CISA’s Known Exploited Vulnerabilities catalog now lists CVE-2026-33825 as having known ransomware campaign use.
What happened
CISA identifies the flaw as a Microsoft Defender Insufficient Granularity of Access Control Vulnerability and says Microsoft Defender contains an access control weakness that could allow an unauthorized attacker to escalate privileges locally.
Microsoft’s CVE record, reflected in NIST’s National Vulnerability Database, describes the issue as “Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.” NVD lists Microsoft Corporation as the source and gives the vulnerability a CVSS 3.1 score of 7.8 HIGH.
CISA added the vulnerability to its KEV catalog on April 22, 2026, with a federal remediation due date of May 6, 2026. The agency’s required action tells organizations to apply vendor mitigations, follow applicable federal guidance for cloud services, or discontinue use of the product if those mitigations are unavailable.
In the know
Privilege escalation flaws do not usually provide the first way into a network. Instead, attackers use them after gaining initial access to take more control of the system. That is what makes CVE-2026-33825 dangerous in ransomware scenarios. CISA now marks its ransomware campaign use as “Known,” which means defenders should treat this vulnerability as part of ransomware tradecraft.
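The ransomware marking is a per-entry field in the KEV JSON feed (`knownRansomwareCampaignUse`), so a change like the one described above can be caught by comparing two saved copies of the feed. The following is an added example, not code from CISA or from this article; the snapshots are constructed, the CVE-0000-* IDs are placeholders, and the earlier "Unknown" value for CVE-2026-33825 is an assumption made for illustration.

```python
import json
from datetime import date

def _entry(cve, due, ransomware):
    # Constructed sample record using KEV JSON feed field names.
    return {"cveID": cve, "dueDate": due, "knownRansomwareCampaignUse": ransomware}

# Constructed snapshots. The CVE-0000-* IDs are placeholders, and the earlier
# "Unknown" value for CVE-2026-33825 is assumed for illustration.
OLD_SNAPSHOT = json.dumps({"vulnerabilities": [
    _entry("CVE-2026-33825", "2026-05-06", "Unknown"),
    _entry("CVE-0000-0001", "2026-05-20", "Unknown"),
]})
NEW_SNAPSHOT = json.dumps({"vulnerabilities": [
    _entry("CVE-2026-33825", "2026-05-06", "Known"),
    _entry("CVE-0000-0001", "2026-05-20", "Unknown"),
    _entry("CVE-0000-0002", "2026-05-27", "Known"),
]})

def index(snapshot_json):
    """Map cveID -> entry for one KEV feed snapshot."""
    return {v["cveID"]: v for v in json.loads(snapshot_json)["vulnerabilities"]}

def ransomware_flips(old_json, new_json, today):
    """Entries marked 'Known' in the new snapshot but not in the old one."""
    old, new = index(old_json), index(new_json)
    findings = []
    for cve, entry in new.items():
        if entry.get("knownRansomwareCampaignUse") != "Known":
            continue
        before = old.get(cve, {}).get("knownRansomwareCampaignUse")
        if before == "Known":
            continue  # already flagged in the previous snapshot
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "cve": cve,
            "previous": before or "not listed",
            "due": entry["dueDate"],
            "days_left": (due - today).days,  # negative means overdue
        })
    # Most urgent (closest to or past the due date) first.
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in ransomware_flips(OLD_SNAPSHOT, NEW_SNAPSHOT, date(2026, 5, 10)):
        print(f)
```

Entries that were already "Known" in the older snapshot are skipped, so the output contains only new ransomware markings and can feed a patching queue directly.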
The bottom line
For healthcare organizations, the lesson is that security gaps become more dangerous when they are known but left unresolved. Paubox’s 2026 Healthcare Email Security Report found that 41% of organizations were assessed as high risk in 2025, up from 31% in 2024. CVE-2026-33825 has moved from an exploited vulnerability to a ransomware-relevant vulnerability in CISA’s official catalog. Organizations should treat the Microsoft Defender flaw as a priority for patching, validation, and endpoint hardening, especially across systems that could support ransomware staging, privilege escalation, or defense evasion.
FAQs
What is the CISA KEV catalog?
The CISA Known Exploited Vulnerabilities catalog, also called the KEV catalog, is CISA’s official list of vulnerabilities that have been exploited in the wild. CISA describes it as an authoritative source organizations can use to prioritize vulnerability remediation.
Why does CISA add vulnerabilities to the KEV catalog?
CISA adds vulnerabilities to the KEV catalog when there is evidence of active exploitation. The agency uses the catalog to help organizations focus on vulnerabilities that attackers are already using, rather than relying only on theoretical severity scores.
Does a KEV listing mean a vulnerability is severe?
A KEV listing means the vulnerability has been exploited in the wild and carries operational risk, even if its CVSS score is not the highest.
