Impact statement: CVE-2026-33825 is a Microsoft Defender privilege-escalation vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on April 22, 2026. NVD lists it as high severity. This is a local privilege-escalation issue, not a standalone internet remote-code-execution bug, but active exploitation means Windows fleets should verify Defender platform updates instead of assuming normal patching handled it.
For hosting companies and IT shops, the affected machines are not only employee laptops. Include Windows Server systems where admins log in interactively, IIS hosting servers, RDS and terminal servers, Hyper-V hosts, backup servers, domain controllers, Windows-based control-panel machines, and support workstations that handle customer files.
Who Needs To Act
- Windows 10 and Windows 11 endpoints running Microsoft Defender Antimalware Platform before the fixed platform version.
- Windows Server machines that run Defender, especially admin-accessible or customer-facing systems.
- RDS, VDI, and terminal-server environments where many users share the same Windows estate.
- Admin and support workstations used to open customer archives, installers, tickets, backups, or uploaded files.
- Hyper-V hosts, IIS servers, domain controllers, and backup servers where local privilege escalation can worsen an existing foothold.
Check Defender Platform Version
NVD lists Microsoft Defender Antimalware Platform builds before 4.18.26030.3011 as vulnerable. Microsoft Security Update Guide is the authority for your exact product channel, so verify the installed platform against MSRC and your patch-management console.
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion, NISEngineVersion, RealTimeProtectionEnabled
Get-ChildItem "$env:ProgramDataMicrosoftWindows DefenderPlatform" |
Sort-Object Name -Descending |
Select-Object -First 3 Name, FullName
Patch Workstations And Servers
Use Windows Update, Microsoft Defender updates, WSUS, Intune, RMM, Microsoft Defender for Endpoint, or your normal patch tool. For a single machine, trigger a Defender update and then recheck the platform version.
& "$env:ProgramFilesWindows DefenderMpCmdRun.exe" -SignatureUpdate
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion, NISEngineVersion
For offline or isolated systems, use Microsoft Update Catalog or your approved offline servicing workflow. Do not leave jump boxes, domain controllers, backup servers, or hosting support workstations out of scope because they are not regular user laptops.
Server Role Notes
- IIS hosting servers: patch Defender and review upload, deployment, and temporary directories for unexpected executable files.
- RDS and terminal servers: patch early because many users can create local activity on the same machine.
- Hyper-V hosts: schedule patching with VM backup verification and reboot planning.
- Domain controllers: patch through the normal DC maintenance ring, verify replication and authentication after reboot.
- Backup servers: patch and verify backup jobs still run, because backup operators often open customer or endpoint files.
- Admin workstations: patch first if they handle customer uploads, remote support tools, archives, or privileged sessions.
Verify After Reboot Or Update
Get-ComputerInfo | Select-Object OsName, OsVersion, WindowsVersion, OsBuildNumber
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, InstalledOn, Description
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureVersion, RealTimeProtectionEnabled
In managed fleets, compare your RMM, Intune, Defender for Endpoint, and WSUS views against real machine spot checks. Machines that are off VPN, paused, retired-but-online, or stuck behind a broken update policy are where this kind of issue lingers.
Defender Review Checklist
- Confirm Defender platform version on Windows endpoints and Windows Server systems.
- Prioritize machines used by admins, help desk, hosting support, finance, and executives.
- Check Microsoft Defender for Endpoint alerts, local Defender history, and recent suspicious process events.
- Do not use this CVE as a reason to disable Defender. Patch the platform and keep real-time protection enabled.
- Document machines that cannot update and isolate or replace them.