Insufficient granularity of access control in Microsoft Defender

CVE-2026-33825 is a local privilege escalation in the Microsoft Defender Antimalware Platform. Microsoft and NVD show affected versions as Defender platform builds before 4.18.26030.3011, with the fix released on 2026-04-14. Public reporting and Huntress analysis tie this to the BlueHammer exploit chain, which abuses Defender’s own scan/update workflow to read sensitive files and pivot from a low-privileged local user into SYSTEM.

Microsoft’s HIGH 7.8 label is directionally right, but the raw CVSS still overstates reachability and understates urgency. In practice this is not remote initial access; it requires local code execution as a normal user and a fairly delicate race-condition chain. But it is also KEV-listed, publicly weaponized, and confirmed in real intrusions, so it stays firmly in HIGH rather than dropping into routine local-privesc backlog.

Why this verdict

• Started from Microsoft’s 7.8 HIGH baseline because the end state is full local compromise of the host, including potential SYSTEM-level execution.
• Upward pressure: KEV + public exploit + real intrusion reporting add urgency that plain CVSS misses; this is not hypothetical lab-only privesc research anymore.
• Downward pressure: requires local code execution first. That implies the attacker is already on the box, which compounds downward pressure because the reachable population is limited to machines where another control already failed.
• Downward pressure: no internet-facing attack surface. NGFW, WAF, and perimeter scanners are irrelevant because there is no direct remote edge path into the bug.
• Slight upward pressure: huge installed base. Defender is common enough that once an attacker has a foothold, the exploit economics are good and operationalization cost is low.

Why not higher?

This does not justify CRITICAL because it is neither unauthenticated remote code execution nor wormable network exposure. The attacker must already be on the host with local execution, then land a somewhat finicky exploit chain to convert that foothold into SYSTEM.

Why not lower?

This does not fall to MEDIUM because the exploitation signal is too strong. KEV inclusion, public PoC, and Huntress reporting of in-the-wild activity mean defenders should treat it as a live post-compromise privilege-escalation primitive, not ordinary patch debt.

1. Verify Defender platform version fleet-wide — Enumerate AMProductVersion or the installed Defender platform directory across all Windows endpoints and isolate anything below 4.18.26030.3011. Because this CVE is KEV-listed and actively exploited, do this immediately, within hours, not during the next routine inventory cycle.
2. Force the Defender platform update — Do not assume auto-update worked everywhere; explicitly trigger/update/check the Defender antimalware platform release tied to KB4052623 / 4.18.26030.3011 on lagging systems. With KEV status, apply this immediately, within hours.
3. Tighten low-privilege execution paths on high-risk tiers — Use WDAC/AppLocker, script control, and user-writable path execution restrictions to make the initial low-priv local foothold harder to land or reuse on admin workstations, jump boxes, and servers. Treat this as compensating control to deploy immediately, within hours where patch verification is incomplete.
4. Hunt for BlueHammer tradecraft — Add detections for suspicious Cloud Files sync provider registration, Defender-driven VSS activity, junction/reparse abuse, SAM/VSS access anomalies, and abnormal password reset/token-duplication sequences. Stand this up immediately, within hours because exploitation is already public.
5. Reduce privileged credential residue — Limit cached admin usage on workstations, enforce admin separation, and keep privileged accounts off lower-trust endpoints so a local privesc yields less reusable authority. This is not the primary fix, but it reduces blast radius and should be prioritized immediately, within hours on crown-jewel tiers.

Run this on the target Windows host or remotely over WinRM/PowerShell Remoting with a user that can query Defender status; local admin is preferred for consistency. Save it as check-CVE-2026-33825.ps1 and run: powershell.exe -ExecutionPolicy Bypass -File .\check-CVE-2026-33825.ps1 -MinVersion 4.18.26030.3011.

# check-CVE-2026-33825.ps1

# Purpose: Determine whether the local Microsoft Defender Antimalware Platform

#          is vulnerable to CVE-2026-33825 based on platform version.

# Output : VULNERABLE / PATCHED / UNKNOWN

# Exit   : 1 = vulnerable, 0 = patched, 2 = unknown/error


[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [string]$MinVersion = '4.18.26030.3011'
)

function Get-PlatformVersion {
    # First try the supported Defender cmdlet.

    try {
        Import-Module Defender -ErrorAction SilentlyContinue | Out-Null
        $status = Get-MpComputerStatus -ErrorAction Stop
        if ($status -and $status.AMProductVersion) {
            return [string]$status.AMProductVersion
        }
    }
    catch {
        # Fall through to filesystem-based detection.

    }

    # Fallback: inspect installed platform directories.

    try {
        $base = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
        if (Test-Path -LiteralPath $base) {
            $dirs = Get-ChildItem -LiteralPath $base -Directory -ErrorAction Stop |
                Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
                Sort-Object { [version]$_.Name } -Descending

            if ($dirs -and $dirs.Count -gt 0) {
                return [string]$dirs[0].Name
            }
        }
    }
    catch {
        # Ignore and return null below.

    }

    return $null
}

try {
    $installed = Get-PlatformVersion

    if (-not $installed) {
        Write-Output 'UNKNOWN - unable to determine Microsoft Defender platform version'
        exit 2
    }

    try {
        $installedVer = [version]$installed
        $fixedVer = [version]$MinVersion
    }
    catch {
        Write-Output ("UNKNOWN - version parsing failed (installed='{0}', fixed='{1}')" -f $installed, $MinVersion)
        exit 2
    }

    if ($installedVer -lt $fixedVer) {
        Write-Output ("VULNERABLE - Microsoft Defender platform {0} is older than fixed version {1}" -f $installed, $MinVersion)
        exit 1
    }
    else {
        Write-Output ("PATCHED - Microsoft Defender platform {0} is at or above fixed version {1}" -f $installed, $MinVersion)
        exit 0
    }
}
catch {
    Write-Output ("UNKNOWN - unexpected error: {0}" -f $_.Exception.Message)
    exit 2
}

Sources

1. NVD CVE-2026-33825
2. Microsoft Security Update Guide advisory
3. Microsoft Defender release notes
4. Microsoft Update Catalog KB4052623
5. CISA Known Exploited Vulnerabilities Catalog
6. Huntress BlueHammer intrusion analysis
7. FIRST EPSS project
8. BleepingComputer coverage of KEV addition and public PoC