A newly identified security vulnerability — CVE-2026-33825 — has recently shaken the cybersecurity community. This issue reveals that Microsoft Defender, the default security tool in Windows, has an oversight in its access control settings, allowing any authorized user on a machine to locally escalate their privileges. In simple terms: a non-administrator user can trick Defender into granting them much more power than they should have.
In this long read, I’ll break down what this vulnerability is, how it works, and walk you through a proof-of-concept demonstrating the flaw. I’ll also share resources and suggestions for defense.
- Impact: Any local user can become SYSTEM (the highest privilege)
- Root Cause: The access control implemented in Defender doesn’t restrict access to some sensitive operations/files/services with enough granularity.
Normally, ordinary users should not be allowed to change Defender’s configuration or interact with its services in a privileged way. However, the permissions on certain Defender resources are too loose — letting regular users do dangerous things.
Vulnerability Details
Defender runs several key components as NT AUTHORITY\SYSTEM. However, certain configuration files, registry keys, or service control permissions have an Access Control List (ACL) that mistakenly includes regular user groups with write access or equivalent, rather than only administrators.
This simple configuration mistake means an attacker doesn’t need to break in through the network — if they can log into the system as a normal user, they can exploit this and become an admin.
Let’s imagine Defender stores a configuration file at `C:\ProgramData\Microsoft\Windows Defender\Config.xml` and that its ACL contains an entry like this:

Users: Modify

A regular user can now edit this configuration file!
If Defender loads settings from this file as SYSTEM and, for instance, lets script paths, scan exclusions, or scheduled tasks be configured there, a malicious user could inject their own commands, which Defender would then execute as SYSTEM.
Proof-of-Concept Snippet
*Disclaimer: For educational purposes only.*
Suppose an attacker wants to add a scheduled scan but points it to a malicious script. Here’s some PowerShell that could leverage weak permissions:
```powershell
# Malicious PowerShell script as a non-admin user
$configPath = "C:\ProgramData\Microsoft\Windows Defender\Config.xml"

# Inject a malicious scan path (assuming Defender executes it)
$maliciousEntry = '
<ScanPaths>
<Path>C:\Temp\EvilScript.bat</Path>
</ScanPaths>
'

# Append the entry to the (weakly permissioned) settings file
Add-Content -Path $configPath -Value $maliciousEntry

# Place the malicious script
Set-Content -Path "C:\Temp\EvilScript.bat" -Value "net user attacker Passwrd! /add & net localgroup administrators attacker /add"
```
On next scheduled scan, if Defender’s process runs those scripts, the attacker’s code runs as SYSTEM.
Real-World Exploitability
The actual exploitation depends on which Defender resource is misconfigured: files, registry, service ACLs, or others. In some reported cases (see original advisory), attackers could:
Official References and Resources
- Microsoft Security Response Center: CVE-2026-33825 Advisory
- NVD entry: CVE-2026-33825
- Understanding Windows Service Security (Microsoft Docs)
How to Defend
1. Patch: Install the latest Windows updates. Microsoft has fixed permissions in recent Defender updates.
2. Audit Permissions: Check sensitive Defender files and registry keys for permissions — only Administrators and SYSTEM should have full control.
3. Restrict Local Accounts: Limit the number of users who can log into sensitive machines.
4. Monitor Logs: Unusual changes to Defender configuration files, registry, or service behavior should raise alarms.
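As an added defensive example (not from the post, the advisory, or Microsoft), the following PowerShell performs the audit from step 2: it reports Allow entries on a file, directory, or registry key that grant write-class rights to principals other than Administrators, SYSTEM, and TrustedInstaller. `Find-WeakAce`, the trusted-principal list, and the target list are assumptions; the `Config.xml` path is the post's hypothetical one, while the `ProgramData` directory and the policy key are the standard Defender locations.

```powershell
# Added audit example (not Microsoft's or the advisory's code): list ACL entries that grant
# write-class rights to principals other than the usual privileged ones.
# The function name, trusted-principal list and target paths are assumptions.

$TrustedPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

# Rights that allow changing content or permissions, for the file system and the registry.
$FileWriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership'
$RegWriteMask  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, FullControl'

function Find-WeakAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }

        # Registry ACEs expose RegistryRights; file and directory ACEs expose FileSystemRights.
        $isRegistry = [bool]$ace.PSObject.Properties['RegistryRights']
        $rights = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
        $mask   = if ($isRegistry) { $RegWriteMask }       else { $FileWriteMask }
        if (([int]$rights -band [int]$mask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Targets: the post's hypothetical Config.xml, the Defender data directory and the policy key.
$targets = @(
    'C:\ProgramData\Microsoft\Windows Defender\Config.xml',
    'C:\ProgramData\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)
$findings = $targets | Where-Object { Test-Path $_ } | ForEach-Object { Find-WeakAce -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No write-class rights granted to non-privileged principals.' }
```

Run it from an elevated prompt so that Get-Acl can read every target; any row naming `BUILTIN\Users` or `Everyone` is exactly the kind of entry the post's scenario depends on and should be tightened or, after patching, confirmed fixed.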
Conclusion
CVE-2026-33825 is a textbook example of how “insufficient granularity” in access control turns a simple configuration mistake into a high-impact vulnerability. While the concept is simple, the consequences are huge: local users becoming admins without any malware — just the misused permissions Defender accidentally gave them.
If you’re responsible for Windows systems, make sure to update and take a few minutes to review all ACLs, especially on built-in security tools.
Have you checked your Defender configuration yet?
*This post is exclusive and written to explain CVE-2026-33825 in the simplest terms for all readers. For more information, visit the official Microsoft and NVD advisories linked above.*
Timeline
Published on: 04/14/2026 16:57:49 UTC
Last modified on: 04/30/2026 14:42:48 UTC