Reported internally by @drvcodenta.
Interpretation (optional)
How do you interpret the words?
@drvcodenta flagged that Fleet is silently missing CVEs in Microsoft Defender on Windows hosts, citing CVE-2026-33825 ("BlueHammer") as a concrete example — a Microsoft Defender Antimalware Platform privilege-escalation flaw that's actively exploited. Customers reasonably expect Fleet to catch this.
What's Fleet missing?
Fleet's Windows vulnerability detection runs along two tracks today:
- MSRC bulletins for Windows OS CVEs, and
- NVD/CPE matching for third-party software inventoried on the host.
Defender Antimalware Platform falls between them. Microsoft publishes its CVEs as a separate non-OS product line that Fleet's MSRC pipeline doesn't ingest, and because the platform auto-updates silently via Windows Update it doesn't appear in the host's normal software inventory either, so NVD matching has nothing to match against. The same blind spot applies to other Microsoft software that ships with or alongside Windows and updates outside the standard installer path. From a customer's point of view, Fleet says "no known vulnerabilities" on a host that is, in fact, vulnerable to an actively exploited Microsoft CVE with a federal patch deadline.
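As an added example (not Fleet's code and not part of this issue), here is a PowerShell check that does on a single host what the issue asks Fleet to do at scale: read the Defender Antimalware Platform version, which does not show up as an installed program, and compare it to a fixed build. The fixed build for CVE-2026-33825 is not stated in this issue, so it is a mandatory parameter the operator takes from the Microsoft advisory; the function names `Test-DefenderPlatformVersion` and `Get-DefenderPlatformFolders` are chosen for this example. If the Defender cmdlets fail, the check reports Unknown rather than implying the host is clean, which is the exact failure mode the issue describes.

```powershell
# Added example, not Fleet's own code. Reports the Defender Antimalware Platform
# build on this host and flags it if it is below a fixed build supplied by the
# operator. No fixed version is given in the issue, so none is hard-coded here.
function Test-DefenderPlatformVersion {
    [CmdletBinding()]
    param(
        # Assumption: the operator supplies the first fixed platform build from the
        # Microsoft advisory for the CVE in question. Deliberately no default.
        [Parameter(Mandatory)]
        [version]$MinimumPlatformVersion
    )

    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender cmdlets unavailable (third-party AV active, feature removed,
        # module missing). Report Unknown rather than "no known vulnerabilities".
        return [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            PlatformVersion = $null
            EngineVersion   = $null
            Status          = 'Unknown'
            Detail          = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }

    # AMProductVersion is the Antimalware Platform build; AMEngineVersion is the
    # scanning engine. Both update via Windows Update, not via an installer entry.
    $platform = [version]$status.AMProductVersion
    $below    = $platform -lt $MinimumPlatformVersion
    $state    = 'AtOrAboveFixedVersion'
    if ($below) { $state = 'BelowFixedVersion' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $platform.ToString()
        EngineVersion   = $status.AMEngineVersion
        Status          = $state
        Detail          = "Fixed build required: $MinimumPlatformVersion"
    }
}

# Shows why inventory-based NVD/CPE matching has nothing to match: the platform
# is not an Add/Remove Programs entry, only versioned folders under ProgramData.
function Get-DefenderPlatformFolders {
    $root = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Directory | Select-Object -ExpandProperty Name
    }
}

# Usage (replace the placeholder version with the fixed build from the MSRC advisory):
# Test-DefenderPlatformVersion -MinimumPlatformVersion '4.18.0.0' | Format-List
# Get-DefenderPlatformFolders
```

The comparison uses `[version]` rather than string comparison so that a build like 4.18.24090.11 sorts correctly against 4.18.24100.1; `AMProductVersion` is a plain dotted version, while the folder names under `Platform` carry a trailing `-0` suffix and are listed as-is for inspection only.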
Ideal workflow:
A Windows host running a vulnerable Defender Antimalware Platform build appears in Fleet's vulnerability list the same way a host with an unpatched OS or unpatched third-party app does — CVE ID, severity, affected version, and the version the user needs to reach to remediate. The same treatment extends to other Microsoft-published software that lives in this in-between space, so customers can trust a single Fleet view for Microsoft platform CVEs instead of tracking coverage product-by-product.