New Microsoft Defender 0‑Days Actively Exploited in the Wild

Two newly disclosed Microsoft Defender vulnerabilities are being actively exploited in the wild, enabling local attackers to elevate privileges to SYSTEM and potentially disrupt endpoint protection across Windows environments.

The bugs, tracked as CVE‑2026‑41091 (Elevation of Privilege) and CVE‑2026‑45498 (Denial of Service), were published on May 19, 2026, and affect core Microsoft Defender components used across all supported Windows versions.

Microsoft Defender Elevation of Privilege Vulnerability

CVE‑2026‑41091 is an “Important” elevation‑of‑privilege vulnerability caused by improper link resolution before file access (“link following”) in Microsoft Defender’s scanning logic.

An authenticated local attacker can exploit this weakness to have Defender follow crafted links or junctions and operate on attacker‑controlled paths, ultimately gaining SYSTEM‑level privileges.

Microsoft confirms that this vulnerability has been publicly disclosed and is already under active exploitation, with its exploitability index showing “Exploitation Detected.”

Successful exploitation allows threat actors to disable or tamper with security tools, deploy persistent payloads, access sensitive data, and create new high‑privilege accounts, dramatically increasing the impact of any initial compromise.

The last Microsoft Malware Protection Engine version affected is 1.1.26030.3008, with the issue addressed starting in version 1.1.26040.8.

Notably, environments where Defender is disabled may still be flagged as vulnerable by scanners because the binaries and versioned components remain on disk, even though the configuration is not considered exploitable in practice.

Microsoft Defender Denial of Service Vulnerability

The second flaw, CVE‑2026‑45498, is a Denial-of-Service vulnerability in the Microsoft Defender Antimalware Platform.

It has also been publicly disclosed and is confirmed as exploited in the wild, with “Exploitation Detected” status in Microsoft’s exploitability assessment.

By abusing this platform‑level weakness, attackers can potentially crash or impair Defender’s protection capabilities, creating a window for follow‑on attacks and stealthy persistence.

The last affected platform version is 4.18.26030.3011, with fixes shipped in version 4.18.26040.7. As with the engine bug, systems where Defender is disabled can still appear vulnerable in scan outputs due to version checks on installed binaries, even though they are not in an exploitable state.

The U.S. Cybersecurity and Infrastructure Security Agency has added both CVE‑2026‑41091 and CVE‑2026‑45498 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring confirmed in‑the‑wild abuse.

Under Binding Operational Directive (BOD) 22‑01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities on Windows endpoints and servers by June 3, 2026, giving defenders a two‑week window from the KEV listing on May 20.

Required Actions for Defenders

Microsoft emphasizes that no separate manual security update installation is required beyond the standard Defender engine and platform update mechanisms, which are designed to update automatically and frequently.

However, organizations are urged to verify that updates are actually being delivered and applied as expected.

Administrators should:

• Confirm that the Defender engine version is at least 1.1.26040.8 and the Antimalware Platform version is at least 4.18.26040.7 on all endpoints.
• Use the Windows Security app to check “Virus & threat protection,” then “Protection updates,” and select “Check for updates” to force an update where necessary.
• In Windows Security → Settings → About, verify that the Antimalware Client version meets or exceeds the fixed versions.

Microsoft notes that the Defender engine is typically updated monthly, with malware definitions updated several times per day, and recommends that enterprises continuously validate their update distribution pipelines.

The update also includes additional defense‑in‑depth improvements beyond the specific vulnerability fixes.

Given that Microsoft Defender is deployed by default on all supported Windows versions and reused across products such as Microsoft System Center Endpoint Protection and Microsoft Security Essentials, these actively exploited 0‑day flaws represent a high‑value target surface for threat actors.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.