Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Disrupts Zero-Day Attacks with Defender Patch Rollout

Modern tech lab with computer workstations and equipment, featuring a prominent blank laptop screen.

"The default configuration in Microsoft antimalware software helps ensure that malware definitions and the Windows Defender Antimalware Platform are kept up to date automatically," Microsoft said — even as it pushed emergency fixes for two actively exploited Defender zero-days.

Microsoft's emergency patches and affected components

On Wednesday Microsoft began shipping updates to address two zero-day vulnerabilities in its Defender stack. The first, CVE-2026-41091, is a privilege escalation bug that affects Microsoft Malware Protection Engine versions 1.1.26030.3008 and earlier. The second, CVE-2026-45498, impacts systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier — the same platform used by Microsoft System Center Endpoint Protection (including System Center 2012 R2 and System Center 2012 Endpoint Protection) and Security Essentials.

Microsoft published patched builds for the affected components: Malware Protection Engine version 1.1.26040.8 and Antimalware Platform version 4.18.26040.7, which the company says address the two flaws.

CVE-2026-41091: link-following leads to SYSTEM privileges

According to Microsoft, CVE-2026-41091 stems from an improper link resolution before file access, described in the advisory as a "link following" weakness. Successful exploitation of that condition allows an attacker to gain SYSTEM privileges on an impacted device — elevating their access to the highest local-level account on Windows hosts that are running the vulnerable Malware Protection Engine.

CVE-2026-45498: denial-of-service against unpatched endpoints

The second vulnerability, CVE-2026-45498, enables threat actors to trigger denial-of-service (DoS) conditions on unpatched Windows devices. Microsoft framed this issue as affecting the Defender Antimalware Platform and reiterated that multiple Microsoft security products rely on the same platform binaries, amplifying the surface of potentially affected installations.

CISA orders federal agencies to patch by June 3 under BOD 22-01

Yesterday the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVEs to its Known Exploited Vulnerabilities (KEV) Catalog and issued a directive ordering Federal Civilian Executive Branch (FCEB) agencies to secure Windows endpoints and servers within two weeks. The deadline, as mandated by Binding Operational Directive 22-01, is June 3.

CISA explained the rationale bluntly: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," and instructed agencies to "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." CISA also noted the vulnerabilities are "actively exploited in the wild."

What this means for security teams, federal agencies, and end users

  • Security teams and technologists: Confirm that systems have received Malware Protection Engine 1.1.26040.8 or Antimalware Platform 4.18.26040.7. Microsoft advised that customers "shouldn't have to take any action" if default automatic updates are enabled, but teams should validate update settings and version numbers directly on endpoints.
  • Federal Civilian Executive Branch agencies: Must meet CISA’s BOD 22-01 deadline to secure Windows endpoints and servers by June 3, following the agency’s mitigation guidance or discontinuing products if mitigations are not available.
  • End users and administrators: Microsoft published explicit verification steps. Open Windows Security, go to Virus & threat protection → Protection Updates → Check for updates; then go to Settings → About and examine the Antimalware ClientVersion number. The update is present if the Malware Protection Platform version or signature package number matches or exceeds the fixed versions.

Microsoft’s guidance rests on two linked assertions: that updates have been released (Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7) and that the default Defender configuration will, in many cases, deploy those updates automatically. CISA’s move to add both flaws to the KEV Catalog and to require federal agencies to remediate within a strict timetable makes clear the U.S. government views these bugs as active, exploitable, and a material risk to public-sector networks.

The immediate, concrete tasks are straightforward and time-boxed: verify that the patched component versions are installed, confirm automatic update settings, and, for covered federal entities, meet the June 3 BOD 22-01 remediation deadline or apply alternate mitigations per vendor guidance. Outside the federal enterprise, administrators and users should likewise validate versions and update configuration to avoid the privilege-escalation and DoS conditions Microsoft and CISA have identified.

Original story