PT-2026-32884 · Microsoft · Defender
Source: Diffract
Published: 2026-04-02 · Updated: 2026-05-30 · CVE-2026-33825
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected versions
Microsoft Defender versions prior to 4.18.26030.3011
Windows 10 (affected versions not specified)
Windows 11 (affected versions not specified)
Windows Server 2019 and later (affected versions not specified)
Description
Insufficient granularity of access control in Microsoft Defender allows an authorized local attacker to elevate privileges to SYSTEM level. The issue involves a time-of-check to time-of-use (TOCTOU) flaw in the signature update and remediation workflow. Attackers can leverage a logic chain involving the Windows Cloud Files API, Volume Shadow Copy (VSS), and Opportunistic Locks (Oplocks) to pause system processes and overwrite SYSTEM binaries, or to access locked registry hives such as SAM, SYSTEM, and SECURITY to extract administrative hashes. Real-world exploitation has been observed since April 10, 2026, with some attacks linked to compromised FortiGate SSL VPN connections. Technical details indicate the use of NTFS junctions and the Cloud Files API to trick the MsMpEng.exe process into spawning payloads with NT AUTHORITY\SYSTEM tokens or overwriting files such as 'C:\Windows\system32\TieringEngineService.exe'.
Recommendations
Update the Microsoft Defender antimalware platform to version 4.18.26030.3011 or higher.
Restrict the Volume Shadow Copy Service to specific administrative users via Group Policy.
Monitor for any process calling vssvc.exe that is not a recognized backup tool.
Audit logs for unusual CldFlt (Cloud Files Mini Filter) activity originating from non-system directories.

Fix · DoS · LPE · RCE

Weakness Enumeration

Related Identifiers: BDU:2026-05271, CVE-2026-33825

Affected Products: Defender