Microsoft Defender local privilege escalation exploited in the wild (CVE-2026-33825) [PoC]
Actively exploited Microsoft Defender for Endpoint flaw CVE-2026-33825 lets low-privileged users escalate to SYSTEM. Patch now: the fix ships as a Microsoft Defender Antimalware Platform update delivered through Windows Update.
Actively exploited in the wild: CVE-2026-33825 is a high-severity privilege escalation vulnerability in the Microsoft Defender Antimalware Platform that lets a local, low-privileged attacker gain SYSTEM-level control of a compromised Windows system. Apply the latest Windows security updates immediately.
Overview
A high-severity vulnerability in Microsoft Defender for Endpoint allows a local, low-privileged attacker to gain elevated system privileges. Tracked as CVE-2026-33825, this flaw stems from insufficient granularity in the security product’s access controls. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed this vulnerability is being actively exploited in the wild, adding significant urgency to remediation efforts.
Vulnerability Details
The vulnerability has a CVSS score of 7.8 (high). Its attack vector is local: the attacker must already be able to run code on the target as a low-privileged user. Attack complexity is low and no user interaction is required, so once initial access is achieved the escalation is straightforward. The core issue is that Microsoft Defender does not properly restrict certain actions, allowing an authenticated but low-privileged user to bypass an intended security boundary.
Impact
Successful exploitation allows an attacker to escalate their privileges on a compromised Windows system. From a low-privileged account, an attacker could gain SYSTEM-level permissions. This level of access enables complete control over the system, including the ability to install programs, view or change data, create new accounts, and disable security software. This is a powerful technique for attackers to persist within a network and move laterally after an initial breach.
Affected Products and Remediation
This vulnerability affects Microsoft Defender for Endpoint; the vulnerable component is the Microsoft Defender Antimalware Platform. Microsoft has released security updates to address the flaw.
Action Required: Apply the latest Windows security updates from Microsoft as soon as possible. The fix is distributed as a Defender Antimalware Platform update through standard Windows Update channels. Organizations should prioritize updating all endpoints, especially those used interactively by many users or otherwise exposed to higher risk. Ensure your update deployment process includes a verification step that confirms the platform version reported by each endpoint is at or above the fixed version given in Microsoft's advisory, rather than assuming the update installed.
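To make that verification step concrete, here is an added PowerShell example written for this page (it is not Microsoft's code and not a script from the advisory). It queries `Get-MpComputerStatus`, the Defender cmdlet that reports the Antimalware Platform version as `AMProductVersion`, and compares it with a minimum version you supply. The fixed version is not stated on this page and must be taken from Microsoft's advisory for CVE-2026-33825; the function name `Test-DefenderPlatformPatched` and the `4.18.0.0` value in the usage line are assumptions and placeholders, not real fixed-version numbers.

```powershell
# Added example for this advisory (not Microsoft's code and not from the page):
# check that the Microsoft Defender Antimalware Platform on one or more Windows
# hosts is at or above the version that carries the fix for CVE-2026-33825.
#
# ASSUMPTION: the fixed platform version is NOT stated on this page. Take it
# from Microsoft's advisory and pass it as -MinimumPlatformVersion; the value
# in the usage line at the bottom is a placeholder only.

function Test-DefenderPlatformPatched {
    [CmdletBinding()]
    param(
        # Lowest Antimalware Platform version that contains the fix.
        [Parameter(Mandatory)]
        [version]$MinimumPlatformVersion,

        # Hosts to check. Remote hosts need PowerShell remoting (WinRM).
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Probe run on each host. Get-MpComputerStatus reports the platform
    # version as AMProductVersion (e.g. "4.18.<build>.<rev>"), alongside the
    # engine and service versions, which are updated separately.
    $probe = {
        param([version]$Minimum)
        try {
            $status   = Get-MpComputerStatus -ErrorAction Stop
            $platform = [version]$status.AMProductVersion
            [pscustomobject]@{
                ComputerName       = $env:COMPUTERNAME
                PlatformVersion    = $platform.ToString()
                EngineVersion      = $status.AMEngineVersion
                ServiceVersion     = $status.AMServiceVersion
                RealTimeProtection = $status.RealTimeProtectionEnabled
                Patched            = ($platform -ge $Minimum)
                Error              = $null
            }
        } catch {
            # Defender cmdlets missing (feature not installed, third-party AV
            # in control) or the service unreachable: report it, do not guess.
            [pscustomobject]@{
                ComputerName       = $env:COMPUTERNAME
                PlatformVersion    = $null
                EngineVersion      = $null
                ServiceVersion     = $null
                RealTimeProtection = $null
                Patched            = $false
                Error              = $_.Exception.Message
            }
        }
    }

    foreach ($target in $ComputerName) {
        if ($target -ieq $env:COMPUTERNAME -or $target -ieq 'localhost') {
            & $probe $MinimumPlatformVersion
            continue
        }
        try {
            Invoke-Command -ComputerName $target -ScriptBlock $probe `
                -ArgumentList $MinimumPlatformVersion -ErrorAction Stop
        } catch {
            # Host offline or remoting blocked: surface it as unverified.
            [pscustomobject]@{
                ComputerName       = $target
                PlatformVersion    = $null
                EngineVersion      = $null
                ServiceVersion     = $null
                RealTimeProtection = $null
                Patched            = $false
                Error              = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder version; substitute the fixed version from Microsoft's
# advisory). Lists hosts that still need the platform update or could not be
# verified.
Test-DefenderPlatformPatched -MinimumPlatformVersion '4.18.0.0' `
    -ComputerName $env:COMPUTERNAME |
    Where-Object { -not $_.Patched } |
    Format-Table ComputerName, PlatformVersion, Patched, Error -AutoSize
```

A host that cannot be queried is reported as unpatched on purpose: an unverified endpoint should count against compliance, not silently drop out of the list. Note also that signature (definition) updates do not replace the platform binaries; the Antimalware Platform update is a separate package delivered through Windows Update, so a current signature version says nothing about whether this fix is present.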
If immediate patching is not possible, standard security best practices apply: restrict local user privileges through the principle of least privilege, employ robust endpoint detection and response (EDR) tools to monitor for suspicious activity, and maintain strong network segmentation to limit the impact of a potential local compromise.
Security Insight
This incident highlights the paradox of defensive software itself becoming an attack vector. As with past vulnerabilities in security agents from other vendors, CVE-2026-33825 shows that the high-privileged access an endpoint protection agent needs makes it a high-value target: any flaw in how the agent restricts access to its own operations becomes a privilege escalation path for an attacker who already has a foothold. It underscores the need for defense-in-depth, where no single security product is implicitly trusted and security controls are validated continuously. For more on current exploitation trends, see our analysis of APT28’s recent DNS hijacking campaigns.
Further Reading
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| Letlaka/redsun-bluehammer-undefend-detection-pack | Microsoft Defender XDR KQL detections for RedSun, BlueHammer, UnDefend, and CVE-2026-33825-related Defender abuse behaviors. | ★ 4 |
| Bilal3755/Detecting_blue_hammer_vuln | Threat hunting query for bluehammer CVE windows CVE-2026-33825 | ★ 0 |
| Joe1sn/CVE-2026-33825 | RedSun PoC for self use | ★ 0 |
Showing 3 of 3 known references. Source: nomi-sec/PoC-in-GitHub.