Security News Microsoft warns of new Defender zero-days exploited in attacks

Brownie2019

On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks.

The first one, tracked as CVE-2026-41091, is a privilege escalation security flaw affecting Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, which provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.

This flaw stems from an improper link resolution before file access (link following) weakness, which allows attackers to gain SYSTEM privileges.

A second vulnerability (CVE-2026-45498) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier, a collection of security tools also used by Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials.

According to Microsoft, successful exploitation enables threat actors to trigger denial-of-service (DoS) states on unpatched Windows devices.
Full Story:
 
Important note:

I would treat this carefully, because the CVE identifiers shown there do not look reliable at the moment.

Why it looks questionable

  • The article text says the vulnerabilities were exploited in zero-day attacks, but those specific CVE numbers are not familiar from Microsoft’s normal public advisories as far as I can verify here.
  • Microsoft Defender engine and platform updates are real and do get patched silently or semi-silently through security intelligence/platform updates, but exact version-to-CVE mapping should be confirmed from Microsoft’s own security guidance.
  • BleepingComputer is often useful for early reporting, but for actively exploited vulnerabilities it is still best to verify against Microsoft’s official advisories before treating the details as established fact.

What can be said safely

If Microsoft has shipped Defender engine or platform fixes, the practical advice is straightforward:

  • Make sure Microsoft Defender security intelligence, engine, and platform updates are fully current.
  • Run Windows Update and then check Defender’s own update status in Windows Security.
  • In managed environments, verify update deployment centrally through Intune, ConfigMgr, Defender for Endpoint, or the organization’s update tooling.
  • If systems are pinned to older products like System Center Endpoint Protection or Security Essentials, confirm support status and update delivery carefully.

How to verify on a Windows system

You can check these areas:

  1. Open Windows Security
  2. Go to Virus & threat protection
  3. Open Protection updates
  4. Check the security intelligence version and look for engine/platform version details
  5. Install any available updates

For enterprise environments, Microsoft’s official security update documentation and Defender release notes are the safest sources to confirm whether a system is exposed.

Best takeaway

I would not repeat the vulnerability details as confirmed until they are matched with Microsoft’s own advisory pages. The safe conclusion is: keep Defender fully updated immediately, but verify the CVEs and affected versions from official Microsoft sources before relying on the report.
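As an added example (not part of any post in this thread), a PowerShell check that reads the locally installed Defender engine and platform builds with the built-in Get-MpComputerStatus cmdlet and compares them with the affected and fixed versions quoted above. The version thresholds are assumptions taken from the posts in this thread and should be confirmed against Microsoft's own advisory before being relied on.

```powershell
# Added example, not from the thread. Assumed thresholds come from the posts above:
# engine 1.1.26030.3008 and platform 4.18.26030.3011 are the last affected builds,
# platform 4.18.26040.7 is the first fixed build. Confirm these against Microsoft's advisory.
$LastAffectedEngine = [version]'1.1.26030.3008'
$FirstFixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatchLevel {
    # Get-MpComputerStatus reports the antimalware engine build (AMEngineVersion),
    # the platform build (AMProductVersion) and the security intelligence version.
    $status = Get-MpComputerStatus

    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EngineVersion      = $engine
        PlatformVersion    = $platform
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        # Engine is at or below the last affected build quoted in the thread.
        EngineVulnerable   = ($engine -le $LastAffectedEngine)
        # Platform is older than the first fixed build quoted in the thread.
        PlatformVulnerable = ($platform -lt $FirstFixedPlatform)
    }
}

$check = Test-DefenderPatchLevel
$check | Format-List

if ($check.EngineVulnerable -or $check.PlatformVulnerable) {
    Write-Warning 'Defender engine or platform is below the fixed build quoted in the thread.'
    # Update-MpSignature pulls the latest security intelligence (and engine updates
    # where Microsoft ships them that way); platform updates arrive through
    # Windows Update or the organisation's management tooling, so re-check afterwards.
    Update-MpSignature
}
else {
    Write-Host 'Defender engine and platform are at or above the fixed builds quoted in the thread.'
}
```

In a managed environment the same object can be collected from each host (for example via Invoke-Command) and filtered on the two *Vulnerable flags to find machines that still need the platform update.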
Defender zero-days ==> Windows Updates ==> problem solved
Two Microsoft Defender vulnerabilities are being actively exploited in the wild.

On May 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added a notable set of actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog tracks vulnerabilities known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies.

Five of the added vulnerabilities are quite old by vulnerability standards. Patches were released in 2008, 2009, and 2010. But the Microsoft Defender vulnerabilities are from this year. Those two are:

  • CVE-2026-41091 (CVSS score 7.8 out of 10): a Microsoft Defender elevation of privilege vulnerability. A local attacker who already has some access to a machine can abuse Defender to gain SYSTEM-level permissions, effectively giving them full control over Windows.
  • CVE-2026-45498 (CVSS score 4.0 out of 10): a Microsoft Defender denial-of-service vulnerability. Here, an attacker can interfere with Defender in a way that disrupts its normal operation. If attackers can crash or disable your antivirus engine on demand, they can create a safer environment for their malware to run undetected.

Make sure Windows Update is enabled and set to receive updates for Microsoft products. Defender platform updates are often delivered alongside regular cumulative updates.

Also check that recent Microsoft Defender security intelligence and platform updates are installed.

The first version of the Microsoft Defender Antimalware Platform with these vulnerabilities addressed is 4.18.26040.7.