HIGH: Microsoft Defender Burns Again as Two New Zero-Days Hit Active Exploitation
Microsoft confirmed on May 21 that CVE-2026-41091, a CVSS 7.8 link-following privilege escalation in the Microsoft Malware Protection Engine, and CVE-2026-45498, a denial-of-service flaw in the Defender Antimalware Platform, are both under active exploitation. CISA added both to the KEV catalog with a June 3 federal remediation deadline. Defender engine version 1.1.26040.8 and Antimalware Platform 4.18.26040.7 contain the fixes and ship automatically through definition updates.
Pour one out for the security tool that is supposed to be doing the protecting. Microsoft confirmed on May 21 that two vulnerabilities in its built-in Defender antimalware stack are being exploited in the wild, the second time in roughly six weeks that the company's flagship endpoint security product has had to issue an out-of-band fix for live attacks. CISA wasted no time adding both flaws to its Known Exploited Vulnerabilities catalog, and Federal Civilian Executive Branch agencies have until June 3, 2026 to remediate or explain themselves.
The headline issue is CVE-2026-41091, a privilege escalation flaw in the Microsoft Malware Protection Engine that carries a CVSS score of 7.8. The vulnerability stems from improper link resolution before file access, a class of bug commonly known as link following, and it allows an attacker who already holds a local foothold to elevate to SYSTEM. That is the same privilege Defender itself runs at, which means once an attacker pulls this off they are operating at the highest level on the box, with full visibility into every process, every file, and every credential cached in memory. Engine versions 1.1.26030.3008 and earlier are vulnerable. The fix lands in version 1.1.26040.8.
The second flaw, CVE-2026-45498, is a denial-of-service bug in the Microsoft Defender Antimalware Platform with a comparatively tame CVSS score of 4.0. It affects platform versions 4.18.26030.3011 and earlier, and Microsoft patches it in 4.18.26040.7. On its face a DoS in your antivirus sounds like the lowest tier of bad news, the kind of thing you schedule for next quarter and forget about. In practice this one matters more than the score implies. If an attacker can crash or pin Defender into a broken state, they have effectively disabled the endpoint protection product on a Windows machine without ever having to touch the policy or the registry. Combine that with a separately delivered payload and the DoS becomes the opening move in a longer kill chain. Score the engagement, not the bug.
What makes this disclosure cycle uncomfortable is that it is the second time in two months Defender has been the story instead of the solution. Back in April Microsoft scrambled to address three Defender zero-days that the security community has been calling BlueHammer, RedSun, and UnDefend. BlueHammer was tracked as CVE-2026-33825 and operated on the same general theme as the new privilege escalation. Two of the three remained unpatched for weeks after the initial disclosure, which is a long time when working exploit code is already in circulation. The optics are not great for the product that, by default, is the only thing standing between a Windows endpoint and whatever happens to walk in through a malicious office macro or a phished session cookie.
So what does exploitation actually look like for defenders trying to detect it? The privilege escalation requires that an attacker already be authenticated on the system, so this is not a remote unauthenticated RCE. They have already gotten in, by phishing, by stolen credentials, by a vulnerable application, or by piggybacking on an existing infection. From there, the link-following weakness lets them trick the Malware Protection Engine into operating on a file via a symbolic link or junction that points somewhere the attacker should not be able to write to. Defender, running as SYSTEM, follows the link and performs whatever file operation it was about to perform, but now on the attacker's chosen target. The net result is that file content the attacker controls ends up in a privileged location, or a privileged file gets overwritten or deleted. From there it is a short walk to SYSTEM code execution and full ownership of the host. Defenders should look for unusual symlink and junction creation in directories that Defender touches, particularly in user-writable locations near ProgramData, alongside any abrupt termination or restart of the MsMpEng.exe process.
The good news for most organizations is that Microsoft pushes these fixes through the same automatic update channel that delivers malware signature definitions, not through Patch Tuesday. The Malware Protection Engine and the Antimalware Platform both update silently in the background on systems configured with default Defender settings, which is to say most Windows 10, 11, and Server 2019 and later boxes that have not been touched by a heavy-handed GPO. Microsoft's own guidance is that no administrator action is required for the majority of customers. Anyone running tightly controlled environments, air-gapped networks, regulated industries with delayed update windows, or third-party EDR products that have administratively disabled Defender, needs to verify the engine and platform versions manually. The fastest check is via PowerShell using Get-MpComputerStatus and confirming that AMEngineVersion is at or above 1.1.26040.8 and AMServiceVersion is at or above 4.18.26040.7. If either is behind, force a definition update through Update-MpSignature and recheck.
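The manual check described above, written out as a script. This is an added example, not Microsoft's guidance or code; the cmdlets and property names (Get-MpComputerStatus, AMEngineVersion, AMServiceVersion, AMServiceEnabled, Update-MpSignature) are the real Defender module ones, while the 30-second wait before re-checking is an assumption and may need to be longer on slow links.

```powershell
# Added example: verify the Defender engine and platform against the fixed
# builds named in the advisory and force a definition update if either is behind.
$RequiredEngine   = [version]'1.1.26040.8'
$RequiredPlatform = [version]'4.18.26040.7'

function Test-DefenderPatchLevel {
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMServiceVersion
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        PlatformVersion = $platform
        EnginePatched   = ($engine   -ge $RequiredEngine)
        PlatformPatched = ($platform -ge $RequiredPlatform)
        # Hosts where a third-party EDR has disabled Defender report the
        # engine as not running; those are out of scope for this advisory.
        DefenderRunning = [bool]$status.AMServiceEnabled
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

if ($result.DefenderRunning -and -not ($result.EnginePatched -and $result.PlatformPatched)) {
    Write-Warning "Engine or platform is behind the fixed build; forcing a definition update"
    Update-MpSignature
    # Assumption: 30 seconds is enough for the engine/platform update to apply.
    Start-Sleep -Seconds 30
    Test-DefenderPatchLevel | Format-List
}
```

Run it under an elevated prompt across the fleet (for example via your RMM or Invoke-Command) and collect the objects; any host with DefenderRunning true and either Patched flag false is still exposed.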
Organizations that have replaced Defender with a third-party endpoint product and disabled the Microsoft engine are not affected by either flaw, and there is a quiet irony in that. The Defender team has spent the better part of a decade convincing CISOs that ripping out the built-in product in favor of CrowdStrike, SentinelOne, or Cybereason is unnecessary because Defender is enterprise-grade now. That argument got harder to make this spring. Five separate researchers are credited on the May disclosure, including Sibusiso, Diffract, Andrew C. Dorman who publishes under the handle ACD421, Damir Moldovanov, and one anonymous contributor. That is a lot of independent eyes finding overlapping classes of bug in the same engine inside of a six-week window, which suggests either Defender's attack surface is having a moment or the research community has finally decided it is worth the time. Either way, expect more.
For threat hunters the more useful angle is that local privilege escalation chains often start with low-effort initial access. The most common path into a Windows endpoint in 2026 remains phishing followed by malicious LNK or scripting payloads. An adversary who lands a foothold as a standard domain user has historically had a buffet of LPE options ranging from print spooler bugs to scheduled task abuse, and Defender LPEs now sit comfortably on that menu. Defenders running Microsoft Sentinel, Defender for Endpoint, or any reasonable SIEM should be looking for the chain rather than the individual primitive. Successful exploitation of CVE-2026-41091 will produce a brief window in which a non-privileged process writes to or modifies a path it ordinarily cannot, with Defender service activity immediately preceding the change. That telemetry exists. It is a matter of asking the right question.
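A local hunt for the two indicators the article calls out earlier (reparse points appearing under ProgramData, and abrupt termination of the Defender service) and for the chain rather than the single primitive. This is an added example, not the article's or Microsoft's code; the 14-day lookback, the trusted-owner list and the use of Service Control Manager events 7031/7034 as the crash signal are assumptions.

```powershell
# Added example: surface recently created symlinks/junctions under ProgramData
# that are NOT owned by an admin principal, and Defender service crashes in the
# same window. Both together on one host is the pattern worth triaging.
param(
    [string]$Root         = $env:ProgramData,
    [int]   $LookbackDays = 14   # assumption: adjust to your retention
)
$TrustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$Since = (Get-Date).AddDays(-$LookbackDays)

function Find-SuspiciousReparsePoints {
    Get-ChildItem -Path $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
      Where-Object { $_.CreationTime -ge $Since } |
      ForEach-Object {
        $owner = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
        [pscustomobject]@{
            Path       = $_.FullName
            LinkType   = $_.LinkType            # SymbolicLink or Junction
            Target     = ($_.Target -join ';')
            Owner      = $owner
            Created    = $_.CreationTime
            # Installer-created links are admin-owned; a link owned by a
            # standard user inside ProgramData is what the text describes.
            Suspicious = ($owner -notin $TrustedOwners)
        }
      }
}

function Find-DefenderServiceCrashes {
    # SCM events 7031/7034: "service terminated unexpectedly"
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034; StartTime = $Since } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match 'Defender|Antimalware' } |
      Select-Object TimeCreated, Id, Message
}

$links   = Find-SuspiciousReparsePoints
$crashes = Find-DefenderServiceCrashes
$links | Where-Object Suspicious | Format-Table Path, LinkType, Target, Owner, Created -AutoSize
$crashes | Format-Table -AutoSize
if (($links | Where-Object Suspicious) -and $crashes) {
    Write-Warning "Non-admin reparse points AND Defender service crashes in the same window: triage this host"
}
```

The same two questions map directly onto Defender for Endpoint or Sentinel file-event and service-event telemetry if you would rather hunt centrally than per host.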
Patches, as always, are necessary but not sufficient. Apply 1.1.26040.8 and 4.18.26040.7 across the fleet, confirm via Get-MpComputerStatus, and then go look at whether anyone has already used these bugs on your network. CISA's June 3 deadline applies to federal agencies, but everyone else should treat it as a reasonable internal deadline as well. Microsoft has not publicly attributed the exploitation to a specific threat actor, which usually means either the activity is opportunistic and broadly distributed or the cluster is sensitive enough that no one wants to burn it on a press release. Neither possibility is comforting.
There is also the broader question of what this run of Defender bugs means for organizations that have built their entire endpoint strategy around the built-in product. Microsoft's pitch has always been that bundling Defender into the operating system means tighter integration, faster updates, and better telemetry than any bolt-on alternative. That argument still has merit. The problem is that the same tight integration cuts both ways. When the antivirus engine itself contains a SYSTEM-level privilege escalation, the attacker does not need to find a kernel driver bug or chain together three weaker primitives. The defensive layer is the elevation primitive. That is the kind of design tradeoff worth raising the next time someone in your organization asks whether the Defender license is really good enough on its own, or whether the secondary EDR is worth the budget line.
The business angle for MSPs is straightforward. Every conversation with a client this week about endpoint protection should start with whether their Defender engine is current and whether they have any visibility at all into whether it has been tampered with. That conversation pulls in a managed EDR engagement, a vulnerability management subscription, and likely a tabletop exercise on what the team would actually do if their primary AV told them it was healthy while quietly being subverted by a six-line exploit. The follow-on sale is dark web monitoring and identity threat protection, because anyone exploiting an LPE in Defender is almost certainly there because they already got the initial foothold somewhere upstream, and that somewhere upstream is usually a leaked credential or a phished session. Lead with the vulnerability and sell the program.
References
- The Hacker News: Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html
- BleepingComputer: Microsoft warns of new Defender zero-days exploited in attacks
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-new-defender-zero-days-exploited-in-attacks/
- NVD CVE-2026-41091
https://nvd.nist.gov/vuln/detail/CVE-2026-41091
- NVD CVE-2026-45498
https://nvd.nist.gov/vuln/detail/CVE-2026-45498
- CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog