
Microsoft Defender Flaws Exploited in Active Attacks (CVE-2026-41091, CVE-2026-45498)

Summary

– Two Microsoft Defender vulnerabilities, CVE-2026-41091 (local privilege escalation) and CVE-2026-45498 (denial-of-service), are being actively exploited and have been added to CISA’s Known Exploited Vulnerabilities catalog.
– CVE-2026-41091 allows an attacker to gain SYSTEM privileges by exploiting how the Microsoft Malware Protection Engine resolves links, while CVE-2026-45498 can disable Microsoft Defender.
– Both flaws have been patched: CVE-2026-41091 in Microsoft Malware Protection Engine v1.1.26040.8, and CVE-2026-45498 in Microsoft Defender Antimalware Platform v4.18.26040.7.
– A researcher released proof-of-concept exploits for three additional Microsoft Defender vulnerabilities (BlueHammer, RedSun, UnDefend), which have been observed in use by attackers.
– CISA mandated that U.S. federal civilian agencies apply the patches for the two exploited flaws by June 3, 2026, or discontinue use of the affected products.

Attackers are actively exploiting two Microsoft Defender vulnerabilities, CVE-2026-41091 and CVE-2026-45498, with Microsoft confirming the activity and CISA adding both to its Known Exploited Vulnerabilities catalog.

The first flaw, CVE-2026-41091, is a local privilege escalation (LPE) bug. It stems from the Microsoft Malware Protection Engine improperly resolving links before accessing files, so a low-privileged local user can steer the engine, which runs as SYSTEM, into acting on a file they should not be able to touch. According to Microsoft, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” The second issue, CVE-2026-45498, can trigger a denial-of-service (DoS) state that prevents Microsoft Defender from functioning correctly, leaving the host without its antimalware protection.

Microsoft states that both vulnerabilities are publicly disclosed and have been exploited in the wild. CVE-2026-41091, alongside a third remote code execution flaw (CVE-2026-45584), impacts Microsoft Malware Protection Engine v1.26030.3008; both engine flaws were resolved in version 1.1.26040.8. CVE-2026-45498 affects a different component, the Microsoft Defender Antimalware Platform, a collection of user-mode binaries and kernel-mode drivers that run on top of Windows to keep devices protected. That fix arrived separately, in Antimalware Platform version 4.18.26040.7, so an endpoint needs both updates to be fully covered.

Microsoft noted that, for enterprise deployments as well as end users, the default configuration of its antimalware software keeps malware definitions and the Malware Protection Engine up to date automatically. The engine update also includes defense-in-depth improvements to bolster security-related features. The same automatic delivery applies to the Microsoft Defender Antimalware Platform. Both the Protection Engine and the Antimalware Platform are used by Microsoft Defender, as well as by System Center Endpoint Protection and Microsoft Security Essentials (though the last may still be running on old, unsupported Windows versions and is no longer updated, so hosts relying on it will not receive these fixes).
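Automatic delivery is the default, but it is worth confirming that each endpoint actually received the fixed builds rather than assuming it did. The following PowerShell check is an added example, not code from the Help Net Security article or from Microsoft. It assumes a Windows host running Microsoft Defender Antivirus with the Defender PowerShell module available (Get-MpComputerStatus and Update-MpSignature), and it uses the fixed version numbers quoted above as its thresholds; the function name Test-DefenderPatchLevel is ours.

```powershell
# Added example (not from the article): confirm a Windows endpoint runs at least
# the Defender engine and platform builds the article names as fixed.
# Assumes Windows with Microsoft Defender Antivirus and its PowerShell module;
# run from an elevated PowerShell session.

# Fixed builds quoted in the article. Comparing as [version] objects, not
# strings, avoids "1.1.26040.8" sorting below "1.1.26030.3008" lexically.
$FixedEngine   = [version]'1.1.26040.8'   # Malware Protection Engine (CVE-2026-41091, CVE-2026-45584)
$FixedPlatform = [version]'4.18.26040.7'  # Antimalware Platform (CVE-2026-45498)

function Test-DefenderPatchLevel {
    [CmdletBinding()]
    param(
        [version]$MinEngine   = $FixedEngine,
        [version]$MinPlatform = $FixedPlatform
    )

    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion  -> Malware Protection Engine build
    # AMProductVersion -> Antimalware Platform build (user-mode binaries + drivers)
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        EnginePatched    = ($engine -ge $MinEngine)
        PlatformVersion  = $platform
        PlatformPatched  = ($platform -ge $MinPlatform)
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge      # days since last definition update
        RealTimeEnabled  = $status.RealTimeProtectionEnabled  # false may indicate the DoS condition or a disabled agent
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

if (-not $result.EnginePatched) {
    Write-Warning 'Engine is below the fixed build; pulling engine and definitions now.'
    # The engine ships with definition updates, so this brings the engine forward.
    Update-MpSignature -ErrorAction Stop
    Test-DefenderPatchLevel | Format-List
}

if (-not $result.PlatformPatched) {
    # The Antimalware Platform is delivered through Windows Update, not through
    # Update-MpSignature, so it has to be pushed via your normal Windows Update
    # or WSUS/Intune channel.
    Write-Warning 'Antimalware Platform is below the fixed build; install the platform update via Windows Update.'
}
```

For a fleet, run the same function over a CIM session or through your endpoint management tool and alert on any host where EnginePatched or PlatformPatched is false; a host where RealTimeEnabled is false also deserves a look, since that is the state the DoS flaw produces.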

By adding these two exploited flaws to its KEV catalog, CISA mandated that by June 3, 2026, US federal civilian agencies must either apply Microsoft’s patches or drop the product entirely.

On April 3 and 15, a disgruntled security researcher known as Nightmare Eclipse released proof-of-concept exploits for three Microsoft Defender vulnerabilities: BlueHammer (an LPE flaw), RedSun (another LPE), and UnDefend (a DoS vulnerability). Huntress incident responders have observed an attacker leveraging these exploits.

BlueHammer, which received the identifier CVE-2026-33825 and has been patched, was added to CISA’s KEV catalog in late April. Researchers Zen Dodd and Yuanpei Xu were credited with reporting it. Microsoft thanked several researchers for flagging CVE-2026-41091, but none for CVE-2026-45498. Two days ago, Microsoft shared mitigation advice for CVE-2026-45585 (aka YellowKey), a BitLocker bypass flaw for which Nightmare Eclipse also published a PoC exploit.


(Source: Help Net Security)
