
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-33825, an insufficient granularity of access control vulnerability in Microsoft Defender, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation in the wild.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-04-23

Authors: CISA

Source: CISA

Key Takeaways

  • CISA added CVE-2026-33825 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerability affects Microsoft Defender and involves insufficient granularity of access control.
  • There is evidence of active exploitation of this vulnerability in the wild.
  • Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability per BOD 22-01.

Affected Systems

  • Microsoft Defender

Vulnerabilities (CVEs)

  • CVE-2026-33825

Attack Chain

Threat actors are actively exploiting CVE-2026-33825, an insufficient granularity of access control vulnerability in Microsoft Defender. Specific exploitation chains, payloads, or post-exploitation activities are not detailed in the alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules or logic are provided in the alert.

Detection Engineering Assessment

  • EDR Visibility: None — The alert provides no specific EDR telemetry, behavioral indicators, or exploit details.
  • Network Visibility: None — No network indicators or traffic patterns are detailed in the alert.
  • Detection Difficulty: Hard — Without specific IOCs or behavioral details of the exploit, detection relies entirely on vulnerability scanning for unpatched versions of Microsoft Defender.

Hunting Hypotheses

  • Hypothesis: Monitor for unusual access control modifications, policy changes, or privilege escalation attempts involving Microsoft Defender components.
    Telemetry: Endpoint (Security Event Logs, EDR)
    ATT&CK Stage: Privilege Escalation
    FP Risk: Medium

Control Gaps

  • Unpatched Microsoft Defender installations

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and patch all instances of Microsoft Defender vulnerable to CVE-2026-33825 immediately.

Infrastructure Hardening

  • Implement robust vulnerability management practices to prioritize and remediate KEV catalog items.

User Protection

  • N/A

Security Awareness

  • Review CISA BOD 22-01 requirements to ensure compliance for federal agencies and adopt its principles for private sector vulnerability management.