CVE-2026-33825

Severity: HIGH · CISA KEV

Microsoft Defender Elevation of Privilege Vulnerability

Title source: cna

Exploitation Summary

CVE-2026-33825 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 22, 2026 (VulnCheck KEV listed it earlier, on April 16, 2026). EIP tracks 5 public repositories for it (two working PoCs, two writeups/detection packs and one flagged as suspicious) from authors including adminlove520, 0xBlackash and Joe1sn.

AI-analyzed exploit summary: The two working PoCs tracked below (adminlove520, Joe1sn) dynamically resolve NTDLL functions, interact with the Windows object manager (directory objects) and enumerate and manipulate Volume Shadow Copy Service (VSS) shadow volume names, which their analyses classify as a local privilege escalation (LPE) vector. The 0xBlackash writeup characterises the underlying bug as a TOCTOU race condition in Microsoft Defender reached through NTFS reparse points and opportunistic locks, escalating to SYSTEM. Note that the MSRC description and the CVSS vector (PR:L) require only a low-privileged local account; the "administrative privileges" prerequisite attached to the VSS-based PoC analyses comes from those automated analyses, not from the advisory.

Description

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Exploits (5)

github · WORKING POC · 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-33825

This repository contains a functional exploit PoC for CVE-2026-33825, targeting a Windows kernel vulnerability related to Volume Shadow Copy Service (VSS) manipulation. The code interacts with the Windows object manager and NTDLL functions to enumerate and manipulate shadow copy volumes, indicating a local privilege escalation (LPE) vector.

Classification: Working PoC (95% confidence) · Attack type: LPE · Complexity: Moderate · Reliability: Reliable
Target: Microsoft Windows (specific version not specified)
Auth required: yes · Prerequisites: Local access to the target system · Administrative privileges to interact with VSS
Analyzed by devstral-2 on May 21, 2026
github · WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-33825

This repository provides a detailed technical analysis of CVE-2026-33825, a TOCTOU race condition vulnerability in Microsoft Defender that allows local privilege escalation to SYSTEM via NTFS reparse points and opportunistic locks.

Classification: Writeup (95% confidence) · Attack type: LPE · Complexity: Complex · Reliability: Racy
Target: Microsoft Defender on Windows 10/11/Server
Auth required: yes · Prerequisites: Low-privileged user access · Microsoft Defender running with elevated privileges
Analyzed by devstral-2 on May 18, 2026
github · WORKING POC
by Joe1sn · c++ · local
https://github.com/Joe1sn/CVE-2026-33825

The repository contains a functional exploit PoC for CVE-2026-33825, targeting Windows systems via directory object manipulation and Volume Shadow Copy Service (VSS) interactions. The code dynamically resolves NTDLL functions and attempts to enumerate and manipulate shadow volume names.

Classification: Working PoC (90% confidence) · Attack type: LPE · Complexity: Moderate · Reliability: Reliable
Target: Microsoft Windows (likely Windows 10/11 or Server variants)
Auth required: yes · Prerequisites: Local access to the target system · Administrative or SYSTEM privileges for VSS manipulation
Analyzed by devstral-2 on May 02, 2026
nomisec · SUSPICIOUS
by Bilal3755 · poc
https://github.com/Bilal3755/Detecting_blue_hammer_vuln

The repository contains only a vague README with no technical details or exploit code, mentioning a 'threat hunting query' for CVE-2026-33825 without providing any actionable information.

Classification: Suspicious (90% confidence) · Attack type: Other · Complexity: Theoretical · Reliability: Theoretical
Target: Windows (unspecified version)
Auth required: no
Analyzed by devstral-2 on Apr 20, 2026
nomisec · WRITEUP
by Letlaka · poc
https://github.com/Letlaka/redsun-bluehammer-undefend-detection-pack

This repository provides a detailed technical analysis and detection logic for a multi-stage attack chain involving Windows Update API abuse, Defender update package retrieval, and other suspicious activities. It includes KQL queries for Microsoft Defender XDR Advanced Hunting but does not contain functional exploit code.

Classification: Writeup (90% confidence) · Attack type: Other · Complexity: Complex · Reliability: Theoretical
Target: Microsoft Defender XDR
Auth required: yes · Prerequisites: Access to Microsoft Defender XDR Advanced Hunting · Knowledge of KQL queries
Analyzed by devstral-2 on Apr 18, 2026

References (3)

Core references
Vendor Advisory (vendor-advisory, patch): Microsoft Defender Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825

Scores

CVSS v3.1: 7.8 (High)
EPSS: 0.0905 (9.05%), percentile 92.8%
Attack vector: Local
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: no
Technical impact: total

Details

CISA KEV: 2026-04-22
VulnCheck KEV: 2026-04-16
ENISA EUVD: EUVD-2026-22643
CWE: CWE-1220 (Insufficient Granularity of Access Control)
Status: published
Products (2)
microsoft/defender_antimalware_platform: < 4.18.26030.3011
Microsoft / Microsoft Defender Antimalware Platform: 4.0.0.0 - 4.18.26030.3011
(The two product entries disagree on whether 4.18.26030.3011 itself is affected; treat the MSRC advisory above as authoritative for the fixed build.)
Published: Apr 14, 2026
KEV added: Apr 22, 2026
Tracked since: Apr 14, 2026
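Verifying exposure on a host. The practical question for this entry is whether the installed Defender antimalware platform build is below the fix boundary listed under Products. The following PowerShell is an added example written for this page by the editor; it is not code from any of the repositories tracked above or from Microsoft. It assumes that 4.18.26030.3011 is the first fixed platform build (versions strictly below it are affected, following the "< 4.18.26030.3011" product entry; the second entry lists the range inclusively, so confirm against the MSRC advisory), and that the Defender PowerShell module (Get-MpComputerStatus) is present, which it is on Windows 10/11 and Windows Server with Defender installed. The sample version strings are constructed to show the boundary handling and do not describe real hosts.

```powershell
# Added example (editor's own, not from the page's tracked repositories or Microsoft).
# Checks whether the local Microsoft Defender antimalware platform is below the
# version this page lists as the fix boundary for CVE-2026-33825.
# Assumption: 4.18.26030.3011 is the first fixed platform build, i.e. versions
# strictly below it are affected. Adjust if the MSRC advisory says otherwise.

$FixedPlatformVersion = [version]'4.18.26030.3011'

function Test-DefenderPlatformVulnerable {
    param(
        [Parameter(Mandatory)][string]$PlatformVersion,
        [version]$Fixed = $FixedPlatformVersion
    )
    # [version] compares field by field as integers. A plain string comparison
    # would wrongly rank 4.18.9999.0 above 4.18.26030.3011.
    $v = [version]$PlatformVersion
    return ($v -lt $Fixed)
}

# Constructed sample versions (not real hosts) showing the boundary behaviour:
# 4.18.25100.1 and 4.18.26030.3010 report vulnerable, 4.18.26030.3011 and
# 4.18.26040.1 report not vulnerable under the assumption above.
$samples = '4.18.25100.1', '4.18.26030.3010', '4.18.26030.3011', '4.18.26040.1'
foreach ($s in $samples) {
    '{0,-18} vulnerable={1}' -f $s, (Test-DefenderPlatformVulnerable $s)
}

# Live check on the local host. AMProductVersion is the antimalware platform
# build, which is what the affected-version range on this page refers to;
# the engine and signature versions are updated separately and say nothing
# about the platform patch state.
$status = Get-MpComputerStatus
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    PlatformVersion = $status.AMProductVersion
    EngineVersion   = $status.AMEngineVersion
    ServiceEnabled  = $status.AMServiceEnabled
    RunningMode     = $status.AMRunningMode
    VulnerableToCVE = Test-DefenderPlatformVulnerable $status.AMProductVersion
}
```

Platform updates ship through Windows Update, WSUS or Intune as "Update for Microsoft Defender Antimalware Platform", not through signature updates, so a host with current signatures can still carry an affected platform build; run the check across the fleet rather than inferring patch state from signature currency. Because the vulnerability is local (AV:L, PR:L), a vulnerable platform on a multi-user host such as a terminal server or a shared build agent is the priority.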