⚡ Active KEV CVE-2026-33825 2026-05-17

CVE-2026-33825: Microsoft Defender Local Privilege Escalation Added to CISA KEV

"CISA added CVE-2026-33825, a local privilege escalation flaw in Microsoft Defender, to the Known Exploited Vulnerabilities catalog on 2026-04-22, confirming active exploitation in the wild."

What Is It

CVE-2026-33825 is an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. According to Microsoft and NVD, the flaw allows an authorized attacker to elevate privileges locally on an affected host. The CVSS 3.1 base score is 7.8 (HIGH), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, local attack vector, low complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

Why It Matters

CISA's inclusion of this CVE in the KEV catalog on 2026-04-22 confirms it is being actively exploited. The KEV entry lists known use in ransomware campaigns as "Unknown," but the bug's profile (abuse of a security product that already runs with high privileges in order to escalate further) makes it attractive as a post-compromise step. Once an attacker has a foothold in any authenticated session, this flaw provides a path to full host control without user interaction.

What's Vulnerable

Per the NVD CPE data, the affected product is the Microsoft Defender Antimalware Platform (cpe:2.3:a:microsoft:defender_antimalware_platform) in versions prior to 4.18.26030.3011. Exploitation requires local access and low privileges on the target system.

Patch Status

Microsoft has published guidance and a fix via the MSRC advisory. Antimalware Platform versions 4.18.26030.3011 and later are not vulnerable per the NVD configuration data; updates to the platform are typically delivered automatically through Defender's platform update channel.

CISA's required action: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." Federal civilian agencies were required to remediate by 2026-05-06.
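A quick way to verify the "What's Vulnerable" and "Patch Status" sections on your own hosts is to compare the installed Antimalware Platform build against the fixed build from the NVD data. The following is an added example, not code from the brief or from Microsoft; it assumes the Defender PowerShell module is available, that Get-MpComputerStatus's AMProductVersion reports the platform version, and that the $Targets host list is a placeholder you replace with your own inventory.

```powershell
# Fixed platform build taken from the NVD configuration data for CVE-2026-33825.
$FixedVersion = [version]'4.18.26030.3011'

function Test-DefenderPlatformVersion {
    # Returns one record describing whether this host still runs a platform
    # build older than the fixed one. Runs locally; no changes are made.
    param([Parameter(Mandatory)] [version] $Fixed)

    $status = Get-MpComputerStatus -ErrorAction Stop
    # AMProductVersion is the Antimalware Platform version (assumption noted above).
    $installed = [version] $status.AMProductVersion

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PlatformBuild  = $installed
        EngineBuild    = $status.AMEngineVersion
        FixedBuild     = $Fixed
        NeedsUpdate    = ($installed -lt $Fixed)
    }
}

# Local check.
Test-DefenderPlatformVersion -Fixed $FixedVersion | Format-List

# Fleet check over WinRM. $Targets is a constructed placeholder list; hosts that
# cannot be reached are reported rather than silently skipped.
$Targets = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')
$results = foreach ($t in $Targets) {
    try {
        Invoke-Command -ComputerName $t -ErrorAction Stop -ArgumentList $FixedVersion `
            -ScriptBlock ${function:Test-DefenderPlatformVersion}
    } catch {
        [pscustomobject]@{ ComputerName = $t; PlatformBuild = $null; EngineBuild = $null
                           FixedBuild = $FixedVersion; NeedsUpdate = 'unreachable' }
    }
}
$results | Sort-Object NeedsUpdate -Descending | Format-Table -AutoSize
```

Hosts reported with NeedsUpdate set to True are still on a build the NVD data lists as affected; if the platform update channel has not delivered 4.18.26030.3011 to them, that is the gap to close before the BOD 22-01 deadline.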

Sources