Microsoft Defender zero‑days exploited

- On May 20, 2026, CISA added two Microsoft Defender flaws to its exploited-vulnerabilities catalog after evidence of active attacks, and Microsoft issued fixes.
- The two CVEs are CVE-2026-41091 and CVE-2026-45498; Microsoft rates the privilege-escalation bug Important with a 7.8 CVSS base score.
- Federal civilian agencies must remediate the listed flaws by CISA’s due date under BOD 22-01, and other organizations are urged to patch.

CISA said on May 20 that it had added two Microsoft Defender vulnerabilities to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The agency identified the flaws as CVE-2026-41091, an elevation-of-privilege issue, and CVE-2026-45498, a denial-of-service issue. Microsoft has published fixes for both through its Security Update Guide and marked the vulnerabilities as requiring customer action.

Here is the core point for defenders: these were not just disclosed bugs, but bugs CISA says were already being used in the wild when they were added to the catalog. That matters because CISA uses the KEV list to flag vulnerabilities that have crossed from theoretical risk into observed exploitation. The agency says organizations should use the catalog as an input to patch prioritization, and federal civilian agencies are required to remediate KEV-listed issues by CISA deadlines under Binding Operational Directive 22-01. (cisa.gov)

CVE-2026-41091 is the more consequential of the two based on the public technical detail Microsoft has exposed. Microsoft describes it as an improper link-resolution bug in Defender that allows an authorized local attacker to elevate privileges. In its advisory data, Microsoft says a successful exploit could give an attacker SYSTEM privileges, lists the issue as publicly disclosed and exploited, and assigns it a CVSS 3.1 base score of 7.8. (cisa.gov)

CVE-2026-45498 is described by Microsoft as a Microsoft Defender denial-of-service vulnerability. Microsoft’s advisory metadata says the flaw requires customer action and identifies a last affected Microsoft Defender Antimalware Platform version of 4.18.26030.3011, with a later version carrying the fix. The available search extract does not expose the full narrative advisory text, but it does confirm that Microsoft published a remediation path tied to platform versioning. (api.msrc.microsoft.com)

The timing is also important. CISA published the KEV addition on May 20, 2026, and Microsoft’s advisory metadata for CVE-2026-45498 shows a current release date of May 19, 2026. That sequence indicates the vendor and the U.S. cyber agency moved on a coordinated timeline after exploitation had been identified. That is an inference from the publication dates and advisory records, rather than a stated joint timeline. (msrc.microsoft.com)

For security teams, the immediate work is routine but urgent: confirm Defender platform versions, deploy Microsoft’s updated builds, and look for signs that local access or privilege escalation attempts preceded the patch window. Because one flaw can yield SYSTEM privileges and the other affects service availability, defenders would typically pair patching with endpoint telemetry review and checks for post-exploitation activity. That operational guidance is an inference based on the vulnerability types and Microsoft’s exploit status, not a direct quote from either agency. (cisa.gov)

CISA said on April 22 it had already added another Microsoft Defender flaw, CVE-2026-33825, to the KEV catalog based on active exploitation. That means the May 20 additions were not an isolated Defender event but the latest in a series of exploited Defender issues CISA has flagged this year. Federal agencies now have the KEV entry and Microsoft’s update materials as the main references for remediation and tracking. (cisa.gov) (api.msrc.microsoft.com)
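The first step in the remediation guidance above, confirming the Defender platform version, can be scripted. The following PowerShell is an added example and is not code from the article, Microsoft or CISA. It reads the platform version from the real `Get-MpComputerStatus` cmdlet (its `AMProductVersion` property is the Antimalware Platform version) and compares it to the last affected build the article cites for CVE-2026-45498, 4.18.26030.3011. Because the article names only the last affected build and not the fixed one, the script assumes any newer platform build carries the fix; the sample version strings it runs first are constructed so the check can be exercised on a machine without Defender. It says nothing about CVE-2026-41091's affected builds, which the article does not give.

```powershell
# Added example, not from the article or the vendor: flag hosts whose Defender
# Antimalware Platform build is at or below the last affected version for CVE-2026-45498.
# Assumption: any build newer than the last affected one is fixed (the fixed build
# number itself is not stated in the article).

$LastAffectedPlatform = [version]'4.18.26030.3011'   # last affected build, per Microsoft advisory metadata

function Test-DefenderPlatformVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PlatformVersion,
        [version]$LastAffected = $LastAffectedPlatform
    )

    # Parse the four-part platform string; a malformed value is reported, not silently skipped
    $parsed = $null
    if (-not [version]::TryParse($PlatformVersion, [ref]$parsed)) {
        return [pscustomobject]@{
            Version = $PlatformVersion
            Status  = 'Unparseable'
            Action  = 'Inspect host manually'
        }
    }

    if ($parsed -le $LastAffected) {
        return [pscustomobject]@{
            Version = $PlatformVersion
            Status  = 'Affected'
            Action  = 'Deploy the updated Defender platform build'
        }
    }

    [pscustomobject]@{
        Version = $PlatformVersion
        Status  = 'Patched'
        Action  = 'None; review endpoint telemetry for pre-patch activity'
    }
}

# Constructed sample inputs so the check runs without Defender present:
# equal to the last affected build, older, newer, and an unparseable value.
$samples = @('4.18.26030.3011', '4.18.26010.1', '4.18.26040.1', 'n/a')
$samples | ForEach-Object { Test-DefenderPlatformVersion -PlatformVersion $_ } | Format-Table -AutoSize

# Live check on a Windows host with the Defender module loaded.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    Test-DefenderPlatformVersion -PlatformVersion $status.AMProductVersion |
        Add-Member -NotePropertyName Computer -NotePropertyValue $env:COMPUTERNAME -PassThru |
        Format-List
}
```

The comparison is done on `[version]` objects rather than strings so that a build such as 4.18.26040.1 sorts after 4.18.26030.3011 correctly; a string comparison would get this wrong. For fleet-wide use, the function can be fed the `AMProductVersion` values collected from an inventory tool instead of the constructed samples.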
