cbcvebase.
CVE-2026-33825
published 2026-04-14

CVE-2026-33825: Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Priority: P188 (high)
CVSS 3.1: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2026-05-06
Exploited in the wild
EPSS: 6.75% (93.2 percentile)

Affected

2 ranges

Vendor      Product                                   Version range                   Fixed in
microsoft   defender_antimalware_platform             < 4.18.26030.3011               4.18.26030.3011
microsoft   microsoft_defender_antimalware_platform   >= 4.0.0.0, < 4.18.26030.3011   4.18.26030.3011

Detection & IOCs (extracted from sources)

process: TieringEngineService.exe
path: C:\Windows\system32\TieringEngineService.exe
  • The BlueHammer (CVE-2026-33825) exploit was publicly released by researcher 'Chaotic Eclipse' (GitHub account 'MSNightmare'); monitor for PoC exploit execution targeting Microsoft Defender for local privilege escalation.
  • Suspicious FortiGate SSL VPN access from a Russia-geolocated source IP was observed tied to environments where CVE-2026-33825 was exploited; correlate VPN anomalies with Defender LPE exploitation.
  • The RedSun exploit (related Defender zero-day) abuses the Cloud Files API, uses an oplock to win a volume shadow copy race, and uses a directory junction/reparse point to overwrite C:\Windows\system32\TieringEngineService.exe; monitor for unexpected writes to that path and oplock/junction abuse.
  • Check Point IPS signature available for the related Apache ActiveMQ flaw exploited in the same threat wave; ensure IPS coverage is current for the broader campaign context.
  • FCEB agencies were ordered to patch CVE-2026-33825 by May 7 per CISA KEV directive; the two-week remediation window has operational implications for patch prioritization.

CVSS provenance

nvd (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH