Microsoft patches Defender zero-day that could give attackers SYSTEM privileges
Microsoft has fixed a publicly disclosed zero-day in Microsoft Defender that could let a local attacker raise privileges to SYSTEM, the highest level of access on a Windows machine. The flaw, tracked as CVE-2026-33825, affects the Microsoft Defender Antimalware Platform and carries a CVSS 3.1 score of 7.8.
This is a local privilege escalation bug, not a remote code execution flaw. The published CVSS vector shows low attack complexity, low privileges required, and no user interaction, which means an attacker needs a foothold first but can then move quickly to full SYSTEM rights on a vulnerable device.
Microsoft has not said the flaw was exploited in the wild, but it did mark the issue as publicly disclosed. Rapid7’s Patch Tuesday review says Microsoft was aware of public disclosure before the patch landed, which is why many researchers are treating it as a zero-day in the disclosure sense rather than an actively exploited one.
What the Defender bug does
The vulnerability stems from insufficient granularity of access control in Microsoft Defender. NVD and the CVE record both use that exact description and map it to CWE-1220.
If an attacker successfully exploits the bug, they can jump from a low-privileged local context to SYSTEM. That level of access can let an intruder disable protections, install persistent malware, read sensitive data, and create or modify privileged accounts. Those outcomes follow from standard SYSTEM-level control on Windows, and multiple Patch Tuesday reviews flagged that as the core risk.
The issue matters because it hits Defender itself. When a security product becomes the path to full privilege escalation, attackers can use a modest foothold to turn a protected machine into a fully compromised one.
| Key detail | Status |
|---|---|
| CVE | CVE-2026-33825 |
| Component | Microsoft Defender Antimalware Platform |
| Severity | Important |
| CVSS | 7.8 |
| Attack type | Local privilege escalation |
| Exploitation status | Publicly disclosed, no confirmed in-the-wild exploitation in the sources reviewed |
| Fixed version | Defender platform 4.18.26030.3011 |
Patch details and affected versions
The fix is tied to the Microsoft Defender Antimalware Platform version, not a normal Windows cumulative update alone. Microsoft’s current Defender update page lists platform version 4.18.26030.3011, and Tenable says systems running an earlier Antimalware Platform version are vulnerable to CVE-2026-33825.
That means admins should verify the Defender platform version directly, especially in managed environments where engine and platform updates may lag behind regular Windows patching. Microsoft’s Defender for Endpoint release notes also list platform version 4.18.26030.3011.
Rapid7 says no manual action should be necessary in most cases because Defender platform updates usually install automatically. Even so, large organizations should still confirm deployment through their update tools rather than assume every endpoint pulled the fix.
What defenders should do now
Patch validation comes first. Check whether endpoints run Defender platform version 4.18.26030.3011 or later, then investigate any device that still reports an older platform build.
Security teams should also remember the attack path here. This flaw needs local access or an existing low-privilege foothold, so it pairs naturally with phishing, stolen credentials, malware drops, or another initial compromise. On its own, it does not break into a machine from the internet.
The practical risk is that once an attacker lands on the device, this bug can help them finish the job. That makes it a strong patching priority even without confirmed active exploitation.
Immediate steps
- Check Defender platform versions across all Windows endpoints.
- Update any device below 4.18.26030.3011.
- Prioritize endpoints where users have local access and sensitive data lives.
- Review EDR alerts for attempts to gain SYSTEM privileges after initial access.
- Confirm automatic Defender platform updates still work in your software distribution stack.
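One way to do the first two checks from the list above, as an added example that is not from the article, Microsoft or any of the cited vendors: it reads the local Defender platform version with the built-in Get-MpComputerStatus cmdlet and compares it against the fixed build the article names. The remote-report helper assumes WinRM is enabled on the target hosts, which the article does not discuss.

```powershell
# Added example: compare the installed Defender Antimalware Platform version
# with the fixed build named for CVE-2026-33825 (4.18.26030.3011).
# Get-MpComputerStatus is the built-in Defender cmdlet; AMProductVersion is the
# platform version, AMEngineVersion the engine build, AMServiceEnabled the service state.
$FixedPlatform = [version]'4.18.26030.3011'

function Test-DefenderPlatformPatched {
    param([version]$Minimum = $FixedPlatform)

    $status    = Get-MpComputerStatus -ErrorAction Stop
    $installed = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $installed
        EngineVersion   = $status.AMEngineVersion
        ServiceEnabled  = $status.AMServiceEnabled
        # [version] comparison is numeric per field, so 4.18.26030.3011 > 4.18.25100.9
        Patched         = ($installed -ge $Minimum)
    }
}

# Fleet variant (assumption: WinRM reachable on every host in $ComputerName).
# The local function body is shipped to each host and run there.
function Get-DefenderPlatformReport {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName `
        -ScriptBlock ${function:Test-DefenderPlatformPatched} `
        -ArgumentList $FixedPlatform |
        Select-Object ComputerName, PlatformVersion, EngineVersion, ServiceEnabled, Patched
}

# Local check; unpatched or disabled hosts are the ones to investigate.
$result = Test-DefenderPlatformPatched
$result | Format-List
if (-not $result.Patched) {
    Write-Warning "Defender platform $($result.PlatformVersion) is below $FixedPlatform on $($result.ComputerName); update and investigate."
}
```

For a managed fleet, pipe the output of Get-DefenderPlatformReport to Where-Object { -not $_.Patched } to get the list of endpoints that still need the platform update.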
FAQ
Is CVE-2026-33825 a zero-day?
It was publicly disclosed before Microsoft shipped the fix, which fits the common zero-day disclosure definition. The sources I reviewed do not show confirmed in-the-wild exploitation as of April 17, 2026.
Can it be exploited remotely?
No. The published CVSS vector says the attack requires local access and low privileges.
What can an attacker do with it?
Successful exploitation can raise access to SYSTEM, which gives near-total control over the affected Windows machine.
Which Defender versions are affected?
Microsoft’s current published Defender platform version is 4.18.26030.3011, and outside vulnerability tracking says earlier platform versions are affected.