Cyber Resilience

CVE-2026-33825

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 April 2026
Modified: 23 April 2026
KEV Added: see CISA KEV catalog
Patch: Microsoft security update (see the MSRC advisory)
CVSS v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0675 (93.1st percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-33825 is a high-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in Microsoft Defender Antimalware Platform. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 6.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33825 is an insufficient-granularity access-control flaw in Microsoft Defender that permits local privilege escalation. The vulnerability carries a CVSS 3.1 base score of 7.8 and is tracked under CWE-1220; it affects the Microsoft Defender component running on supported Windows platforms.

An attacker who already possesses a local, low-privileged account can exploit the weakness without user interaction to obtain higher privileges on the affected system. The attack vector is strictly local (AV:L) and requires only low attack complexity once code execution is achieved under the initial account.

Microsoft’s advisory at msrc.microsoft.com details the affected builds and supplies the corresponding security update; CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild use. The Huntress report “Nightmare Eclipse Intrusion” further documents observed post-exploitation activity tied to this issue.

EPSS for the vulnerability rose from a low baseline to a peak of 0.1376 nine days after disclosure on 14 April 2026 before receding to its current value of 0.0789, indicating a transient but measurable increase in exploitation interest following public release.

Vulnerability details

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

CWE(s): CWE-1220 (Insufficient Granularity of Access Control)
KEV Date Added: see CISA KEV catalog

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2026-33825 is an access control vulnerability in Microsoft Defender enabling local privilege escalation from low privileges, directly facilitating T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45498 · Same product: Microsoft Defender Antimalware Platform · both on KEV
CVE-2025-21418 · Same vendor: Microsoft · both on KEV
CVE-2025-24983 · Same vendor: Microsoft · both on KEV
CVE-2025-62221 · Same vendor: Microsoft · both on KEV
CVE-2025-62215 · Same vendor: Microsoft · both on KEV
CVE-2026-35436 · Same vendor: Microsoft
CVE-2025-21333 · Same vendor: Microsoft · both on KEV
CVE-2025-21335 · Same vendor: Microsoft · both on KEV
CVE-2025-24990 · Same vendor: Microsoft · both on KEV
CVE-2025-21391 · Same vendor: Microsoft · both on KEV

Affected Assets

Vendor: microsoft
Product: defender antimalware platform
Affected versions: ≤ 4.18.26030.3011

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement · prevent
Directly enforces granular access decisions in Microsoft Defender to block the unauthorized privilege escalation path.

AC-6 Least Privilege · prevent
Requires that Microsoft Defender processes operate with only the privileges needed, eliminating the excess rights the flaw exposes.

prevent
Ensures access-control decisions for Defender components are made with sufficient granularity rather than coarse local-account checks.
