Microsoft: Microsoft Defender 0-Day Vulnerability Enables Privilege Escalation Attack

Microsoft Patches Zero-Day Privilege Escalation Flaw in Defender Antimalware Platform

On April 14, 2026, Microsoft released security updates to address a newly disclosed zero-day vulnerability (CVE-2026-33825) in its Defender Antimalware Platform. The flaw, rated "Important," enables attackers with local access to escalate privileges to SYSTEM-level permissions, granting full control over affected Windows machines.

The vulnerability stems from insufficient access-control granularity (CWE-1220) in Defender’s user-mode binaries (e.g., MsMpEng.exe) and kernel-mode drivers. Exploitation requires only low privileges and no user interaction, making it a high-risk threat. Once exploited, attackers could disable security tools, deploy persistent malware, exfiltrate sensitive data, or create administrative accounts.

Key Details:

  • CVSS Score: 7.8 (High)
  • Attack Vector: Local (attacker must already have access)
  • Complexity: Low (easy to exploit)
  • Affected Versions: Platform versions up to 4.18.26020.6
  • Patch Version: 4.18.26030.3011

Security researchers Zen Dodd and Yuanpei Xu reported the flaw. Microsoft confirms it has not been exploited in the wild, though exploitation is rated "More Likely" as threat actors develop exploit code. Notably, vulnerability scanners may flag systems with Defender disabled as vulnerable; Microsoft clarifies that such systems are not exploitable unless Defender is active.

The patch is automatically deployed in most environments, but organizations should verify updates via Windows Security > Virus & threat protection > Protection Updates or check the Antimalware Client Version in settings. Administrators are advised to audit software distribution tools to ensure compliance across networks.
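A defender-side check for the verification step above, added here as an example and not taken from the article or from Microsoft: it reads the installed Defender platform version with Get-MpComputerStatus, compares it against the fixed build named in the advisory, and reports exposure only when the antimalware service is actually running, matching the note that hosts with Defender disabled are not exploitable. It assumes that the "Antimalware Client Version" shown in Windows Security corresponds to the AMProductVersion property.

```powershell
# Added example: report whether this host is still exposed to CVE-2026-33825.
# Fixed platform build quoted in the advisory above.
$FixedPlatform = [version]'4.18.26030.3011'

function Test-DefenderPlatformExposure {
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # The cmdlet fails when the Defender platform is absent or cannot be
        # queried; surface that for review rather than silently treating it as patched.
        return [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            PlatformVersion = $null
            DefenderActive  = $false
            BelowFixedBuild = $null
            Exposed         = $false
            Note            = "Defender status unavailable: $($_.Exception.Message)"
        }
    }

    # Assumption: AMProductVersion is the 'Antimalware Client Version' shown in Windows Security.
    $installed = [version]$status.AMProductVersion
    $active    = [bool]$status.AMServiceEnabled
    $unpatched = $installed -lt $FixedPlatform

    # An unpatched platform whose service is stopped is flagged by scanners but,
    # per the advisory, is not exploitable; call that out separately.
    $note = ''
    if ($unpatched -and -not $active) {
        $note = 'Unpatched but Defender inactive: not exploitable, still update'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $installed.ToString()
        DefenderActive  = $active
        BelowFixedBuild = $unpatched
        Exposed         = ($unpatched -and $active)
        Note            = $note
    }
}

Test-DefenderPlatformExposure | Format-List
```

Run it as an administrator on each host, or wrap the function in Invoke-Command to collect the same object fleet-wide and compare it against your software distribution tool's inventory.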

Source: https://cybersecuritynews.com/microsoft-defender-0-day-vulnerability/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

{
  "id": "MIC1776249547",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users of Windows machines with Defender Antimalware Platform (versions up to 4.18.26020.6)",
      "industry": "Software",
      "location": "Global",
      "name": "Microsoft",
      "size": "Large",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "Local",
  "customer_advisories": "Users advised to check for updates via Windows Security or Antimalware Client Version.",
  "data_breach": {
    "data_exfiltration": "Possible",
    "sensitivity_of_data": "High (SYSTEM-level access)",
    "type_of_data_compromised": "Sensitive data (potential exfiltration)"
  },
  "date_publicly_disclosed": "2026-04-14",
  "date_resolved": "2026-04-14",
  "description": "On April 14, 2026, Microsoft released security updates to address a newly disclosed zero-day vulnerability (CVE-2026-33825) in its Defender Antimalware Platform. The flaw enables attackers with local access to escalate privileges to SYSTEM-level permissions, granting full control over affected Windows machines. The vulnerability stems from insufficient access-control granularity (CWE-1220) in Defender’s user-mode binaries and kernel-mode drivers. Exploitation requires only low privileges and no user interaction, allowing attackers to disable security tools, deploy persistent malware, exfiltrate sensitive data, or create administrative accounts.",
  "impact": {
    "data_compromised": "Sensitive data exfiltration possible",
    "operational_impact": "Disabling of security tools, deployment of persistent malware, creation of administrative accounts",
    "systems_affected": "Windows machines with Defender Antimalware Platform (versions up to 4.18.26020.6)"
  },
  "investigation_status": "Patched",
  "post_incident_analysis": {
    "corrective_actions": "Patch released (version 4.18.26030.3011); automatic deployment in most environments",
    "root_causes": "Insufficient access-control granularity (CWE-1220) in Defender’s user-mode binaries and kernel-mode drivers"
  },
  "recommendations": "Verify patch deployment via Windows Security or Antimalware Client Version; audit software distribution tools for compliance; monitor for exploitation attempts.",
  "references": [
    { "source": "Microsoft Security Update" }
  ],
  "response": {
    "communication_strategy": "Public disclosure and advisory via Microsoft security updates",
    "containment_measures": "Security updates released (patch version 4.18.26030.3011)",
    "remediation_measures": "Automatic deployment of patches; verification via Windows Security or Antimalware Client Version checks"
  },
  "stakeholder_advisories": "Administrators advised to verify updates and ensure compliance across networks.",
  "title": "Microsoft Patches Zero-Day Privilege Escalation Flaw in Defender Antimalware Platform",
  "type": "Privilege Escalation",
  "vulnerability_exploited": "CVE-2026-33825 (Insufficient access-control granularity - CWE-1220)"
}