# CVE-2026-33825

> A TOCTOU race condition in the Microsoft Defender Antimalware Platform update orchestrator allows a local low-privileged user to write an arbitrary file as SYSTEM via a symbolic-link hijack of the platform update staging directory. Proof-of-concept code was published to GitHub prior to Microsoft's advisory. No in-the-wild exploitation was confirmed at release time, but the bug is trivial to weaponize and is expected to appear in commodity post-exploitation toolkits within days.

- **CVSS:** 7.8 (HIGH)
- **EPSS:** 7.1%
- **CISA KEV:** yes
- **CWE:** CWE-367, CWE-59

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-33825
