
Microsoft warns of active Defender zero-day exploits

Summary

– Microsoft began rolling out security patches on Wednesday for two Defender vulnerabilities exploited in zero-day attacks.
– The vulnerabilities had been actively used in attacks before patches were available.
– The patches address security flaws specifically in Microsoft Defender.
– Zero-day exploits target vulnerabilities for which no fix was available at the time of the attack.
– Users are advised to apply the updates promptly to mitigate risk.

Microsoft has issued an urgent security update for two actively exploited zero-day vulnerabilities in its Microsoft Defender antivirus engine. The company confirmed on Wednesday that attackers are already leveraging these flaws in real-world campaigns, making immediate patching critical for users and organizations.

The vulnerabilities, tracked as CVE-2025-XXXX and CVE-2025-XXXX, affect the core scanning engine of Defender, which is integrated into Windows and other Microsoft products. One of the flaws allows an attacker to bypass security checks and execute malicious code, while the other enables privilege escalation, giving an intruder greater control over an affected system. Microsoft’s advisory notes that both issues have been exploited in the wild, though it did not disclose the scale or targets of the attacks.

This is a relatively rare instance in which the company's own security software is the vector for exploitation; attackers more typically target third-party applications or the operating system itself. The update is delivered automatically through Windows Update and does not require a system reboot, which makes it easier to apply quickly. Administrators managing enterprise environments should nevertheless verify that Microsoft Defender Antivirus engine version 1.1.24050.2 or later is running on every endpoint, rather than assuming the update has reached all of them.

Security experts recommend that users manually check for updates even when automatic updates are enabled, to confirm the patch has actually been applied. This matters most for systems that are frequently offline, sit behind a deferred update ring, or are otherwise slow to pick up updates. The vulnerabilities were reportedly discovered by Microsoft's own security researchers together with a partner researcher who disclosed them responsibly.
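The two checks above (confirm the engine version on each endpoint, and force an update where it is behind) can be done with Defender's built-in PowerShell cmdlets. The following is an added example written for this page, not code from the article or from Microsoft; the version threshold is the one the article cites, and the cmdlets and property names are the standard ones exposed by the Defender module.

```powershell
# Added example (not from the article or Microsoft): check the Defender
# scanning-engine version on this host and request an update if it is older
# than the minimum the article cites. Replace the threshold with whatever
# the current Microsoft advisory lists.
$MinimumEngine = [version]'1.1.24050.2'   # version cited in the article

function Test-DefenderEngineVersion {
    param(
        [version]$Minimum = $MinimumEngine
    )
    # Get-MpComputerStatus is the built-in Defender cmdlet. AMEngineVersion is
    # the scanning engine version, which is distinct from the platform version
    # (AMProductVersion) and the signature version (AntivirusSignatureVersion).
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        PlatformVersion  = $status.AMProductVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        # [version] comparison is numeric per component, so 1.1.24050.10
        # correctly compares greater than 1.1.24050.2 (a string compare would not).
        Compliant        = ($engine -ge $Minimum)
    }
}

$result = Test-DefenderEngineVersion
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "Engine $($result.EngineVersion) is below $MinimumEngine; requesting an update."
    # Update-MpSignature pulls the latest security intelligence package from
    # the configured update source; engine and platform updates typically
    # ship through the same channel when Microsoft releases them.
    Update-MpSignature
    # Re-check so the reported state reflects what is actually running now.
    $result = Test-DefenderEngineVersion
    $result | Format-List
}
```

To run the same check across a fleet, wrap the function body in a script block and dispatch it with Invoke-Command against a list of hosts, then filter on Compliant being false; an endpoint that reports an old engine after Update-MpSignature has run usually indicates a blocked update source or a machine that has not been online, both of which are worth chasing given active exploitation.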

Given the active exploitation, organizations should also review their Defender for Endpoint configuration and monitor EDR telemetry for suspicious activity that could indicate an attempted breach. Microsoft has not published technical details that would support purpose-built detections for these flaws, so defenders should rely on their existing EDR alerting, and treat confirming that the patched engine is running on every endpoint as the primary control until more information is available.

This incident underscores the importance of keeping security software up to date, even when it comes from a trusted vendor. With attackers now targeting the very tools designed to protect systems, the window for patching has narrowed significantly.

(Source: BleepingComputer)
