CVE-2026-33825
Confirmed PUBLISHEDMicrosoft Defender Elevation of Privilege Vulnerability
1 day faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.
- CVE Published
- Apr 14, 2026
- Exploitation Reported
- Jun 01, 2026
- CVSS
- 7.8 High
- EPSS
- 6.7%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Microsoft |
Microsoft Defender Antimalware Platform
|
4.0.0.0 to < 4.18.26030.3011 |
Affected |
CVE References
- Microsoft Defender Elevation of Privilege Vulnerability msrc.microsoft.com · Vendor Advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CVE First | 2026-06-01 13:22 UTC |
| CISA | 2026-06-02 14:01 UTC |
| Tenable Blog | 2026-06-09 19:21 UTC |
No detection artifacts or sensor request patterns are available for this CVE yet.
Check back as sensor telemetry and scanner integrations are updated.
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Exploitation Status
Exploited in the wild
Recorded 2026-06-01 13:22:36 UTC · CVE
Proof of concept available
Recorded 2026-05-18 16:28:47 UTC · GitHub
Weaknesses (CWE)
-
Insufficient Granularity of Access Control
Recent Mentions
Rapid7 · Jun 09, 2026
Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for three. This is similar to last month’s Patch Tuesday, however several of last month’s vulnerabilities ended up on CISA KEV in the days following their publication. So far this month, Microsoft has provided patches to address 360 browser vulnerabilities, which is an order of magnitude more than has been typical in any given month over the past few years. As usual, browser vulns are not included in the Patch Tuesday count above. Indeed, the vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update Guide. Other vulnerability categories, especially Linux kernel vulnerabilities, are seeing a similar increase in AI-assisted vulnerability reports.What's the opposite of coordinated disclosure?In recent weeks, an independent vulnerability researcher going by the pseudonym Nightmare Eclipse has attracted significant attention by publishing details of six Microsoft vulnerabilities, including elevation of privilege vulnerabilities in Defender, and a Secure Boot disk encryption bypass. The researcher provided full proof-of-concept code for some, and provided significant-but-incomplete detail around the path to exploitation for others. Microsoft has confirmed that these disclosures were not coordinated, and it is clear that the relationship between this researcher and Microsoft is less than cordial. Two of the disclosures emerged in the hours after last month’s Patch Tuesday, which provides maximum visibility, while limiting Microsoft’s ability to respond without out-of-cycle patches.At time of writing, Microsoft has provided mitigation advice and patches for CVE-2026-33825, CVE-2026-45585, CVE-2026-45498, and CVE-2026-41091, leaving only two elevation of privilege vulnerabilities...
Tenable Blog · Jun 09, 2026
32Critical166Important0Moderate0LowMicrosoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days.Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as important. Our counts omitted 6 CVEs that were already addressed by Microsoft via servicing and do not require additional customer action to resolve as well as 2 CVEs that were disclosed by other CNAs (CVE-2025-10263 and CVE-2026-8863). This Patch Tuesday release is the largest release since the Patch Tuesday program began, smashing the previous record of 167 CVEs in the October 2025 Patch Tuesday release.This month’s update includes patches for:.NETASP.NET CoreActive Directory Domain ServicesAzure HorizonDBAzure Stack EdgeCopilot Chat (Microsoft Edge)Function Discovery Service (fdwsd.dll)GitHub Copilot and Visual Studio CodeHTTP/2Linux MANA DriverM365 CopilotMicrosoft Azure Attestation service and Device Health Attestation ServiceMicrosoft Azure Kubernetes ServiceMicrosoft BingMicrosoft CopilotMicrosoft Defender for EndpointMicrosoft Dynamics 365 (on-premises)Microsoft Exchange OnlineMicrosoft Exchange ServerMicrosoft GraphMicrosoft Graphics ComponentMicrosoft KinectMicrosoft Live Share Canvas SDKMicrosoft OfficeMicrosoft Office Click-To-RunMicrosoft Office ExcelMicrosoft Office ProjectMicrosoft Office SharePointMicrosoft Office WordMicrosoft PC ManagerMicrosoft PowerToysMicrosoft Teams for AndroidMicrosoft UxTheme Library (uxtheme.dll)Microsoft Windows DNSNuance PowerScribeOffice for AndroidRemote Desktop ClientRole: Windows Hyper-VUI Automation Manager (uiamanager.dll)Universal Plug and Play (upnp.dll)Visual Studio CodeWindows Administrator ProtectionWindows Ancillary Function Driver for WinSockWindows Application Identity (AppID) SubsystemWindows BitLockerWindows Bluetooth Port DriverWindows Bluetooth ServiceWindows Boot ManagerWindows Collaborative Translation FrameworkWindows Common Log File System DriverWindows Cryptographic...
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
19:21 UTC about 1 month ago19:21 UTC · about 1 month ago
KEV confirmed by Tenable Blog
Exploitation attested by an external source
-
14:01 UTC about 1 month ago14:01 UTC · about 1 month ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
13:22 UTC about 2 months ago13:22 UTC · about 2 months ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
16:28 UTC about 2 months ago16:28 UTC · about 2 months ago
Public PoC available
Public proof-of-concept code published
-
16:57 UTC 3 months ago16:57 UTC · 3 months ago
CVE published
Vulnerability disclosed publicly
-
00:52 UTC 4 months ago00:52 UTC · 4 months ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-33825
{
"cve_id": "CVE-2026-33825",
"title": "Microsoft Defender Elevation of Privilege Vulnerability",
"affected_vendor": "Microsoft",
"affected_product": "Microsoft Defender Antimalware Platform",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 7.8,
"epss_score": 0.06749,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}