CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability – Active Exploitation Threatens Endpoint Security
What It Is – A privilege‑escalation flaw in Microsoft Defender’s access‑control logic, of the weakness class CWE‑1220 (Insufficient Granularity of Access Control): because permissions are not enforced at a fine enough granularity, an attacker who already has a foothold can bypass the intended policy and gain broader visibility into, or control over, protected endpoints.
Exploitability – The vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, which means exploitation in the wild has been confirmed. The absence of a public proof‑of‑concept does not lower the risk: threat actors already have a working exploit. CVSS v3.1 base score: 8.8 (High).
Affected Products – Microsoft Defender for Endpoint (Windows 10/11, Server 2016‑2022) and any integrated Microsoft security stack that relies on its access‑control module.
TPRM Impact –
- Third‑party SaaS or managed‑service providers that embed Microsoft Defender in their security offering inherit the same exposure.
- Organizations that mandate Microsoft Defender as a contractual security control may face non‑compliance if the flaw remains unpatched.
Recommended Actions –
- Prioritize patching to the latest Microsoft Defender update (released 2026‑04‑15) across all managed endpoints.
- Verify remediation status against the CISA BOD 22‑01 deadline for this CVE (BOD 22‑01 is the directive that requires remediation of every KEV‑listed vulnerability by a set date); document the result for audit trails.
- Review and tighten any custom access‑control policies, and treat them as unreliable on unpatched endpoints, since the flaw bypasses their enforcement rather than any one policy setting.
- Incorporate the CVE into your vulnerability‑management scoring model and notify any downstream vendors that rely on your Defender deployment.
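The following PowerShell is an added example for the patch‑verification step above; it is not from the CISA advisory or from Microsoft. It assumes the fix ships in the Defender antivirus platform/engine update reported by the built‑in `Get-MpComputerStatus` cmdlet, that endpoint hostnames are in `endpoints.txt`, and that the two minimum version numbers are placeholders to be replaced with the fixed builds from Microsoft’s advisory. Hosts that do not answer are reported separately, because an unreachable endpoint is an unknown, not a remediated one.

```powershell
# Added example (not the advisory's or Microsoft's code): inventory Defender platform and
# engine versions across managed endpoints and flag any below the fixed build.
# The two minimum versions are PLACEHOLDERS (assumption); take the real fixed build
# numbers for CVE-2026-33825 from Microsoft's advisory before relying on this report.
$MinPlatformVersion = [version]'4.18.0.0'   # placeholder: fixed Defender platform version
$MinEngineVersion   = [version]'1.1.0.0'    # placeholder: fixed Defender engine version
$Hosts = Get-Content .\endpoints.txt        # assumption: one hostname per line

# Collect status remotely; versions are returned as strings and cast locally
# so the comparison does not depend on how remoting serializes [version].
$results = Invoke-Command -ComputerName $Hosts -ErrorAction SilentlyContinue -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        PlatformVersion = $s.AMProductVersion
        EngineVersion   = $s.AMEngineVersion
        SignatureAge    = $s.AntivirusSignatureAge
        RealTimeOn      = $s.RealTimeProtectionEnabled
    }
}

$report = $results | Select-Object Host, PlatformVersion, EngineVersion, SignatureAge, RealTimeOn,
    @{ n = 'Remediated'; e = {
        ([version]$_.PlatformVersion -ge $MinPlatformVersion) -and
        ([version]$_.EngineVersion   -ge $MinEngineVersion)
    } }

# Unpatched hosts first, then the rest; keep a CSV as the audit-trail artifact.
$report | Sort-Object Remediated, Host | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\defender-cve-2026-33825-status.csv

# Endpoints that never answered are not remediated until proven otherwise.
$answered = $results | ForEach-Object { $_.PSComputerName }
$Hosts | Where-Object { $_ -notin $answered } | ForEach-Object {
    Write-Warning "No response from $_ ; treat as unverified"
}
```

Run it from an account with WinRM rights on the targets; a `Remediated` value of `False` on any row, or any warning line, is a host that still needs the update.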
Source: CISA Advisory – CVE‑2026‑33825