Microsoft patches Defender antivirus zero-day exploited in the wild


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Microsoft has addressed a zero-day vulnerability in the Microsoft Defender antivirus, exploited in the wild by threat actors before the patch was released.

Zero-days are vulnerabilities actively exploited in the wild before the vendor issues an official patch or bugs that have publicly available proof-of-concept exploits.

The zero-day patched today by Microsoft is being tracked as CVE-2021-1647 and it is a remote code execution (RCE) found in the Malware Protection Engine component (mpengine.dll).
Defender security update installs automatically

Redmond's advisory also adds that customers don't need to take any action to install the CVE-2021-1647 security update as it will install automatically on systems running vulnerable Microsoft Defender versions.

"In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine," Microsoft says.

Microsoft Defender keeps both the Malware Protection Engine (the component used for scanning, detection, and cleaning) and malware definitions automatically up to date for both enterprise deployments as well as end-users.

Usually, Microsoft Malware Protection Engine updates are released once a month or when needed to protect against newly discovered threats while malware definitions are updated three times per day.

Even though Microsoft Defender can check for engine and definition updates several times a day, users can also manually check at any time if they want to immediately install the security update.


Level 64
Honorary Member
Top poster
Content Creator
Apr 24, 2016
From that article:
Microsoft says that a proof-of-concept exploit for this zero-day is available, although exploitation might not be possible on most systems or the PoC might fail in some situations.

The last Microsoft Malware Protection Engine version affected by this vulnerability is version 1.1.17600.5. The zero-day was addressed in version 1.1.17700.4.

More details on how to verify the Malware Protection Engine version number are available here. Systems that aren't affected by this vulnerability should run Microsoft Malware Protection Engine version is 1.1.17700.4 or later.

"Customers should verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft antimalware products," Microsoft says.

ForgottenSeer 89360

Microsoft’s Patch Tuesday monthly security patches includes one for the Microsoft Defender antivirus, exploited prior to patch release. This allows an attacker to execute code on vulnerable devices, where Defender is installed.

Details at a glance: CVE-2021-1647​

  • This vulnerability has been exploited in the wild.
  • Low or no privileges are required for attack success.
  • User interaction is not required.
  • There is a critical impact to confidentiality, availability, and integrity of exploited systems.
Last edited by a moderator: