Two significant vulnerabilities in Microsoft Defender have recently been disclosed and are being actively exploited by cyber attackers, raising concerns among cybersecurity professionals. These vulnerabilities, identified as CVE-2026-41091 and CVE-2026-45498, allow attackers to escalate privileges to SYSTEM and potentially disrupt endpoint protection on Windows systems.
Details of the Vulnerabilities
The first vulnerability, CVE-2026-41091, is an elevation of privilege issue caused by improper link resolution (CWE-59: following a symbolic link or junction to an unintended target) in Microsoft Defender’s scanning logic. An authenticated local attacker can plant a link that Defender’s scanning process, which runs as SYSTEM, follows into an attacker-controlled path, and thereby obtain SYSTEM-level privileges. The vulnerability has been publicly documented, and Microsoft’s exploitability index rates it as under active exploitation.
The second flaw, CVE-2026-45498, affects the Microsoft Defender Antimalware Platform and results in a denial-of-service condition. An attacker who triggers it can crash or impair the Defender service, leaving the endpoint without working protection and creating a window for follow-on activity such as dropping malware that would otherwise be blocked. This vulnerability, like the first, is also being actively exploited.
Impact and Mitigation
Successful exploitation of these vulnerabilities can have severe consequences: disabling security tools, installing persistent malware, reading sensitive data, and creating high-privilege user accounts. The affected builds named in the advisory are Microsoft Malware Protection Engine version 1.1.26030.3008 and Defender Platform version 4.18.26030.3011; the fixes ship in engine version 1.1.26040.8 and platform version 4.18.26040.7, respectively.
Systems on which Defender is disabled (for example because a third-party antivirus product is registered) may still carry an out-of-date engine or platform build and therefore be flagged as vulnerable by inventory and scanning tools, but they are not exploitable in practice while the affected component is not running. They should still be updated, since re-enabling Defender would expose them. Organizations are urged to confirm that the Defender engine and platform on every endpoint are at or above the fixed versions.
Guidance for Organizations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included both vulnerabilities in its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch agencies to address them by June 3, 2026. Microsoft advises that no additional manual updates are necessary beyond the routine Defender updates. Organizations should verify that updates are being applied correctly and ensure that the Defender engine version is at least 1.1.26040.8 and the platform version is at least 4.18.26040.7.
Administrators can check a single machine in the Windows Security app under ‘Virus & threat protection’, then ‘Protection updates’, and trigger a check for updates there. Beyond spot checks, organizations should validate update distribution end to end, confirming through their management tooling that every managed endpoint actually reports the patched engine and platform versions rather than assuming automatic updates succeeded.
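For fleets, a scripted check is more reliable than the Windows Security app. The PowerShell below is an added example, not code from Microsoft or from the advisory: it reads the running engine and platform versions with the built-in Get-MpComputerStatus cmdlet and compares them with the fixed versions quoted above. The function name Test-DefenderPatchState and the hosts.txt inventory file are assumptions made for the example.

```powershell
# Added example (not Microsoft's code): report whether an endpoint runs the
# fixed Defender engine and platform versions named in the advisory.
function Test-DefenderPatchState {
    [CmdletBinding()]
    param(
        # Fixed versions from the advisory text; adjust if Microsoft re-releases.
        [version]$MinimumEngine   = '1.1.26040.8',
        [version]$MinimumPlatform = '4.18.26040.7'
    )

    # Get-MpComputerStatus is the built-in Defender cmdlet. AMEngineVersion is the
    # Malware Protection Engine build; AMProductVersion is the Defender Platform build.
    $status = Get-MpComputerStatus

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    $enginePatched   = $engine   -ge $MinimumEngine
    $platformPatched = $platform -ge $MinimumPlatform

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AntivirusEnabled = $status.AntivirusEnabled
        RunningMode      = $status.AMRunningMode      # e.g. Normal, Passive Mode
        EngineVersion    = $engine
        EnginePatched    = $enginePatched
        PlatformVersion  = $platform
        PlatformPatched  = $platformPatched
        # A host with Defender disabled is reported as not exploitable in practice,
        # but an unpatched build still needs the update before Defender is re-enabled.
        Exploitable      = [bool]($status.AntivirusEnabled -and
                                  -not ($enginePatched -and $platformPatched))
    }
}

# Local check.
Test-DefenderPatchState | Format-List

# Fleet check over a hypothetical hosts.txt inventory (one hostname per line),
# executed through WinRM. Results flagged Exploitable = True go to the top.
$hosts = Get-Content -Path .\hosts.txt
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-DefenderPatchState} |
    Sort-Object Exploitable -Descending |
    Format-Table ComputerName, AntivirusEnabled, EngineVersion, EnginePatched,
                 PlatformVersion, PlatformPatched, Exploitable -AutoSize
```

Engine updates arrive with the regular definition updates (Update-MpSignature pulls them immediately on a lagging host), while platform updates come through Windows Update, so a host that shows EnginePatched = True but PlatformPatched = False usually points at a Windows Update or WSUS approval problem rather than a Defender one.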
Given how widely Microsoft Defender is deployed across Windows environments, an actively exploited flaw in it is an attractive target for attackers. Tracking the advisory and confirming that the fixed engine and platform versions have reached every endpoint are the essential steps in safeguarding systems against these active exploits.
