Overview
Microsoft has confirmed that two Microsoft Defender vulnerabilities are being actively exploited in the wild, prompting urgent patch releases for all Windows endpoints. The flaws, CVE‑2026‑41091 and CVE‑2026‑45498, affect the Defender Malware Protection Engine and Antimalware Platform, respectively, and have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.

CVE‑2026‑41091 — Privilege Escalation
- Severity: CVSS 7.8 (High)
- Component: Microsoft Defender Malware Protection Engine 1.1.26030.3008 and earlier
- Root Cause: Improper link resolution before file access (“link following”)
- Impact: Allows an authorized attacker to gain SYSTEM privileges locally.
Microsoft’s advisory explains that the flaw arises when Defender improperly follows symbolic links, enabling privilege escalation through crafted file paths.
CVE‑2026‑45498 — Denial‑of‑Service (DoS)
- Severity: CVSS 4.0 (Medium)
- Component: Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier
- Impact: Enables attackers to trigger DoS states on unpatched systems, temporarily disabling protection.
Both vulnerabilities have been patched in Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7.
Automatic Updates and Verification
Microsoft emphasized that no manual action is required for most users, since Defender automatically updates malware definitions, the engine, and the platform version. Engine updates ship with the security intelligence updates and platform updates arrive through Windows Update, so in managed environments where update delivery is gated (WSUS, Configuration Manager, Intune update rings) the platform update must actually be approved and deployed; confirm the installed versions rather than assuming the rollout completed.
To verify patch installation:
- Open Windows Security → Virus & Threat Protection.
- Click Protection Updates → Check for updates.
- Navigate to Settings → About.
- Confirm that the Engine Version is 1.1.26040.8 or later and the Antimalware Client Version (the platform version) is 4.18.26040.7 or later. The two fields are separate; a current engine does not imply a current platform, and CVE‑2026‑45498 is fixed in the platform.
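For fleets, the same check is faster from PowerShell than from the Windows Security UI. The script below is an added example, not part of Microsoft's advisory or the original article: it reads the installed engine and platform versions with the built-in `Get-MpComputerStatus` cmdlet (the `AMEngineVersion` and `AMProductVersion` properties) and compares them against the patched versions named above. The function name `Test-DefenderPatched` and the decision to trigger `Update-MpSignature` when a machine is behind are this example's own choices; the cmdlets and property names are the real Defender module ones.

```powershell
# Added example (not from the advisory or article): verify Defender engine and platform
# versions against the patched versions for CVE-2026-41091 / CVE-2026-45498.
# Assumes the Defender PowerShell module is available (it is on any Windows client or
# server running Microsoft Defender Antivirus). Run in an elevated session.

$patched = @{
    Engine   = [version]'1.1.26040.8'   # Malware Protection Engine fix (CVE-2026-41091)
    Platform = [version]'4.18.26040.7'  # Antimalware Platform fix (CVE-2026-45498)
}

function Test-DefenderPatched {
    # AMEngineVersion is the Malware Protection Engine; AMProductVersion is the
    # Antimalware Platform (what the Windows Security UI calls Antimalware Client Version).
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        EnginePatched   = ($engine -ge $patched.Engine)
        PlatformVersion = $platform
        PlatformPatched = ($platform -ge $patched.Platform)
        SignatureAge    = $status.AntivirusSignatureAge   # days since last definition update
        RealTimeOn      = $status.RealTimeProtectionEnabled
    }
}

$result = Test-DefenderPatched
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    # Update-MpSignature pulls the security intelligence update, which also carries engine
    # updates. Platform updates come through Windows Update, so a stale platform on a
    # WSUS/ConfigMgr-managed host usually means the update was never approved.
    Update-MpSignature
    Write-Warning "Defender below patched engine/platform version on $($result.ComputerName); update triggered. Re-run to confirm."
}
```

To sweep a set of hosts, wrap the call in `Invoke-Command -ComputerName <list> -ScriptBlock ${function:Test-DefenderPatched}` and filter on `EnginePatched -eq $false -or PlatformPatched -eq $false`; the `[version]` comparison handles four-part version strings correctly, which a plain string compare would not.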
Discovery and Credit
Microsoft credited five researchers for discovering and responsibly reporting the flaws:
- Sibusiso
- Diffract
- Andrew C. Dorman (ACD421)
- Damir Moldovanov
- Anonymous researcher
Their coordinated disclosure enabled Microsoft to issue rapid fixes before widespread exploitation.
CISA Directive and Federal Response
The U.S. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply the patches by June 3, 2026, under Binding Operational Directive (BOD) 22‑01.
CISA warned that privilege‑escalation and DoS vulnerabilities in endpoint protection software are frequent attack vectors and pose significant risks to federal networks. Agencies must either:
- Apply vendor mitigations per Microsoft’s guidance,
- Follow BOD 22‑01 cloud‑service security requirements, or
- Discontinue use if mitigations are unavailable.
Related Exploits
Microsoft also disclosed that a cross‑site scripting (XSS) flaw in Exchange Server (CVE‑2026‑42897, CVSS 8.1) has been weaponized in real‑world attacks. Additionally, CISA added several legacy vulnerabilities dating back to 2008–2010, most of them in Microsoft products, to its KEV catalog, including:
- CVE‑2010‑0806 and CVE‑2010‑0249 — Internet Explorer use‑after‑free flaws enabling remote code execution.
- CVE‑2009‑1537 — DirectX NULL‑byte overwrite vulnerability in DirectShow.
- CVE‑2008‑4250 — Windows Server Service buffer overflow enabling remote code execution via crafted RPC requests.
- CVE‑2009‑3459 — Adobe Acrobat and Reader heap‑based buffer overflow via crafted PDF files.
These additions highlight the ongoing risk of legacy vulnerabilities resurfacing in modern attack chains.
Final Thoughts
The active exploitation of Defender zero‑days underscores how even security software can become an attack surface. Enterprises should ensure Defender updates are enabled, confirm that the patched engine and platform versions are actually installed rather than assuming automatic patching succeeded, and monitor endpoint telemetry for privilege‑escalation activity and for the protection outages a DoS of the antimalware platform would produce.
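One concrete way to watch for the DoS side of this, as an added example that is not from the article: a platform DoS that "temporarily disables protection" shows up in the Defender operational log as protection being turned off or updates failing, and in the state of the WinDefend service. The script below queries that log for those events over a lookback window. The event IDs used (5001 real-time protection disabled, 5010 scanning for malware disabled, 2001 security intelligence update failed, 2003 engine update failed) are from the Defender operational log; the function name `Get-DefenderOutageSignals` and the 24-hour default window are this example's own choices.

```powershell
# Added example (not from the article): surface Defender protection outages from the
# operational event log plus the current service state, for triage of possible DoS
# against the Antimalware Platform. Run in an elevated session.

$log = 'Microsoft-Windows-Windows Defender/Operational'
$watch = @{
    5001 = 'Real-time protection disabled'
    5010 = 'Scanning for malware disabled'
    2001 = 'Security intelligence update failed'
    2003 = 'Engine update failed'
}

function Get-DefenderOutageSignals {
    param([int]$HoursBack = 24)   # hypothetical default lookback window

    # FilterHashtable queries are server-side and cheap even on busy logs.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = [int[]]$watch.Keys
        StartTime = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue

    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
        RunningMode   = if ($mp) { $mp.AMRunningMode } else { 'Unavailable' }
        Signals       = @($events | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $watch[$_.Id]
            }
        })
    }
}

$r = Get-DefenderOutageSignals -HoursBack 24
$r | Select-Object ComputerName, ServiceStatus, RunningMode | Format-List
$r.Signals | Sort-Object Time | Format-Table -AutoSize

if ($r.ServiceStatus -ne 'Running' -or $r.Signals.Count -gt 0) {
    Write-Warning "Defender protection gap detected on $($r.ComputerName); pair with the version check and investigate."
}
```

A stopped WinDefend service, an `AMRunningMode` other than `Normal`, or a burst of 5001/5010 events on a host that is still below the patched platform version is the combination worth escalating; on hosts running Defender in passive mode behind another AV product these events are expected and the query should be scoped to hosts where Defender is the active engine.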