A Quieter Week at CISA: Microsoft Defender Access Control Flaw, Supply-Chain Hardening, and Why "Boring" Is a Compliment in Security

After the twelve-CVE pile-on of April 20 and April 24, this past week was almost peaceful at CISA. One addition to the KEV catalog — a Microsoft Defender access-control flaw — and a relatively quiet news cycle otherwise. In security, "boring" is a compliment. It means the defenders kept up.

So instead of a long CVE breakdown, this week's recap is shorter and uses the spare bandwidth to talk about something that does not get enough attention in small-business IT: supply chain hardening. Specifically, the part of your business that you do not directly run.

1. CVE-2026-33825 — Microsoft Defender Insufficient Granularity of Access Control

CISA KEV added: April 22, 2026 · Severity: Medium

Microsoft Defender — the enterprise EDR product, not the consumer antivirus — has an access-control bug that lets a low-privilege user access functionality that should require elevated permissions. The exact technical detail in the advisory is limited; CISA does not publish exploitation specifics, and Microsoft\’s own update guide is parsimonious.

For Texas small businesses, the practical impact is bounded. Defender enterprise is a Microsoft 365 E5 / Defender for Business product; the typical 10-person small business is not running it natively. If you are using Defender for Business or any other tier of Microsoft 365 Defender, the patch ships through Microsoft Update; you should already have it.

What is interesting about this entry is the meta-point: even EDR products themselves get vulnerabilities. The thing you bought to protect your endpoints is itself an attack surface. This is part of why I am not a zealot for any single security vendor — Defender, SentinelOne, CrowdStrike, Huntress, they all ship CVEs eventually. The discipline is to keep them patched, not to pick the magical brand.

2. The Supply-Chain Story Nobody Reads About

The Verizon DBIR has been hammering this for two years and small businesses still ignore it: in 2025, third-party-related breach incidents — vendor compromises, software updates that turned malicious, MSP breaches that cascaded to the MSP's clients — were the fastest-growing category of small-business breach. Your security is only as strong as the third parties you trust.

For a typical Texas SMB, the third-party list is usually:

• Your MSP or IT provider. If they get compromised, you get compromised. SimpleHelp is the canonical recent example.
• Your accountant or bookkeeper. They have access to your books and usually your banking. A compromised bookkeeper means compromised wires.
• Your payroll provider. Direct deposit redirects are a real attack pattern.
• Your law firm. Discovery materials, contracts, M&A intel — all sitting on someone else\’s file share.
• Your e-commerce or website host. If you sell anything online, your card data flows through their infrastructure.
• Your cloud SaaS stack — CRM, ERP, marketing tools — anything with API access to your data.

I work with my BVTech clients on what I call a vendor security posture review. It is not glamorous and it is not technically complicated. Once a year, we list every third party with access to your data, ask each of them for a brief written security statement, and document the answers. If your bookkeeper cannot tell you what MFA she uses on QuickBooks, you have learned something useful.

3. The MFA Audit Every Texas Business Should Do This Quarter

Speaking of MFA — Sophos\’s State of Ransomware 2025 put credential-based initial-access at the top of every breach pattern they reported on. Eighty-eight percent of SMB breaches involved ransomware; the overwhelming majority of those started with a stolen or phished credential where MFA was not enforced.

The quarterly audit I run for clients is simple. Every account on the inventory gets graded on five things:

• Is MFA enforced? Not "available" — enforced.
• Is the MFA method strong? App-based or hardware-key beats SMS by a wide margin.
• Is the account using a unique password? Verifiable through a password manager.
• Has the password been rotated since the last suspected exposure? Have I Been Pwned is your friend.
• Does the account have only the permissions it needs? The bookkeeper does not need domain-admin.

Most businesses find that 20 to 30 percent of their accounts fail this audit on first pass. That is fixable in a couple of hours. The benefit of fixing it is that the next time CISA KEV lands a credential-related entry, you are already covered.

Use Quiet Weeks to Get Ahead

The single most consistent pattern I see in my Texas client base is this: the businesses that get burned by a ransomware incident are not the ones who ignored a critical CISA KEV deadline. They are the ones who never ran an MFA audit, never inventoried their vendors, never wrote down their patching schedule. The big events expose the cumulative neglect of the quiet weeks.

Use this week to get ahead of the next noisy one.

Want a Vendor and MFA Audit?

BVTech does both — vendor security posture review and MFA audit — as a fixed-fee project for Texas small businesses. Call (210) 538-3669 or email [email protected]. Pricing is transparent on the engagement; nothing surprises you on the invoice.

— Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds AWS and 1Password certifications, the Certified Polysomnographic Technologist credential (CPSGT #294), and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.