
CVE-2026-33825

Severity: HIGH · CVSS 7.8 · KEV-listed · EPSS 6.7%
Hype: ACTIVE HACK · score 92

KEV-listed, confirmed ransomware exploitation, public PoC, vendor patched, CISA tracking.

What: Local privilege escalation in Microsoft Defender (CVSS 7.8) exploited in ransomware campaigns after zero-day use and public PoC release.

Why it matters: KEV-listed as of 22 April; confirmed in-the-wild exploitation by ransomware gangs post-patch; public PoC circulating; Microsoft patched 14 April after Huntress disclosure; CISA actively tracking operational abuse.

Where it's seen: Coordinated social chatter across security community (Bluesky, threat intel forums) documenting escalation from zero-day to ransomware weaponization; vendor advisory and KEV inclusion driving urgent awareness; defender triage ongoing.

RISK: CRITICAL — Ransomware-active privilege escalation in a widely deployed endpoint protection product.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/30/2026, 6:36:18 PM

Description

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

CVSS 3.1 breakdown

Exploitability 1.8 · Impact 5.9
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Attack vector: Local
  • Complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Affected versions

  • microsoft/defender_antimalware_platform
    • < 4.18.26030.3011

Weaknesses

Vendors

  • microsoft

Products

  • defender_antimalware_platform