CISA Warns: Microsoft Defender 0-Day Vulnerabilities Exploited

Marcus Rodriguez
May 22, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to organizations regarding two critical Microsoft Defender vulnerabilities. These flaws, now added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, are actively being exploited.

The flaws, tracked as CVE-2026-45498 and CVE-2026-41091, impact Microsoft Defender and could allow attackers to disrupt systems or escalate privileges.

Both vulnerabilities were officially added to the KEV list on May 20, 2026, with a remediation deadline of June 3, 2026, under Binding Operational Directive (BOD) 22-01.

Federal agencies and organizations using Microsoft Defender are urged to apply mitigations immediately.

Microsoft Defender Zero-Day Exploits

The first vulnerability, CVE-2026-45498, is a denial-of-service (DoS) flaw in Microsoft Defender.

While technical specifics remain limited, successful exploitation could allow attackers to disrupt Defender operations, potentially weakening endpoint protection and exposing systems to further compromise.

The second flaw, CVE-2026-41091, is a link-following vulnerability (CWE-59). This issue allows an authorized local attacker to exploit improper handling of symbolic links, leading to privilege escalation.

By leveraging this flaw, attackers could gain elevated access on targeted systems, increasing the risk of lateral movement and deeper network compromise.

Although CISA has not confirmed whether these vulnerabilities are currently used in ransomware campaigns, their inclusion in the KEV catalog indicates evidence of active exploitation in real-world attacks.

Security researchers warn that advanced threat actors and ransomware operators commonly employ privilege escalation and defense-evasion techniques.

The combination of a DoS vulnerability and a privilege escalation flaw in a widely deployed security product like Microsoft Defender raises concerns about defense bypass scenarios.

Attackers may exploit these weaknesses to turn off protections before deploying malware or conducting post-exploitation activities.

CISA strongly advises organizations to take the following actions:

  • Apply security updates and mitigations provided by Microsoft immediately.
  • Follow BOD 22-01 guidelines for cloud and on-premises environments.
  • Monitor systems for unusual behavior, including Defender service disruptions.
  • Restrict local access privileges to minimize the risk of exploitation.
  • Consider discontinuing use of affected systems if patches are unavailable.

Organizations should also review endpoint detection logs and investigate anomalies that may indicate attempted exploitation.
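
One way to carry out the monitoring and log review described above is sketched here as an added example; it is not code from CISA or Microsoft. It reads the current Defender state and then pulls recent Defender and Service Control Manager events that record protection failing or being switched off. The seven-day look-back window is an assumption, and none of these events is specific to CVE-2026-45498 or CVE-2026-41091.

```powershell
# Added example: triage Microsoft Defender health and recent disruption events.
# Run in an elevated PowerShell session on the endpoint being checked.
$since = (Get-Date).AddDays(-7)   # look-back window (assumption; match your log retention)

# 1. Current state of the Defender service and its protection features.
$svc = Get-Service -Name WinDefend
$mp  = Get-MpComputerStatus
[pscustomobject]@{
    ServiceStatus      = $svc.Status
    AMServiceEnabled   = $mp.AMServiceEnabled
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    TamperProtected    = $mp.IsTamperProtected
    ProductVersion     = $mp.AMProductVersion
    EngineVersion      = $mp.AMEngineVersion
    SignatureAgeDays   = $mp.AntivirusSignatureAge
} | Format-List

# 2. Defender operational events that record protection failing or being disabled.
$defenderIds = @{
    3002 = 'Real-time protection encountered an error and failed'
    5001 = 'Real-time protection disabled'
    5008 = 'Antimalware engine encountered an error and failed'
    5010 = 'Scanning for malware and unwanted software disabled'
    5012 = 'Scanning for viruses disabled'
}
$defenderEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]@($defenderIds.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Service Control Manager events for the Defender service terminating unexpectedly.
$scmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Defender' }

# 4. One timeline for the analyst, oldest first; empty results are dropped.
@($defenderEvents) + @($scmEvents) | Where-Object { $_ } | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Meaning'; e = {
        if ($defenderIds.ContainsKey([int]$_.Id)) { $defenderIds[[int]$_.Id] }
        else { 'Service terminated unexpectedly' }
    } }
```

Compare the reported product and engine versions against the fixed versions listed in Microsoft's advisories for the two CVEs, and treat any event in the timeline that does not line up with a planned change as a lead to investigate.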

The discovery of actively exploited vulnerabilities in security software highlights an ongoing challenge in cybersecurity: attackers increasingly target defensive tools themselves.

Exploiting such tools can provide a stealthy pathway to bypass detection and maintain persistence.

Security teams are encouraged to adopt a layered defense strategy that combines endpoint protection with behavioral monitoring, threat intelligence, and rapid patch management.

As threat actors continue to evolve their tactics, timely vulnerability remediation remains critical to reducing attack surfaces and preventing breaches.
