Skip to main content
Emerging Threats

Microsoft Discloses Actively Exploited Defender Vulnerabilities

Windows Defender workstation in office setting with blurred laptop screen and cityscape view.

"Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft said in an advisory.

CVE-2026-41091: a local privilege escalation in Microsoft Defender

Microsoft disclosed that CVE-2026-41091, a privilege escalation vulnerability in Microsoft Defender, is under active exploitation in the wild and carries a CVSS score of 7.8. According to the advisory, successful exploitation could allow an attacker to gain SYSTEM privileges. Microsoft credited five reporters with discovering and disclosing the issue: Sibusiso, Diffract, Andrew C. Dorman (aka ACD421), Damir Moldovanov, and an anonymous researcher.

CVE-2026-45498: a denial-of-service bug also exploited

The company also flagged CVE-2026-45498, a denial-of-service vulnerability in Microsoft Defender, as being actively exploited; that bug is rated 4.0 on the CVSS scale. Both Defender defects have been addressed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7, respectively.

Update mechanics and scope: what installs and what is not vulnerable

Microsoft said that systems that have disabled Microsoft Defender are not susceptible to these vulnerabilities. The advisory further states that no action is required to install the update because malware definitions and the Microsoft Malware Protection Engine update automatically. Microsoft provided explicit steps users can follow to confirm they are receiving the latest platform and definition updates:

  • Open the Windows Security program.
  • In the navigation pane, select Virus & threat protection.
  • Then click on Protection Updates in the Virus & threat protection section updates.
  • Select Check for updates.
  • In the navigation pane, select Settings, and then select About.
  • Examine the Antimalware ClientVersion number.

CISA action: Known Exploited Vulnerabilities catalog and the FCEB deadline

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog. That listing triggers a binding requirement for Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 3, 2026. Microsoft also noted that, at the time of the advisory, there were no public details on the methods being used to exploit these vulnerabilities in the wild.

Other aging flaws added to KEV this week

Alongside the Defender issues, CISA also added four older Microsoft vulnerabilities to KEV and one Adobe issue, underscoring the catalog's widening scope. The items listed are:

  • CVE-2010-0806 — Microsoft Internet Explorer use-after-free allowing remote code execution.
  • CVE-2010-0249 — Microsoft Internet Explorer use-after-free allowing remote code execution.
  • CVE-2009-1537 — Microsoft DirectX NULL byte overwrite in the QuickTime Movie Parser Filter in quartz.dll, enabling remote code execution via a crafted QuickTime media file.
  • CVE-2008-4250 — Microsoft Windows buffer overflow in the Windows Server Service that allows remote code execution via a crafted RPC request.
  • CVE-2009-3459 — Adobe Acrobat and Reader heap-based buffer overflow that could allow remote code execution via a crafted PDF file triggering memory corruption.

These entries join a recent, separate Microsoft disclosure: last week Redmond reported that CVE-2026-42897, a cross-site scripting flaw affecting on-premise Exchange Server (CVSS 8.1), had been weaponized in real-world attacks—bringing the count to three Microsoft vulnerabilities flagged as exploited within a week.

What this means for technologists, FCEB agencies, and end users

Technologists and security teams: confirm Antimalware ClientVersion numbers and that Microsoft Malware Protection Platform and definition updates are being downloaded and applied, and verify the presence of Defender Antimalware Platform versions 1.1.26040.8 or 4.18.26040.7 where relevant.

Federal Civilian Executive Branch (FCEB) agencies: CISA's KEV listing imposes a requirement to apply the fixes by June 3, 2026, creating a clear, time-boxed compliance obligation tied directly to these Defender fixes.

End users and administrators: note Microsoft's statement that systems with Microsoft Defender disabled are not susceptible, and that Microsoft says no manual action is required because updates for definitions and the Malware Protection Engine are automatic; users can, however, use the Windows Security steps Microsoft published to confirm their client version.

Microsoft's disclosure and CISA's KEV additions together create a compact but consequential timeline: multiple exploited Microsoft vulnerabilities reported within a short span, formal KEV listings—including several legacy flaws—and an explicit federal remediation deadline. For organizations with Defender enabled, the immediate task is verification: confirm the platform versions and Antimalware ClientVersion, and ensure FCEB deadlines and internal patching workflows align with the June 3, 2026 requirement.

Original story