CVE-2026-33825 – Microsoft Defender Elevation of Privilege Vulnerability
“This flaw turns limited access into total control—what starts as a foothold can quickly become full system domination.”
This vulnerability in Microsoft Defender stems from insufficient granularity of access control: permissions are enforced too coarsely, so a local attacker who already holds low privileges can bypass the intended restrictions and escalate to SYSTEM. Initial local access is required, but the impact is severe because the attacker ends up with full control of the affected host.
CVSS Score: 7.8
SEVERITY: Important
THREAT: Elevation of Privilege
EXPLOITS:
Proof-of-concept (PoC) exploit code is available, and the vulnerability has been publicly disclosed. While no active exploitation has been confirmed, the presence of PoC code increases the likelihood of real-world attacks.
TECHNICAL SUMMARY:
This vulnerability is classified under CWE-1220, indicating insufficient granularity of access control within Microsoft Defender. The flaw allows a local attacker with low privileges to exploit improper permission enforcement mechanisms. By leveraging this weakness, the attacker can execute code or actions with elevated privileges, ultimately achieving SYSTEM-level access. This type of vulnerability is particularly dangerous because it can be chained with other exploits to expand initial access into full system compromise.
EXPLOITABILITY:
Affects Microsoft Defender Antimalware Platform versions prior to 4.18.26050.3011 (last vulnerable version: 4.18.26020.6).
Exploitation requires local access with low privileges and no user interaction.
BUSINESS IMPACT:
This vulnerability significantly increases risk in environments where attackers have already gained a foothold. Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling of security tools, and lateral movement across networks. Even environments with strong perimeter defenses are at risk if internal systems are compromised.
WORKAROUND:
Ensure Microsoft Defender updates are enabled and applied automatically, so that the Antimalware Platform reaches 4.18.26050.3011 or later.
Regularly verify that the antimalware platform, engine, and signature versions are current; any platform version below 4.18.26050.3011 (4.18.26020.6 and earlier) is still vulnerable.
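The version check described above, written out as an added PowerShell example (not part of the advisory): it queries each host's Defender status and flags any Antimalware Platform build below the fixed version the advisory names. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller has local administrator rights there; the host list is a constructed placeholder.

```powershell
# Added example, not from the advisory. Reports the Microsoft Defender Antimalware
# Platform version on each host and flags builds below the fixed version.
$FixedVersionString = '4.18.26050.3011'   # first fixed platform build, per the advisory
$Hosts = @('localhost')                   # constructed placeholder; replace with real hostnames

$report = Invoke-Command -ComputerName $Hosts -ScriptBlock {
    $fixed    = [version]$using:FixedVersionString
    $s        = Get-MpComputerStatus
    # Cast to [version] so the comparison is numeric per component;
    # a plain string comparison would misorder builds such as 4.18.9xxx vs 4.18.26050.
    $platform = [version]$s.AMProductVersion

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        PlatformVersion    = $platform
        Vulnerable         = ($platform -lt $fixed)
        EngineVersion      = $s.AMEngineVersion
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeDays   = [int]((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalDays
        RealTimeProtection = $s.RealTimeProtectionEnabled
    }
}

$report | Format-Table Host, PlatformVersion, Vulnerable, EngineVersion, SignatureVersion, SignatureAgeDays, RealTimeProtection -AutoSize

$vulnerable = @($report | Where-Object { $_.Vulnerable })
if ($vulnerable.Count -gt 0) {
    Write-Warning ("{0} host(s) below {1} (CVE-2026-33825): {2}" -f $vulnerable.Count, $FixedVersionString, ($vulnerable.Host -join ', '))
    exit 1
}
Write-Host "All queried hosts are at or above platform $FixedVersionString"
```

A host still on 4.18.26020.6 (the last vulnerable build named above) is reported with Vulnerable = True. The platform update itself is delivered through Windows Update rather than through signature updates, so a flagged host needs the Defender platform update installed from there; the script only reports and does not attempt remediation. Including SignatureAgeDays and RealTimeProtection in the same pass covers the second check above (stale signatures or disabled real-time protection on an otherwise patched host).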
Key Details
- Affected Product: Microsoft Defender Antimalware Platform
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- CWE Classification: CWE-1220