CVE-2026-33825: Microsoft Defender Insufficient Granularity of Access Control Vulnerability

CVE ID

CVE-2026-33825

Vulnerability Name

Microsoft Defender Insufficient Granularity of Access Control Vulnerability

• Project: Microsoft
• Product: Defender

Date

• Date Added: 2026-04-22
• Due Date: 2026-05-06

Description

Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825 ; https://nvd.nist.gov/vuln/detail/CVE-2026-33825

Related Security News

• Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
• Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498)
• Microsoft shares mitigation for YellowKey Windows zero-day
• New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released
• Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
• Windows BitLocker zero-day gives access to protected drives, PoC released
• CISA orders feds to patch BlueHammer flaw exploited as zero-day

More CVEs Info

Common Vulnerabilities & Exposures (CVE) List