Microsoft Defender zero-days active
- Microsoft disclosed on May 21 that two Microsoft Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498, are being actively exploited in the wild. (thehackernews.com)
- CISA added both flaws to its Known Exploited Vulnerabilities catalog on May 20, setting a June 3, 2026 remediation deadline for federal agencies. (cisa.gov)
- Microsoft said fixes are delivered through Defender platform and engine updates; organizations can verify the installed versions in Windows Security before June 3. (thehackernews.com)
Microsoft's latest Defender warning matters because the product being targeted is not a browser, VPN or edge appliance. It is the endpoint protection stack itself. On May 21, Microsoft disclosed two Defender vulnerabilities under active exploitation: CVE-2026-41091, a local privilege-escalation flaw, and CVE-2026-45498, a denial-of-service issue. (thehackernews.com) Microsoft said the bugs are fixed in Microsoft Defender Antimalware Platform version 4.18.26040.7 and Microsoft Malware Protection Engine version 1.1.26040.8. (cisa.gov)

That combination changes the response. Security teams are not just patching a Windows component; they are checking whether the controls they rely on for detection and prevention are current, healthy and still reporting. (thehackernews.com) CISA has already added both CVEs to its Known Exploited Vulnerabilities catalog, which is the U.S. government's signal that the flaws are being used in real attacks.

### Which two bugs are involved, and what can each one do?

CVE-2026-41091 is the higher-impact issue. Microsoft described it as an improper link resolution, or "link following," flaw in Microsoft Defender that allows an authorized attacker to elevate privileges locally, and The Hacker News reported Microsoft rated it 7.8 on the CVSS scale. (thehackernews.com) Successful exploitation could let an attacker who already has a foothold on the machine gain SYSTEM privileges.

CVE-2026-45498 is the second issue. Microsoft and follow-on reporting described it as a denial-of-service vulnerability affecting Defender, meaning an attacker could disrupt the security product rather than directly seize full control through that flaw alone. BleepingComputer reported Microsoft began rolling out fixes on May 21. (cisa.gov)

### Why are defenders paying close attention if one bug is "only" denial of service?
Endpoint security teams treat availability failures in protection tools as operationally important because a crashed or impaired security service creates a visibility gap during an intrusion: detections stop, telemetry stops, and an attacker who can reliably trigger that condition gets a quiet window on the host. Microsoft has not publicly described the attack chain or released exploitation details, but it has confirmed both vulnerabilities are being exploited in the wild. (thehackernews.com)

CISA's May 20 addition of both CVEs to the KEV catalog is another reason the story is getting attention. CISA says the catalog is its authoritative list of vulnerabilities known to have been exploited in the wild, and federal civilian agencies are required to remediate listed flaws by the due date. (thehackernews.com) For these two Defender issues, that date is June 3, 2026.

### What did Microsoft say customers should do now?

Microsoft said no separate manual patch workflow is required if Defender updates are functioning normally, because malware definitions and the Microsoft Malware Protection Engine update automatically. The company told users to open Windows Security, go to Virus & threat protection, check Protection Updates, and confirm the client and engine versions under Settings and About. (thehackernews.com)

That guidance makes version verification the immediate task. Organizations that tightly control endpoint update rings or run disconnected systems will need to confirm that those machines actually received the platform and engine updates rather than assuming the automatic channel delivered them. Microsoft said systems with Defender disabled are not susceptible to the vulnerabilities, so for assets where Defender was turned off in favor of another product, the check is that it really is disabled, not merely unmonitored. (cisa.gov)

### What is still unknown about the attacks?

Microsoft has not published technical details on how the vulnerabilities are being exploited, and The Hacker News said there are currently no public details on the in-the-wild abuse. Microsoft credited Sibusiso, Diffract, Andrew C. Dorman, also known as ACD421, Damir Moldovanov and an anonymous researcher with discovering and reporting the flaws. (thehackernews.com)

The next concrete checkpoint is June 3, 2026, the KEV remediation deadline CISA assigned for federal agencies. Before then, defenders can confirm Microsoft Defender Antimalware Platform version 4.18.26040.7 and Microsoft Malware Protection Engine version 1.1.26040.8 are installed across affected endpoints. (thehackernews.com) (cisa.gov)
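The version check described above, scripted for a fleet rather than clicked through in Windows Security, as an added example that is not from the article, Microsoft or CISA. It uses the real `Get-MpComputerStatus`, `Update-MpSignature` and `Invoke-Command` cmdlets; the function names, the `AssetTag` parameter and the verdict labels are this example's own. The fixed-version thresholds are the two builds the article names.

```powershell
# Added example: compare each endpoint's Defender platform and engine builds against the
# fixed versions named in the article, and flag hosts that still need updates.
# Get-MpComputerStatus / Update-MpSignature are real Defender cmdlets; the function names
# and verdict strings below are this example's own.

$FixedPlatform = [version]'4.18.26040.7'   # Antimalware Platform  (AMProductVersion)
$FixedEngine   = [version]'1.1.26040.8'    # Malware Protection Engine (AMEngineVersion)

function Test-DefenderFixApplied {
    [CmdletBinding()]
    param(
        # Defaults to the local host; pipe in Get-MpComputerStatus objects collected
        # remotely to evaluate other machines with the same logic.
        [Parameter(ValueFromPipeline)]
        $Status = (Get-MpComputerStatus),

        [string]$AssetTag = $env:COMPUTERNAME
    )
    process {
        # Version fields can be empty when the antimalware service is not running,
        # so parse defensively instead of casting blindly.
        $platform = if ($Status.AMProductVersion) { [version]$Status.AMProductVersion } else { $null }
        $engine   = if ($Status.AMEngineVersion)  { [version]$Status.AMEngineVersion }  else { $null }

        # Microsoft said systems with Defender disabled are not susceptible, so a host
        # whose AM service is off is reported as such rather than as "fixed" or "needs update".
        $verdict = if (-not $Status.AMServiceEnabled)                    { 'DefenderDisabled' }
                   elseif (-not $platform -or -not $engine)              { 'Unknown' }
                   elseif ($platform -ge $FixedPlatform -and
                           $engine   -ge $FixedEngine)                   { 'Fixed' }
                   else                                                  { 'NeedsUpdate' }

        [pscustomobject]@{
            Asset              = $AssetTag
            Verdict            = $verdict
            PlatformVersion    = $platform
            EngineVersion      = $engine
            PlatformCurrent    = ($platform -and $platform -ge $FixedPlatform)
            EngineCurrent      = ($engine   -and $engine   -ge $FixedEngine)
            RealTimeProtection = $Status.RealTimeProtectionEnabled
            SignatureAgeDays   = $Status.AntivirusSignatureAge   # stale signatures = stalled update channel
        }
    }
}

function Get-DefenderFixReport {
    # Collect status from remote hosts over PowerShell remoting and evaluate each one.
    # Invoke-Command tags returned objects with PSComputerName, which is used as the asset tag.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-MpComputerStatus } |
        ForEach-Object { Test-DefenderFixApplied -Status $_ -AssetTag $_.PSComputerName }
}

function Repair-LocalDefenderEngine {
    # Force a definition/engine update on the local host and re-evaluate. This matches the
    # "check Protection Updates" step; it does not by itself install the antimalware platform
    # update, which arrives through Windows Update, so a host that stays NeedsUpdate on
    # PlatformVersion is an update-ring question, not a signature question.
    Update-MpSignature -ErrorAction Stop
    Test-DefenderFixApplied
}

# Usage:
#   Test-DefenderFixApplied | Format-List
#   Get-DefenderFixReport -ComputerName 'ws01','ws02','srv-file01' |
#       Where-Object Verdict -ne 'Fixed' | Format-Table -AutoSize
#   Repair-LocalDefenderEngine
```

Treat `DefenderDisabled` as its own line item in the remediation tracker rather than dropping those hosts: the article's point is that those machines are out of scope for these CVEs only if Defender is genuinely off, and the same report gives you the evidence for that. A large `SignatureAgeDays` on a host that is also `NeedsUpdate` usually means the automatic channel Microsoft is relying on is not reaching that machine at all.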