CVE-2026-33825
Published: 14 April 2026
Summary
CVE-2026-33825 is a high-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in Microsoft Defender Antimalware Platform. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 6.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-33825 is an insufficient-granularity access-control flaw in Microsoft Defender that permits local privilege escalation. The vulnerability carries a CVSS 3.1 base score of 7.8 and is tracked under CWE-1220; it affects the Microsoft Defender component running on supported Windows platforms.
An attacker who already possesses a local, low-privileged account can exploit the weakness without user interaction to obtain higher privileges on the affected system. The attack vector is strictly local (AV:L) and requires only low attack complexity once code execution is achieved under the initial account.
Microsoft’s advisory at msrc.microsoft.com details the affected builds and supplies the corresponding security update; CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild use. The Huntress report “Nightmare Eclipse Intrusion” further documents observed post-exploitation activity tied to this issue.
The vulnerability's EPSS score rose from a low baseline to a peak of 0.1376 nine days after the 14 April 2026 disclosure, then receded to its current value of 0.0789. This indicates a transient but measurable increase in exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22643
Vulnerability details
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.
- CWE(s): CWE-1220 (Insufficient Granularity of Access Control)
- KEV date added: see the CISA KEV catalog
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-33825 is an access control vulnerability in Microsoft Defender enabling local privilege escalation from low privileges, directly facilitating T1068: Exploitation for Privilege Escalation.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces granular access decisions in Microsoft Defender to block the unauthorized privilege escalation path.
- AC-6 (Least Privilege): requires that Microsoft Defender processes operate with only the privileges needed, eliminating the excess rights the flaw exposes.
- Ensures access-control decisions for Defender components are made with sufficient granularity rather than coarse local-account checks.