Microsoft disclosed active exploitation of a privilege‑escalation bug (CVE‑2026‑41091) and a denial‑of‑service flaw (CVE‑2026‑45498) in Defender. Both are patched, but rapid verification and update steps are essential, especially for federal systems required to comply with CISA’s KEV deadline.
Two Defender Flaws Under Active Attack
Microsoft’s latest security advisory confirms that threat actors are already weaponizing two defects in the Windows Defender Antimalware platform. The first, CVE‑2026‑41091, is a privilege‑escalation issue rated 7.8 on the CVSS scale. It stems from improper link resolution before file access – essentially, Defender follows a symbolic link that points to a privileged location, allowing an attacker with local access to obtain SYSTEM rights.
The second flaw, CVE‑2026‑45498, carries a CVSS score of 4.0 and triggers a denial‑of‑service condition that can crash the antimalware service, temporarily disabling real‑time protection. Both vulnerabilities are being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to the Known Exploited Vulnerabilities (KEV) catalog.
Expert Context
“Link‑following bugs are a classic privilege‑escalation vector because they let an attacker manipulate the file system’s trust model,” explains Dr. Maya Patel, senior security researcher at the SANS Institute. “In Defender’s case, the bug bypasses the component that normally validates the target of a file operation, giving a low‑privilege user a shortcut to SYSTEM.”
CISA’s advisory stresses that federal agencies must apply the patches by June 3 2026. While the fixes are already rolled out via the standard Defender update channel, many organizations still run legacy Windows images that have automatic updates disabled, leaving them exposed.
How the Vulnerabilities Are Exploited
CVE‑2026‑41091 – Attackers first gain a foothold on a workstation (e.g., through phishing or a vulnerable service). They then create a symbolic link that points to a privileged file or directory. When Defender processes the link during a scan, it inadvertently opens the target with SYSTEM privileges, allowing the attacker to inject malicious DLLs or modify security settings.
CVE‑2026‑45498 – A crafted file triggers an unchecked exception inside the Defender engine, causing it to terminate. The resulting gap in protection can be leveraged to deliver additional payloads before the service restarts.
Both techniques are lightweight and can be delivered silently, which explains the rapid adoption by threat groups.
Immediate Mitigation Steps
Even though the patches are delivered automatically, verify that your machines are actually running the updated components:
- Open Windows Security → Virus & threat protection.
- Click Protection updates and select Check for updates.
- In the left pane, go to Settings → About and note the Antimalware client version.
- Versions 1.1.26040.8 (privilege‑escalation fix) and 4.18.26040.7 (DoS fix) indicate you are patched.
- If the version numbers are older, force a manual update or download the latest definition package from the Microsoft Update Catalog.
- For systems that have Defender disabled, consider re‑enabling it or deploying a third‑party endpoint solution that receives regular updates.
Broader Context: A Week of Exploited Microsoft Flaws
Defender is not the only product under attack. Within the same week, Microsoft disclosed:
- CVE‑2026‑42897 – An XSS flaw in on‑premises Exchange Server (CVSS 8.1) actively exploited via malicious email payloads.
- Four legacy vulnerabilities from 2008‑2010 (IE, DirectX, Windows Server Service) were added to the KEV catalog, highlighting that older, unpatched software remains a lucrative target.
The pattern shows threat actors rapidly shifting to any unpatched Microsoft component, reinforcing the need for a continuous patch management program.
Practical Takeaways for Security Teams
| Action | Why It Matters |
|---|---|
| Automate Defender updates | Guarantees the latest antimalware engine and definition files are applied without manual intervention. |
| Inventory legacy Windows installations | Older OS builds may not receive automatic Defender updates and could still be vulnerable to the legacy CVEs listed above. |
| Enable Windows Event Forwarding | Monitor Event ID 5007 (Defender service start/stop) and Event ID 3002 (malware detection) for anomalies that could indicate exploitation attempts. |
| Leverage CISA’s KEV feed | Integrate the KEV catalog into your vulnerability management tool to prioritize remediation of actively exploited flaws. |
| Test patches in a staging environment | Even well‑behaved updates can introduce regressions; a quick sanity check prevents unexpected downtime. |
Looking Ahead
Microsoft’s rapid patch cycle and the inclusion of these bugs in the KEV catalog are encouraging signs, but the fact that attackers are already exploiting them underscores a persistent gap: organizations often lag in confirming that updates have been applied. By incorporating the verification steps above and keeping an eye on CISA’s KEV updates, you can stay ahead of the next wave of Defender‑related attacks.
For deeper technical details, see Microsoft’s official advisory here and the CISA KEV listing here.
Comments
Please log in or register to join the discussion