Planned Fix

CVE-2026-33825

Local Privilege Escalation in Microsoft Defender Antimalware Platform

Summary

Microsoft Defender Antimalware Platform has a local elevation-of-privilege flaw in its signature and update workflow. A low-privilege local attacker can abuse a race or TOCTOU condition to steer privileged Defender file handling toward attacker-influenced paths and expose sensitive system data. Successful exploitation can raise the attacker to SYSTEM and fully compromise the endpoint.

Why Planned Fix?

Score: 5/6
  • Domain user required (treated as pre-auth on internal network)
  • Internal deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? Yes (domain user)
PoC / Exploit: Yes
Impact: Gain SYSTEM-level privileges on the local machine (full system compromise)

Exploitation Requirements
  • Authentication required (domain user)
Exploitation Process

The attacker starts from a standard, low-privileged local user account on a Windows endpoint with Defender enabled. They trigger Defender scanning or update activity with a crafted file, then use file-system timing primitives such as locks, opportunistic locks (oplocks), or a fake cloud-sync provider to stall the privileged Defender process at a predictable step. While Defender is paused inside its update or restore workflow, they swap the target path or the staged content so that the privileged process reads or restores attacker-chosen data from a protected location, and then use the resulting handle or file state to extract sensitive material or execute actions as SYSTEM. As described here, the defect is a check-then-use window: the privileged process validates a path and later operates on it by name again, so whatever the name resolves to in between is honoured. The durable fix for that class of bug is to open the target once and perform every later check and operation on that handle rather than on the path.

Detection Resources
Manual Detection: 1
Script Detection: 0

Affected Software

Vendor: Microsoft

Product | Affected Versions
Microsoft Defender Antimalware Platform | < 4.18.26030.3011
Description

Microsoft Defender Antimalware Platform is the built-in Windows antivirus and antimalware engine that scans files, applies signatures, and enforces endpoint protection on Windows devices.

Deployment: Typically internal | Protocol: Local | Ports: none (local attack vector)

Affected Component: Defender antimalware platform signature/update workflow and local access-control checks.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimate based on market presence, product type and adoption signals, not exact data).
Vendor Size: Big
Remediation
Workaround: Not available

Patch: Not available

Update: Upgrade Microsoft Defender Antimalware Platform to version 4.18.26030.3011 or later through Microsoft security updates and platform updates.
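Whether a host is still exposed comes down to comparing the installed platform build against the fixed one. The following is an added example, not code from the page or from Microsoft: only the fixed build 4.18.26030.3011 is taken from the advisory; the numeric version comparison and the PowerShell query that reads `AMProductVersion` from `Get-MpComputerStatus` are editorial assumptions.

```python
"""Affected-version check for the Defender antimalware platform (added example).

Only the fixed build (4.18.26030.3011) comes from the advisory; the numeric
comparison below and the PowerShell query are editorial assumptions.
"""
import subprocess
import sys
from typing import Optional, Tuple

FIXED_PLATFORM_VERSION = "4.18.26030.3011"


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.18.26030.3011' -> (4, 18, 26030, 3011).

    Compare numerically: as text, '4.18.9999.1' sorts after '4.18.26030.3011',
    so a plain string comparison would wrongly call an old build patched.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_PLATFORM_VERSION) -> bool:
    """True when `version` is older than the fixed build (the page gives no lower bound)."""
    cur, fix = parse_version(version), parse_version(fixed)
    width = max(len(cur), len(fix))
    cur += (0,) * (width - len(cur))  # pad so '4.18.26030' compares below '4.18.26030.3011'
    fix += (0,) * (width - len(fix))
    return cur < fix


def local_platform_version() -> Optional[str]:
    """Read AMProductVersion from the local Defender service (Windows only).

    Assumption: powershell.exe is on PATH and the Defender module is present.
    On other platforms this returns None so the module still imports cleanly.
    """
    if sys.platform != "win32":
        return None
    proc = subprocess.run(
        ["powershell", "-NoProfile", "-Command", "(Get-MpComputerStatus).AMProductVersion"],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.strip() or None


if __name__ == "__main__":
    installed = local_platform_version()
    if installed is None:
        print("not a Windows host; sample check:", is_affected("4.18.26030.3010"))
    else:
        state = "AFFECTED, apply the platform update" if is_affected(installed) else "at or above the fixed build"
        print(f"Defender platform {installed}: {state}")
```

Run it on the endpoint itself, or feed `is_affected()` the `AMProductVersion` values collected by your inventory tooling; the padding step matters because some inventories report a three-part build number.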

Source: msrc.microsoft.com
Threat Intelligence

EPSS Score: 6.4% (probability of exploitation in the next 30 days)
EPSS Percentile: 91% (worse than 91% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: huntress.com)
Threat Actors

No known threat actors

Detection Rules (4)
  • Other: User-writable execution of FunnyApp.exe, RedSun.exe, undef.exe, or z.exe
  • Other: Recon commands: whoami /priv, cmdkey /list, or net group near BlueHammer activity
  • Other: Defender alert Exploit:Win32/DfndrPEBluHmr.BZ
  • Yara: MZ binaries with BeigeBurrow strings: "connection failed: %v, retrying in 5m", "failed to dial %s: %v", "failed to read target: %v"
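The four rules above are easier to reason about when run over actual telemetry. What follows is an added example of that logic, not a rule set from the page, Huntress or Microsoft: the file names, command strings, alert name and BeigeBurrow strings are copied from the rules above, while the event schema (Sysmon Event ID 1 style `Image`/`CommandLine` plus a minimal Defender alert record), the user-writable directory list, the 10-minute correlation window used to implement "near BlueHammer activity", and every sample event are constructed for the example.

```python
"""Detection logic for the four rules listed above (added example).

Assumptions (not from the page): the event schema mirrors Sysmon Event ID 1
fields plus a minimal Defender alert record; the user-writable directory list
and the 10-minute correlation window are editorial choices; all sample
telemetry below is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Indicators copied from the page's detection rules.
SUSPECT_FILENAMES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe"}
RECON_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bwhoami(?:\.exe)?\s+/priv\b",
    r"\bcmdkey(?:\.exe)?\s+/list\b",
    r"\bnet1?(?:\.exe)?\s+group\b",
)]
DEFENDER_ALERT_NAME = "Exploit:Win32/DfndrPEBluHmr.BZ"
BEIGEBURROW_STRINGS = (
    b"connection failed: %v, retrying in 5m",
    b"failed to dial %s: %v",
    b"failed to read target: %v",
)
# Assumption: path fragments a standard user can write under.
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                 # "process" (Sysmon EID 1 style) or "alert" (Defender)
    image: str = ""
    command_line: str = ""
    threat_name: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_user_writable_exec(ev: Event) -> bool:
    """Suspect file name executed from a user-writable location."""
    if ev.kind != "process":
        return False
    norm = ev.image.replace("/", "\\").lower()
    return _basename(ev.image) in SUSPECT_FILENAMES and any(d in norm for d in USER_WRITABLE_DIRS)


def rule_recon(ev: Event) -> bool:
    """whoami /priv, cmdkey /list or net group on the command line."""
    return ev.kind == "process" and any(p.search(ev.command_line) for p in RECON_PATTERNS)


def rule_defender_alert(ev: Event) -> bool:
    return ev.kind == "alert" and ev.threat_name == DEFENDER_ALERT_NAME


def rule_beigeburrow_binary(data: bytes) -> bool:
    """YARA-style check: PE (MZ) image carrying all three BeigeBurrow strings."""
    return data[:2] == b"MZ" and all(s in data for s in BEIGEBURROW_STRINGS)


def correlate(events: Iterable[Event], window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str]]:
    """Return (rule, host, timestamp) findings.

    Executions and Defender alerts fire on their own; recon commands are only
    reported when they fall within `window` (either direction) of such an
    anchor on the same host, which is how "near BlueHammer activity" is read here.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    anchors = {}  # host -> anchor timestamps
    findings = []
    for ev in ordered:
        if rule_user_writable_exec(ev):
            findings.append(("user_writable_exec", ev.host, ev.ts.isoformat()))
            anchors.setdefault(ev.host, []).append(ev.ts)
        elif rule_defender_alert(ev):
            findings.append(("defender_alert", ev.host, ev.ts.isoformat()))
            anchors.setdefault(ev.host, []).append(ev.ts)
    for ev in ordered:
        if rule_recon(ev) and any(abs(ev.ts - t) <= window for t in anchors.get(ev.host, [])):
            findings.append(("recon_near_activity", ev.host, ev.ts.isoformat()))
    return findings


# Constructed sample telemetry: one host with the full chain, two decoys.
T0 = datetime(2026, 4, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws01", "process", image=r"C:\Users\alice\AppData\Local\Temp\z.exe", command_line="z.exe"),
    Event(T0 + timedelta(minutes=2), "ws01", "process", image=r"C:\Windows\System32\whoami.exe", command_line="whoami /priv"),
    Event(T0 + timedelta(minutes=3), "ws01", "alert", threat_name=DEFENDER_ALERT_NAME),
    # Recon on a host with no anchor inside the window: stays quiet.
    Event(T0 + timedelta(hours=5), "ws02", "process", image=r"C:\Windows\System32\net.exe", command_line='net group "Domain Admins" /domain'),
    # Suspect name launched from a non-writable install directory: not reported.
    Event(T0, "ws03", "process", image=r"C:\Program Files\Vendor\RedSun.exe", command_line="RedSun.exe"),
]
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 60 + b"\x00".join(BEIGEBURROW_STRINGS)

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(*finding)
    print("BeigeBurrow sample matches:", rule_beigeburrow_binary(SAMPLE_BINARY))
```

The two-pass correlation is deliberate: recon that precedes the dropped binary by a minute is as interesting as recon that follows it, and an isolated `net group` on a host with no anchor is too common in a domain to page on. The string check is the YARA rule's condition rewritten in Python; in production ship it as YARA, which handles large files and wide strings more gracefully.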

NVD Data


Description Summary

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

CVSS Base Score: 7.8 (High)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-1220 Insufficient Granularity of Access Control
Version From: | Version Upto: 4.18.26030.3011

Affected Software (CPE) (1)

  • cpe:2.3:a:microsoft:defender_antimalware_platform:*:*:*:*:*:*:*:*

Priority History

Planned Fix: Initial analysis
Fix Soon: Elevated — new exploitation evidence confirmed