CISA KEV Alert 4/22/2026, 10:11:09 PM

CISA adds Microsoft Defender flaw CVE-2026-33825 to KEV list

CyberSIXT Evidence Panel: source marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: available

On 22 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-33825 to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability affects Microsoft Defender and is officially named Microsoft Defender Insufficient Granularity of Access Control Vulnerability. In one sentence, it is an access-control weakness that could permit an authorised attacker to gain higher privileges on a local system.

The flaw stems from insufficient validation of permissions within Defender, allowing a user with legitimate access to manipulate security controls and execute code with elevated rights. This local privilege-escalation vulnerability can be exploited after an attacker obtains an initial foothold on the host, without requiring additional privileges. The Common Vulnerability Scoring System assigns it a score of 7.8, rating the severity as HIGH. Microsoft has released a patch, which is available through the MSRC update guide.

Because CISA only includes vulnerabilities that are being actively exploited in the wild, the addition confirms that attackers are already leveraging this flaw. No public reports link the vulnerability to ransomware campaigns at this time. Federal agencies must remediate the issue by the CISA‑specified deadline of 6 May 2026.

CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations cannot be implemented. This directive binds Federal Civilian Executive Branch (FCEB) agencies; all other organisations are strongly advised to assess their Defender deployments and apply the available patch or equivalent mitigations promptly.

For full technical details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-33825 and the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalogue.


Article by CyberSIXT
