On April 22, 2026, CISA added CVE-2026-33825 to the Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability, classified as "Microsoft Defender Insufficient Granularity of Access Control," represents a critical risk to the federal enterprise and private sector networks alike. CISA's addition, based on evidence of active exploitation, signals that malicious cyber actors are already leveraging this flaw to bypass security controls.
For defenders, this advisory is a red alert. When a primary security control like Defender is compromised, the integrity of the entire endpoint detection stack is called into question. This post provides a technical breakdown of the vulnerability, detection strategies to identify potential exploitation attempts, and immediate remediation steps.
Technical Analysis
CVE ID: CVE-2026-33825 Product: Microsoft Defender (Endpoint/Server) Vulnerability Type: Insufficient Granularity of Access Control (CWE-732) Status: Active Exploitation (Confirmed in CISA KEV)
The Vulnerability Mechanism
The "Insufficient Granularity of Access Control" classification indicates that Microsoft Defender performs permission checks on a protected resource (such as configuration files, quarantine directories, or registry hives) at a scope that is too broad. This discrepancy allows an attacker with lower privileges—perhaps a standard user or a process running within a constrained environment—to manipulate Defender's operations.
In the context of active exploitation observed in the wild, this vulnerability is likely being used to:
- Disable Tamper Protection: Modify ACLs on Defender directories to prevent the service from restarting or updating signatures.
- Quarantine Tampering: Access and restore previously quarantined malware.
- Exclusion Injection: Add path or process exclusions to Defender's configuration without triggering administrative alerts, effectively blinding the AV to subsequent payloads.
Risk Assessment
The inclusion in the KEV catalog and BOD 22-01 confirms the severity. Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by the deadlines mandated by the directive. For private organizations, the risk is identical: adversaries can utilize this flaw to establish persistence and evade detection, turning the organization's primary defensive tool into a liability.
Detection & Response
Given the active exploitation status, SOC teams must immediately hunt for signs of abuse targeting Microsoft Defender's access controls. The following detection logic focuses on identifying unauthorized manipulation of Defender configurations and filesystem permissions.
SIGMA Rules
---
title: Potential Microsoft Defender ACL Modification
description: Detects attempts to modify Access Control Lists (icacls) on Microsoft Defender directories, indicative of CVE-2026-33825 exploitation or Tamper Protection bypass.
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
references:
- https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/04/23
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\icacls.exe'
- '\xcacls.exe'
CommandLine|contains:
- 'ProgramData\\Microsoft\\Windows Defender'
- 'Program Files\\Windows Defender'
condition: selection
falsepositives:
- Legitimate administrator modifying Defender permissions (rare)
level: high
---
title: PowerShell Defender Exclusion Injection
description: Detects the use of PowerShell to add exclusions to Microsoft Defender, a common tactic to bypass AV/EDR after exploiting access control vulnerabilities.
id: b4c5d6e7-8f9a-0b1c-2d3e-4f5a6b7c8d9e
status: experimental
references:
- https://attack.mitre.org/techniques/T1562/001/
author: Security Arsenal
date: 2026/04/23
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection_pow:
Image|endswith: '\powershell.exe'
selection_cmd:
CommandLine|contains:
- 'Add-MpPreference'
- 'Set-MpPreference'
filter_exclusion:
CommandLine|contains:
- '-ExclusionPath'
- '-ExclusionProcess'
condition: all of selection_* and filter_exclusion
falsepositives:
- Authorized administration scripts managing Defender policies
level: medium
---
title: Registry Modification of Defender Features
description: Detects modifications to the Windows Defender registry keys often associated with disabling features or altering behavior.
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
references:
- https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2026/04/23
tags:
- attack.defense_evasion
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- 'SOFTWARE\\Microsoft\\Windows Defender\\Features'
- 'SOFTWARE\\Microsoft\\Windows Defender\\Policy'
Details|contains:
- '0x00000000'
- 'disable'
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for ACL modifications on Defender directories
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("icacls.exe", "xcacls.exe", "takeown.exe")
| where ProcessCommandLine has_any ("ProgramData\\Microsoft\\Windows Defender", "Program Files\\Windows Defender")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| extend HuntContext = "Potential CVE-2026-33825 Exploitation - ACL Modification"
// Hunt for PowerShell exclusion additions
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "Set-MpPreference" and (ProcessCommandLine contains "-ExclusionPath" or ProcessCommandLine contains "-ExclusionProcess")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| extend HuntContext = "Potential CVE-2026-33825 Exploitation - Exclusion Injection"
Velociraptor VQL
-- Hunt for process execution attempting to modify Defender permissions
SELECT Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE Name =~ 'icacls.exe'
AND CommandLine =~ 'Windows Defender'
-- Check for unusual ACL modifications on Defender Platform folder
SELECT FullPath, Mode, Size, Mtime
FROM glob(globs='/*
OR CommandLine =~ 'Program Files\\Windows Defender'
Remediation Script (PowerShell)
<#
.SYNOPSIS
Remediation Script for CVE-2026-33825
.DESCRIPTION
Checks for Microsoft Defender updates, verifies Tamper Protection status,
and audits the ACLs of critical Defender directories.
#>
Write-Host "Starting CVE-2026-33825 Remediation Checks..." -ForegroundColor Cyan
# 1. Check Microsoft Defender Version and Update Status
Write-Host "\n[+] Checking Defender Engine Version..." -ForegroundColor Yellow
$MpPreference = Get-MpPreference
Write-Host "Current Engine Version: $($MpPreference.EngineVersion)"
# Note: Ensure the specific patch for CVE-2026-33825 is installed via Windows Update.
# As this is a recent CVE, ensure 'Microsoft Update' catalog is checked.
Write-Host "Action: Verify Windows Update (KB specific to CVE-2026-33825) is installed immediately." -ForegroundColor Red
# 2. Verify Tamper Protection is Enabled
Write-Host "\n[+] Checking Tamper Protection Status..." -ForegroundColor Yellow
# Tamper Protection registry key (introduced in newer Win10/11 builds)
$TamperPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features"
$TamperValue = (Get-ItemProperty -Path $TamperPath -ErrorAction SilentlyContinue).TamperProtection
if ($TamperValue -eq 5) { # 5 usually means Enabled/On
Write-Host "Tamper Protection: ENABLED (Secure)" -ForegroundColor Green
} else {
Write-Host "Tamper Protection: DISABLED or NOT SET (VULNERABLE)" -ForegroundColor Red
Write-Host "Action: Enable Tamper Protection via Intune or Group Policy immediately."
}
# 3. Audit ACLs on Defender Directory (Detect Granularity Issues)
Write-Host "\n[+] Auditing Access Control Lists on Defender Platform Directory..." -ForegroundColor Yellow
$DefenderPath = "$env:ProgramData\Microsoft\Windows Defender\Platform"
if (Test-Path $DefenderPath) {
$Acl = Get-Acl $DefenderPath
Write-Host "Owner: $($Acl.Owner)"
Write-Host "Checking for non-standard write permissions..."
$Acl.Access | Where-Object { $_.FileSystemRights -match "Write|Modify|FullControl" -and $_.IdentityReference -notmatch "SYSTEM|Administrators|TrustedInstaller" } | Select-Object IdentityReference, FileSystemRights | Format-Table
Write-Host "Action: If non-admin users/groups have Write/Modify permissions, revert to defaults immediately."
} else {
Write-Host "Defender Platform path not found."
}
Write-Host "\nRemediation Script Complete." -ForegroundColor Cyan
Remediation
To address CVE-2026-33825 and comply with CISA BOD 22-01, organizations must take the following specific actions:
- Patch Immediately: Apply the latest security update from Microsoft addressing CVE-2026-33825. This will be included in the Monthly Rollup or a dedicated out-of-band security update. Verify the installation via
Get-Hotfixor Windows Update history. - Enable Tamper Protection: Ensure "Tamper Protection" is strictly enforced across all endpoints. This prevents unauthorized applications (and potentially adversaries exploiting this CVE) from altering Defender settings.
- Review Local Administrators: Conduct an audit of the local administrators group on critical assets. Reducing the number of accounts with high privileges limits the attack surface for access control abuse.
- CISA Deadline: Federal agencies must remediate this vulnerability by the deadline specified in the KEV catalog entry to comply with BOD 22-01.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.