Changeflow GovPing Data Privacy & Cybersecurity CISA Adds Microsoft Defender CVE-2026-33825 to ...
Priority review Notice Added Final

CISA Adds Microsoft Defender CVE-2026-33825 to Known Exploited Vulnerabilities Catalog

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published
Detected
Email

Summary

CISA added CVE-2026-33825 (Microsoft Defender Insufficient Granularity of Access Control Vulnerability) to its Known Exploited Vulnerabilities (KEV) Catalog on April 22, 2026, based on evidence of active exploitation. Binding Operational Directive BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date specified in the directive. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.

Published by CISA on cisa.gov . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

GovPing monitors CISA ICS-CERT Advisories for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 65 changes logged to date.

View original document View source feed page

What changed

CISA has added one new vulnerability — CVE-2026-33825 affecting Microsoft Defender — to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The vulnerability is classified as an Insufficient Granularity of Access Control issue, which CISA notes is a frequent attack vector for malicious cyber actors.\n\nFederal Civilian Executive Branch agencies are subject to Binding Operational Directive BOD 22-01, which mandates remediation of KEV Catalog vulnerabilities by specified due dates. While this directive does not apply to private-sector organizations, CISA strongly urges all organizations to prioritize timely remediation of this and other KEV vulnerabilities as part of their vulnerability management programs. Organizations running Microsoft Defender should review their access control configurations and apply available patches accordingly.

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alert

CISA Adds One Known Exploited Vulnerability to Catalog

Release Date

April 22, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Mentioned entities

Cybersecurity and Infrastructure Security Agency

Parties

Microsoft

Related changes

Favicon for www.cisa.gov CISA Adds Eight Known Exploited Vulnerabilities to Catalog
Routine Apr 20, 2026 US CISA Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CVE-2026-20133: Cisco Catalyst SD-WAN Manager Sensitive Data Exposure Vulnerability
Priority review Apr 21, 2026 CISA Known Exploited Vulnerabilities (KEV) Data Privacy & Cybersecurity
Favicon for www.cisa.gov Silex Technology SD-330AC and AMC Manager 12 Critical Vulnerabilities
Urgent Apr 22, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity

Get daily alerts for CISA ICS-CERT Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
CISA
Published
April 22nd, 2026
Instrument
Notice
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Government agencies Technology companies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability catalog updates Security patching Access control review
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy Software & Technology

Browse Categories

Agriculture & Food Safety 77 AI Regulation 3 Banking & Finance 482 Consumer Protection 120 Courts & Legal 436 Data Privacy & Cybersecurity 123 Defense & National Security 53 Education 64 Energy 103 Environment 169 Gaming 2 Government & Legislation 461 Healthcare 15 Healthcare & Life Sciences 396 Immigration 10 Insurance 86 Labor & Employment 167 Pharma & Drug Safety 21 Professional Licensing 8 Real Estate & Housing 85 Securities & Markets 177 Tax 93 Telecom & Technology 48 Trade & Sanctions 152 Transportation 102

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!