HackMyIP
2026-05-21 The Hacker News

Microsoft Defender Zero-Days Actively Exploited; Added to CISA KEV

Vulnerability · Zero-Day · Threat Intel

Microsoft has disclosed two actively exploited vulnerabilities in Microsoft Defender: a privilege escalation flaw and a denial-of-service bug. The first, tracked as CVE-2026-41091 (CVSS score 7.8), is a link-following vulnerability (improper link resolution before file access) in Defender's file handling that lets a local attacker escalate to SYSTEM. The second, CVE-2026-45498 (CVSS score 4.0), is a denial-of-service flaw in Defender's antimalware functionality. Five researchers were credited with the discoveries: Sibusiso, Diffract, Andrew C. Dorman (aka ACD421), Damir Moldovanov, and an anonymous contributor.

The fixes ship in Microsoft Malware Protection Engine version 1.1.26040.8 and Microsoft Defender Antimalware Platform version 4.18.26040.7. Microsoft noted that systems with Microsoft Defender disabled are not susceptible. No manual action is normally required: the engine is delivered automatically alongside malware definition updates, and the platform is updated through Windows Update. Users can confirm their build by navigating to Windows Security > Virus & threat protection > Protection updates > Check for updates, then reading the Antimalware Client Version (platform) and Engine Version under Settings > About. Organizations that stage or defer definition and platform updates should push these builds immediately.
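For fleets, clicking through Windows Security on each host does not scale. The following PowerShell is an added example, not code from The Hacker News or Microsoft; it reads the installed engine and platform versions with the built-in Get-MpComputerStatus cmdlet and compares them against the fixed builds named above. The minimum versions are taken from the article; everything else (function name, output fields) is this example's own.

```powershell
# Added example (not from the article or Microsoft): verify a Windows host runs
# the fixed Defender engine/platform builds. Requires the Defender PowerShell
# module present on Windows 10/11 and Windows Server.

# Minimum fixed builds as reported in the article.
$MinEngine   = [version]'1.1.26040.8'    # Microsoft Malware Protection Engine
$MinPlatform = [version]'4.18.26040.7'   # Microsoft Defender Antimalware Platform

function Test-DefenderPatched {
    param(
        [Parameter(Mandatory)][version]$MinEngine,
        [Parameter(Mandatory)][version]$MinPlatform
    )
    $status = Get-MpComputerStatus

    # Microsoft notes that hosts with Defender disabled are not susceptible, so
    # report that state separately instead of flagging the host as unpatched.
    if (-not $status.AntivirusEnabled -and -not $status.AMServiceEnabled) {
        return [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            Defender = 'Disabled'
            Engine   = $status.AMEngineVersion
            Platform = $status.AMProductVersion
            Patched  = $null
        }
    }

    # AMEngineVersion is the 1.1.x engine build, AMProductVersion the 4.18.x
    # platform build; [version] comparison handles the four-part numbering.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Defender = 'Enabled'
        Engine   = $engine
        Platform = $platform
        Patched  = ($engine -ge $MinEngine) -and ($platform -ge $MinPlatform)
    }
}

$result = Test-DefenderPatched -MinEngine $MinEngine -MinPlatform $MinPlatform
$result | Format-List

# If the host is behind, trigger the same update check as Windows Security >
# Protection updates > Check for updates, then re-evaluate.
if ($result.Patched -eq $false) {
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    Test-DefenderPatched -MinEngine $MinEngine -MinPlatform $MinPlatform | Format-List
}
```

Run it under Invoke-Command against a list of hosts to collect one object per machine. Note that Update-MpSignature only pulls definitions (and with them the engine); a host whose platform build is still below 4.18.26040.7 needs its Windows Update channel checked, since the platform is not delivered through the definition feed.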

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate by June 3, 2026. CISA also added four legacy Microsoft vulnerabilities to the catalog: CVE-2010-0806 and CVE-2010-0249 (both Internet Explorer use-after-free flaws enabling remote code execution), CVE-2009-1537 (a NULL byte overwrite in the Microsoft DirectX QuickTime Movie Parser Filter in quartz.dll), and CVE-2008-4250 (the Windows Server service buffer overflow patched in MS08-067). No technical details about how any of these flaws are being exploited in the current attacks have been publicly disclosed.

Source: The Hacker News →
