also possible to execute VBS script on the victims’ host via the mentioned web-view.\r\n2. An attacker chooses the ActiveX Control snap-in (all ActiveX controls are vulnerable) and saves it to file\r\n(.msc file). In the .msc file, under the StringsTables section, the attacker changes the third string value to\r\nmalicious url under his control, containing an html page with a malicious payload. As mentions in sections\r\na (above) – we have successfully managed to insert malicious URL link that contains malicious payloads\r\nsuch as redirection to SMB server that will capture the user NTLM hash.\r\nMoreover, it is also possible to execute VBS script on the victims’ host via the mentioned web-view.\r\nAs the victim opens the malicious .msc file, a web-view is opened (within the MMC window) and the\r\nmalicious payload is executed.\r\n2) XXE Vulnerability due to misconfigured XML parser.\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 1 of 11\n\nA victim opens the MMC and chooses the event viewer snap-in and clicks on Action and then on Import Custom\r\nView. As soon as a malicious XML file is chosen (containing an XXE payload) any file from the victims host is\r\nsent to the attacker.\r\nThis is possible due to a misconfigured XML parser defined within the MMC custom view functionality.\r\nProof of Concept\r\n1) Link to Web Address snap-in Cross-Site Scripting (XSS):\r\nThe attacker adds a new snap-in:\r\nThe victim chooses a Link to Web Address snap in:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 2 of 11\n\nThe attacker then types the path to his server containing the malicious payload:\r\nThe attacker saves the .msc file and sends it to the victim:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 3 of 11\n\nThe malicious .msc file contains the path to the attacker’s server:\r\nAs the victim opens the malicious .msc file VBS code is executed:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 4 of 11\n\n2) ActiveX Control snap-ins: (Adobe Acrobat DC Browser example):\r\nThe attacker adds a new snap-in:\r\nThe attacker chooses an ActiveX Control snap-in:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 5 of 11\n\nThe ActiveX Control mechanism is then chosen (Adobe Acrobat DC Browser as an example):\r\nThe attacker saves the .msc file and sends it to the victim:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 6 of 11\n\nThe malicious .msc file containing the path to the attacker’s server:\r\nAs the victim opens the malicious .msc file VBS code is executed:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 7 of 11\n\n3) XXE Vulnerability Due to Misconfigured XML Parser:\r\nAdd a snap-in:\r\nThe attacker chooses the event viewer snap-in:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 8 of 11\n\nThe victim selects ‘Action’ and then clicks on the ‘Import Custom View’ option:\r\nThe victim selects the malicious XML sent by the attacker\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 9 of 11\n\nThe malicious XML containing the XXE payload will read the c:\\windows\\win.ini file content and send it to the\r\nremote server via HTTP/GET request:\r\nWhich in turn will call to xml.dtd:\r\nThe desired file content is sent from the client console application to a remote server:\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 10 of 11\n\nSource: https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nhttps://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/\r\nPage 11 of 11\n\n  https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/  \nThe attacker then types the path to his server containing the malicious payload:\nThe attacker saves the .msc file and sends it to the victim: \n   Page 3 of 11\n\n https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/  \nThe malicious .msc file contains the path to the attacker’s server:\nAs the victim opens the malicious .msc file VBS code is executed:\n   Page 4 of 11\n\n https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/  \nThe malicious .msc file containing the path to the attacker’s server:\nAs the victim opens the malicious .msc file VBS code is executed:\n   Page 7 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/"
	],
	"report_names": [
		"microsoft-management-console-mmc-vulnerabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0909fb00ab5590c1912ad435cf45143870545ec.pdf",
		"text": "https://archive.orkl.eu/a0909fb00ab5590c1912ad435cf45143870545ec.txt",
		"img": "https://archive.orkl.eu/a0909fb00ab5590c1912ad435cf45143870545ec.jpg"
	}
}