criticalCISA KEVCVE-2026-33825

Microsoft Defender Insufficient Granularity of Access Control Vulnerability

Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

ProductDefender
CVSS7.8
EPSS0.06749
UpdatedJuly 9, 2026

Quick answer

Microsoft Defender should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Treat CVE-2026-33825 as an actively exploited Microsoft Defender local privilege escalation risk. The local record and CISA KEV identify insufficient access-control granularity in Microsoft Defender, so affected endpoints should receive the Microsoft Security Update Guide fix through Defender platform, engine, security intelligence, or Windows cumulative update channels as applicable. Prioritize endpoints with privileged users, servers, and systems that recently handled malware alerts. If Defender tampering or privilege escalation is suspected, investigate endpoint integrity before relying on the host.

  1. Inventory Microsoft Defender deployments across Windows clients, servers, Microsoft Defender for Endpoint-managed systems, and security management platforms.
  2. Check each endpoint against the Microsoft Security Update Guide entry for CVE-2026-33825 and its Defender platform, engine, security intelligence, and OS update levels.
  3. Deploy the applicable Microsoft Defender and Windows security updates through Microsoft Update, Intune, Defender for Endpoint, WSUS, SCCM, or the approved management workflow.
  4. Prioritize administrator workstations, servers, domain controllers, RDP hosts, and endpoints with recent malware or tampering alerts.
  5. Ensure Defender tamper protection, cloud-delivered protection, and security intelligence updates are enabled where supported.
  6. Review Defender, Windows event, and EDR telemetry for tampering, privilege escalation, service manipulation, exclusions, or unexpected policy changes.
  7. Rotate credentials and investigate lateral movement if exploitation or Defender bypass activity is suspected.
  8. Isolate or rebuild endpoints where Defender integrity cannot be trusted after remediation.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm each endpoint reports Defender platform, engine, security intelligence, and Windows update levels that include the CVE-2026-33825 fix or later.
  • Confirm Microsoft Defender for Endpoint, Intune, WSUS, SCCM, or vulnerability management no longer flags CVE-2026-33825.
  • Confirm Defender tamper protection and expected protection settings remain enabled after patching.
  • Review post-remediation telemetry for continued privilege escalation or Defender tampering attempts.
  • Run a Fixnx scan against public Windows-hosted services to verify external exposure is understood.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-33825?

Microsoft Defender should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.