CyberSecurity News

Microsoft Defender 0-Day Flaws Actively Exploited Wild

Microsoft Defender faces active exploitation in the wild from two newly disclosed vulnerabilities. These flaws enable local attackers to elevate privileges to SYSTEM, potentially disrupting endpoint...

Marcus Rodriguez
Marcus Rodriguez
May 21, 2026 3 Min Read
17 0

Microsoft Defender faces active exploitation in the wild from two newly disclosed vulnerabilities. These flaws enable local attackers to elevate privileges to SYSTEM, potentially disrupting endpoint protection across Windows environments.

Table Of Content

The bugs, tracked as CVE‑2026‑41091 (Elevation of Privilege) and CVE‑2026‑45498 (Denial of Service), were published on May 19, 2026, and affect core Microsoft Defender components used across all supported Windows versions.

CVE‑2026‑41091 is an “Important” elevation‑of‑privilege vulnerability caused by improper link resolution before file access (“link following”) in Microsoft Defender’s scanning logic.

An authenticated local attacker can exploit this weakness to have Defender follow crafted links or junctions and operate on attacker‑controlled paths, ultimately gaining SYSTEM‑level privileges.

Microsoft confirms that this vulnerability has been publicly disclosed and is already under active exploitation, with its exploitability index showing “Exploitation Detected.”

Successful exploitation allows threat actors to disable or tamper with security tools, deploy persistent payloads, access sensitive data, and create new high‑privilege accounts, dramatically increasing the impact of any initial compromise.

The last Microsoft Malware Protection Engine version affected is 1.1.26030.3008, with the issue addressed starting in version 1.1.26040.8.

Notably, environments where Defender is disabled may still be flagged as vulnerable by scanners because the binaries and versioned components remain on disk, even though the configuration is not considered exploitable in practice.

Microsoft Defender Denial of Service Vulnerability

The second flaw, CVE‑2026‑45498, is a Denial-of-Service vulnerability in the Microsoft Defender Antimalware Platform.

It has also been publicly disclosed and is confirmed as exploited in the wild, with “Exploitation Detected” status in Microsoft’s exploitability assessment.

By abusing this platform‑level weakness, attackers can potentially crash or impair Defender’s protection capabilities, creating a window for follow‑on attacks and stealthy persistence.

The last affected platform version is 4.18.26030.3011, with fixes shipped in version 4.18.26040.7. As with the engine bug, systems where Defender is disabled can still appear vulnerable in scan outputs due to version checks on installed binaries, even though they are not in an exploitable state.

The U.S. Cybersecurity and Infrastructure Security Agency has added both CVE‑2026‑41091 and CVE‑2026‑45498 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring confirmed in‑the‑wild abuse.

Under Binding Operational Directive (BOD) 22‑01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities on Windows endpoints and servers by June 3, 2026, giving defenders a two‑week window from the KEV listing on May 20.

Required Actions for Defenders

Microsoft emphasizes that no separate manual security update installation is required beyond the standard Defender engine and platform update mechanisms, which are designed to update automatically and frequently.

However, organizations are urged to verify that updates are actually being delivered and applied as expected.

Administrators should:

  • Confirm that the Defender engine version is at least 1.1.26040.8 and the Antimalware Platform version is at least 4.18.26040.7 on all endpoints.
  • Use the Windows Security app to check “Virus & threat protection,” then “Protection updates,” and select “Check for updates” to force an update where necessary.
  • In Windows Security → Settings → About, verify that the Antimalware Client version meets or exceeds the fixed versions.

Microsoft notes that the Defender engine is typically updated monthly, with malware definitions updated several times per day, and recommends that enterprises continuously validate their update distribution pipelines.

The update also includes additional defense‑in‑depth improvements beyond the specific vulnerability fixes.

Given that Microsoft Defender is deployed by default on all supported Windows versions and reused across products such as Microsoft System Center Endpoint Protection and Microsoft Security Essentials, these actively exploited 0‑day flaws represent a high‑value target surface for threat actors.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVECybersecurityExploitMalwareSecurityThreatVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts