Microsoft Defender Privilege Escalation Flaw Confirmed in Ransomware Campaigns Two Months After Patch
CVE-2026-33825, a local privilege-escalation vulnerability in the Windows Defender antimalware engine patched on April 14, 2026, was confirmed by CISA on June 30 as actively used in ransomware campaigns, with no specific group officially named. The flaw affects both enterprise and consumer Defender deployments equally because both rely on the same MsMpEng.exe process, though enterprise tenants receive the platform update more consistently. A follow-on technique called RoguePlanet, publicly disclosed by Picus Security in June 2026, bypasses the April fix on fully patched Windows 10 and 11 systems, meaning the workaround menu of Tamper Protection enforcement, application control, and EDR detection remains necessary even after patching.